Update arguments for the different Step Security workflows.
Looking at Step Security’s Harden Runner results (see workflow run 4222519143) it would probably make sense to incorporate their Recommended Policy feedback for the four runs we use in our workflows?
Based on the recommendation, should we add the allowed list to every step or is it possible to specify it in a central policy?
@behnazh I didn’t find a central/shared policy documented in the Harden Runner docs.
I wonder if it would make sense, because different workflows do different things and therefore might need different policies. Having said that, it would be nice to specify a common/central/shared “base policy” which can then be overridden by specific policies using the with: ... (Would save a lot of typing in our case 🤓)
@varunsh-coder do you have thoughts on this?
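As an added illustration of what applying the Recommended Policy per job looks like (this is example config written for this page, not from the thread or from the Harden Runner project), the snippet below uses Harden Runner's `egress-policy` and `allowed-endpoints` inputs under `with:`. The endpoint list, the job names and the `@v2` tag are placeholders; in practice pin the action to a full commit SHA and copy the endpoint list from the Recommended Policy shown in the insights page for the run.

```yaml
name: build

on:
  pull_request:
  push:
    branches: [main]

jobs:
  # Job that only needs GitHub and PyPI: a tight allow-list is practical here.
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2   # placeholder tag; pin to a commit SHA
        with:
          egress-policy: block                 # deny any outbound connection not listed below
          allowed-endpoints: >                 # placeholder list copied from the Recommended Policy
            github.com:443
            api.github.com:443
            pypi.org:443
            files.pythonhosted.org:443
          disable-sudo: true                   # nothing in this job needs root

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.11"
      - run: pip install -e '.[test]'
      - run: pytest

  # Release job: same base endpoints plus the registry it publishes to.
  # Each job must repeat its full list; Harden Runner has no inheritance between jobs.
  release:
    runs-on: ubuntu-latest
    needs: test
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2   # placeholder tag; pin to a commit SHA
        with:
          egress-policy: block
          allowed-endpoints: >                 # placeholder list
            github.com:443
            api.github.com:443
            pypi.org:443
            files.pythonhosted.org:443
            upload.pypi.org:443
      - uses: actions/checkout@v3
      - run: python -m build && python -m twine upload dist/*
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
```

Start with `egress-policy: audit` on a job, read the observed endpoints in the run's insights, and only then switch that job to `block`; a too-short list fails the job at the first blocked connection, which is the intended behaviour but is disruptive if introduced without an audit pass first.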
@jenstroeger next week, we are releasing a new feature to store policies using the insights website (tracking issue). This will allow specifying the policy in one place and referring to it from different jobs.
You can see a demo workflow here, and I can share the updated documentation once it is released.
There is a discussion about where/how to store the policy in this discussion item. Feel free to add to that. I have not seen a base policy idea listed there before.
Also, you can prioritize setting policies in specific jobs that are more security sensitive, e.g., where credentials are used, and/or release builds are created.