From 9b2cb7dbd0c1d3834c9f481b901b46a9aa3e7f0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20Kerekes?=
Date: Fri, 3 Oct 2025 18:48:05 -0700
Subject: [PATCH] chore: add release-assets.githubusercontent.com to allowed sites for harden runner
---
 .github/workflows/codeql.yml | 9 ++++-----
 .github/workflows/scorecard.yml | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5ff23715..134120d7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,7 +14,7 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest - + permissions: actions: read contents: read
@@ -22,7 +22,7 @@ jobs: strategy: fail-fast: false - matrix: + matrix: # Autobuild each of these seperate maven projects working-directory: ['invoker', 'functions-framework-api', 'function-maven-plugin']
@@ -37,10 +37,11 @@ jobs: github.com:443 objects.githubusercontent.com:443 proxy.golang.org:443 + release-assets.githubusercontent.com:443 repo.maven.apache.org:443 storage.googleapis.com:443 uploads.github.com:443 - + - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -57,8 +58,6 @@ jobs: # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - - - name: Build run: | (cd functions-framework-api/ && mvn install)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 11679d87..80ffb070 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -43,7 +43,7 @@ jobs: www.bestpractices.dev:443 *.sigstore.dev:443 *.github.com:443 - + - name: "Checkout code" uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with:
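Review bot: The new `release-assets.githubusercontent.com:443` entry in the codeql.yml endpoint list (third hunk) is added with no record of which step needs it, and the older `objects.githubusercontent.com:443` entry stays next to it. An egress allowlist is easier to audit when each host has a stated reason, so I would put a comment above the list's key (the key sits above this hunk, and a `#` inside the list itself may be read as part of the value), for example `# release-assets.githubusercontent.com: GitHub release downloads, presumably the CodeQL bundle`. If release downloads are now served only from the new host, check the runner's recorded outbound calls and drop `objects.githubusercontent.com:443` when nothing else contacts it, so the list stays minimal. The commit also carries whitespace-only hunks in both files; keeping the policy change in its own commit would make the allowlist history simpler to review.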