From 9b2cb7dbd0c1d3834c9f481b901b46a9aa3e7f0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A1s=20Kerekes?= Date: Fri, 3 Oct 2025 18:48:05 -0700 Subject: [PATCH 1/2] chore: add release-assets.githubusercontent.com to allowed sites for harden runner --- .github/workflows/codeql.yml | 9 ++++----- .github/workflows/scorecard.yml | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5ff23715..134120d7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -14,7 +14,7 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest - + permissions: actions: read contents: read @@ -22,7 +22,7 @@ jobs: strategy: fail-fast: false - matrix: + matrix: # Autobuild each of these seperate maven projects working-directory: ['invoker', 'functions-framework-api', 'function-maven-plugin'] @@ -37,10 +37,11 @@ jobs: github.com:443 objects.githubusercontent.com:443 proxy.golang.org:443 + release-assets.githubusercontent.com:443 repo.maven.apache.org:443 storage.googleapis.com:443 uploads.github.com:443 - + - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -57,8 +58,6 @@ jobs: # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - - - name: Build run: | (cd functions-framework-api/ && mvn install) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 11679d87..80ffb070 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -43,7 +43,7 @@ jobs: www.bestpractices.dev:443 *.sigstore.dev:443 *.github.com:443 - + - name: "Checkout code" uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: 
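Review bot: The new `release-assets.githubusercontent.com:443` entry in the third codeql.yml hunk (and the identical entry in the conformance.yaml hunk of the second patch) records nothing about which step needs that egress, so the allowlist exception cannot later be traced to a consumer or pruned when that consumer goes away. The harden-runner step and its `allowed-endpoints:` header start above the hunk; if that key is a block scalar, which the unquoted `*.sigstore.dev:443` in the scorecard hunk suggests since a plain `*` would otherwise be read as an alias, a trailing `# …` on the entry line would be passed to harden-runner as allowlist text rather than treated as a comment. Record the provenance as a YAML comment on the line before `allowed-endpoints:` instead, e.g. `# release-assets.githubusercontent.com: GitHub release-asset downloads by <step name — TODO confirm>`, so the next reviewer can tell a legitimately needed endpoint from one added to paper over a blocked download.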
From f7978ce26a6e4e5466582f89a5b7ece4a1dc02a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A1s=20Kerekes?= Date: Mon, 6 Oct 2025 11:05:55 -0700 Subject: [PATCH 2/2] chore: add release-assets.githubusercontent.com to allowed sites for harden runner --- .github/workflows/conformance.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 33d05f71..21745f56 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -27,6 +27,7 @@ jobs: github.com:443 objects.githubusercontent.com:443 proxy.golang.org:443 + release-assets.githubusercontent.com:443 repo.maven.apache.org:443 storage.googleapis.com:443 @@ -94,4 +95,4 @@ jobs: useBuildpacks: false validateConcurrency: true cmd: "'mvn -f invoker/conformance/pom.xml function:run -Drun.functionTarget=com.google.cloud.functions.conformance.ConcurrentHttpConformanceFunction'" - startDelay: 10 \ No newline at end of file + startDelay: 10