🌱 Restrict egress on github actions

[naveensrinivasan]

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

What is the new behavior (if this is a feature change)?**

Restrict egress for github actions

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Restrict egress for GitHub actions

[github-actions]

Integration tests success for
[bf3317c]
(https://github.com/ossf/scorecard/actions/runs/1988334763)

[codecov]

Codecov Report

Merging #1733 (887de3c) into main (0c76ae3) will increase coverage by 3.07%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1733      +/-   ##
==========================================
+ Coverage   56.71%   59.79%   +3.07%     
==========================================
  Files          65       65              
  Lines        6377     6377              
==========================================
+ Hits         3617     3813     +196     
+ Misses       2519     2317     -202     
- Partials      241      247       +6     

[github-actions]

Integration tests success for
[64808c6]
(https://github.com/ossf/scorecard/actions/runs/1995537440)

[github-actions]

Integration tests success for
[87650c0]
(https://github.com/ossf/scorecard/actions/runs/1995538651)

[github-actions]

Integration tests success for
[55977d2]
(https://github.com/ossf/scorecard/actions/runs/1995590994)

[github-actions]

Integration tests success for
[f753239]
(https://github.com/ossf/scorecard/actions/runs/1995592092)

[github-actions]

Integration tests success for
[7eccbd9]
(https://github.com/ossf/scorecard/actions/runs/2016352268)

[github-actions]

Integration tests success for
[d953c17]
(https://github.com/ossf/scorecard/actions/runs/2016384444)

[github-actions]

Integration tests success for
[887de3c]
(https://github.com/ossf/scorecard/actions/runs/2016419116)

[varunsh-coder]

@naveensrinivasan wanted to share this finding. harden-runner monitors file writes and detects if source code has been overwritten. I was looking at the output for scorecard workflows and saw this (screenshot for annotation from the generate-mocks job) https://github.com/ossf/scorecard/actions/runs/2018689479. I think it is a false positive, but wanted to share it, as it is cool to see detection of source code being overwritten :).

[laurentsimon]

we do use a library called mockgen to generate mock implementation, it may not be a false positive! (idk how the library works under the hood)

[varunsh-coder]

we do use a library called mockgen to generate mock implementation, it may not be a false positive! (idk how the library works under the hood)

There is a call to mockgen. The destination file clients/mockclients/vulnerabilities.go is being overwritten. The file is already in the repo, so it gets written first during checkout. Then the call to mockgen overwrites it. That is causing the overwrite warning...

mockgen -source=clients/vulnerabilities.go -destination=clients/mockclients/vulnerabilities.go -package=mockrepo -copyright_file=clients/mockclients/license.txt