From 8362d22d5576f7de920b5870aa19f423dc9100dc Mon Sep 17 00:00:00 2001
From: Peter Hedenskog
Date: Fri, 3 Apr 2026 06:59:02 +0200
Subject: [PATCH 1/4] Update to latest versions and use harden action

---
 .github/workflows/docker.yml | 6 +++++-
 .github/workflows/install.yml | 4 ++++
 .github/workflows/linux.yml | 8 ++++++--
 .github/workflows/osx.yml | 8 ++++++--
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 76a33f9..f6d9e27 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -10,7 +10,11 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Build the container
 run: docker build -f test/Dockerfile . -t sitespeedio/throttle
 - name: Test Throttle
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index c30e3e2..a768c7b 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -13,6 +13,10 @@ jobs:
 matrix:
 node-version: [24.x]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - name: Install throttle
 run: npm install @sitespeed.io/throttle -g
 - name: Install dependencies
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 6c811f1..ad1f9f7 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
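Review bot: The pin comments in this hunk mix granularities: `# v2.14.2` names the exact harden-runner release, while `# v6` on the new checkout line names only a major, so a reader cannot tell which v6.x release the SHA `de0fac2e…` corresponds to without resolving it. Tools that refresh SHA pins typically keep whatever comment form is already there, so the ambiguity survives future bumps. Using the full tag on the checkout and setup-node pins, e.g. `# v6.<minor>.<patch>` (placeholder — substitute the tag the SHA resolves to), keeps every pin in this series self-describing; the same applies to the linux.yml and osx.yml hunks of this patch.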
@@ -13,9 +13,13 @@ jobs:
 matrix:
 node-version: [20.x, 22.x, 24.x]
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 node-version: ${{ matrix.node-version }}
 - name: Install throttle
diff --git a/.github/workflows/osx.yml b/.github/workflows/osx.yml
index 5a4c55a..c97ec03 100644
--- a/.github/workflows/osx.yml
+++ b/.github/workflows/osx.yml
@@ -10,9 +10,13 @@ jobs:
 build:
 runs-on: macos-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 node-version: '20.x'
 - name: Install dependencies

From b48595532fbbb75e9a708fc94f3631f13a8fd50c Mon Sep 17 00:00:00 2001
From: Peter Hedenskog
Date: Fri, 3 Apr 2026 07:03:42 +0200
Subject: [PATCH 2/4] block

---
 .github/workflows/docker.yml | 10 +++++++++-
 .github/workflows/install.yml | 4 +++-
 .github/workflows/linux.yml | 6 +++++-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index f6d9e27..5d65fea 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
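Review bot: The Harden Runner step added to the `macos-latest` job in the osx.yml hunk may not be doing anything: Harden-Runner's egress monitoring is documented for GitHub-hosted Ubuntu runners, and I do not believe macOS runners are covered — this should be confirmed against the action's current supported-runner list before the job is treated as hardened. If macOS is unsupported, the step either no-ops or only warns, and the workflow file then suggests a control that is not in effect. Either drop the step from osx.yml, or keep it and add above it `# NOTE: verify harden-runner supports macos-latest; egress monitoring may not apply on this runner` so the gap is visible to the next reader.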
@@ -13,7 +13,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ auth.docker.io:443
+ github.com:443
+ production.cloudflare.docker.com:443
+ registry-1.docker.io:443
+ registry.npmjs.org:443
+ security.ubuntu.com:80
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Build the container
 run: docker build -f test/Dockerfile . -t sitespeedio/throttle
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index a768c7b..eb3b08d 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -16,7 +16,9 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ registry.npmjs.org:443
 - name: Install throttle
 run: npm install @sitespeed.io/throttle -g
 - name: Install dependencies
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index ad1f9f7..25af8bb 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -16,7 +16,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6

From e9e981d1f3885bd50a74aa25adaef253be285e85 Mon Sep 17 00:00:00 2001
From: Peter Hedenskog
Date: Fri, 3 Apr 2026 07:06:03 +0200
Subject: [PATCH 3/4] Fix: Error: Exclusivity flag on, cannot modify.

---
 lib/tc.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
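Review bot: Two of the new allowed endpoints in the docker.yml hunk, `archive.ubuntu.com:80` and `security.ubuntu.com:80`, are plaintext HTTP, and nothing in the hunk says why that is acceptable or where the list came from. For apt mirrors this is the normal transport (package integrity rests on apt's signature verification rather than on TLS), but someone auditing the allow list later will not know that, nor that the entries reflect whatever base image and packages `test/Dockerfile` pulled at the time of the audit run. Suggest a comment above `allowed-endpoints:` such as `# derived from the harden-runner audit run; ubuntu mirrors are HTTP by design (apt verifies signatures); revisit when test/Dockerfile changes`. The same provenance comment is worth adding to the install.yml and linux.yml hunks of this patch, whose lists will likewise drift when the installed packages change.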
diff --git a/lib/tc.js b/lib/tc.js
index 31750c2..2f7d41a 100644
--- a/lib/tc.js
+++ b/lib/tc.js
@@ -11,9 +11,11 @@ async function getDefaultInterface() {
 }
 
 // Fall back to finding the interface with a global IP address,
- // since the default route may be gone while throttling is active
+ // since the default route may be gone while throttling is active.
+ // Exclude virtual interfaces (docker, bridge, veth) that may have
+ // exclusive qdiscs.
 const addrResult = await shell(
- "ip -o -4 addr show scope global | awk '{print $2; exit}'"
+ "ip -o -4 addr show scope global | grep -v -E 'docker|br-|veth' | awk '{print $2; exit}'"
 );
 if (addrResult.stdout.trim().length > 0) {
 return addrResult.stdout.trim();

From 759a45a08795d1904cad9f0ef4254638125d357c Mon Sep 17 00:00:00 2001
From: Peter Hedenskog
Date: Fri, 3 Apr 2026 07:08:45 +0200
Subject: [PATCH 4/4] fixes

---
 .github/workflows/linux.yml | 6 +-----
 lib/tc.js | 6 ++----
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 25af8bb..ad1f9f7 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -16,11 +16,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
- egress-policy: block
- allowed-endpoints: >
- github.com:443
- nodejs.org:443
- registry.npmjs.org:443
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/lib/tc.js b/lib/tc.js
index 2f7d41a..31750c2 100644
--- a/lib/tc.js
+++ b/lib/tc.js
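Review bot: The new `grep -v -E 'docker|br-|veth'` in the tc.js hunk filters whole `ip -o -4 addr show` lines rather than the interface-name field, so a line is dropped if any of those substrings appears anywhere in it, and the intent ("exclude interfaces whose name starts with docker/br-/veth") is only approximately implemented. Anchoring the test on the name field inside the existing awk stage is more precise and removes a pipeline stage: `"ip -o -4 addr show scope global | awk '$2 !~ /^(docker|br-|veth)/ {print $2; exit}'"`. When every global-scope interface is filtered out, stdout is empty and the `length > 0` check in the context lines already falls through, so no new empty-output handling is needed. `getDefaultInterface` begins before this hunk.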
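Review bot: The linux.yml hunk of patch 4/4 drops egress enforcement for the linux job by reverting `egress-policy: block` to `audit`, while docker.yml and install.yml keep `block` from the previous patch, and the commit message `fixes` gives no reason. Presumably a required endpoint was missing from the three-entry allow list (setup-node and npm may contact hosts beyond `github.com`, `nodejs.org` and `registry.npmjs.org`, and the audit report of the failing run would name them); the narrower fix is to add those endpoints rather than disable blocking for the whole job. If audit has to stay for now, say so above the line: `# TODO: block reverted in 759a45a; complete the allow list from the audit report and re-enable block`. The tc.js hunk of the same patch reverts the previous commit's interface filter with the same lack of rationale, which leaves the "Exclusivity flag on" failure that commit addressed without a fix; a one-line note on why the filter was wrong would save the next maintainer from re-adding it.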
@@ -11,11 +11,9 @@ async function getDefaultInterface() {
 }
 
 // Fall back to finding the interface with a global IP address,
- // since the default route may be gone while throttling is active.
- // Exclude virtual interfaces (docker, bridge, veth) that may have
- // exclusive qdiscs.
+ // since the default route may be gone while throttling is active
 const addrResult = await shell(
- "ip -o -4 addr show scope global | grep -v -E 'docker|br-|veth' | awk '{print $2; exit}'"
+ "ip -o -4 addr show scope global | awk '{print $2; exit}'"
 );
 if (addrResult.stdout.trim().length > 0) {
 return addrResult.stdout.trim();