It seems that virtually every guide and template I come across uses `egress-policy: audit`. Which makes me wonder why this isn't the default?
According to the documentation, the default policy is block. Which seems virtually unusable on GitHub because with that default policy, one can't even run the `actions/checkout` step (which is step 1 in nearly every GitHub Action).
Wouldn't it make more sense to have the most common/useful configuration be the default? So that the common case doesn't require configuration at all?
jasonkarns added a commit to step-security-bot/.github that referenced this issue (Jun 5, 2024)
Our goal is to prioritize security by default, which is why harden-runner defaults to the block policy if no egress-policy is explicitly defined.
While we understand that this might require additional configuration for common use cases, it ensures that users are making conscious decisions about the egress policy. By requiring an explicit specification of the audit policy, it is clear to anyone reading the workflow file that it is intentionally running in audit mode.
Thank you for your feedback, and please let us know if you have any further questions or suggestions!
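As an added illustration (not code from this issue or from the harden-runner project), here is what the explicit choice the maintainers describe looks like in a workflow file: one job opts into audit mode, the other keeps the default block policy and allow-lists the endpoint that `actions/checkout` needs. `egress-policy` and `allowed-endpoints` are real harden-runner inputs; that `github.com:443` is the only endpoint checkout requires is an assumption.

```yaml
# Added example, not from the issue or the harden-runner project.
# Two jobs showing the two explicit egress choices side by side.
name: ci
on: [push]

jobs:
  audit-mode:
    runs-on: ubuntu-latest
    steps:
      # Permissive setting: all outbound traffic is allowed and only logged,
      # so checkout works without an allow-list, but nothing is enforced.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4

  block-mode:
    runs-on: ubuntu-latest
    steps:
      # The default (block) written out explicitly, with an allow-list so
      # checkout can still reach GitHub. Endpoint is an assumption.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
      - uses: actions/checkout@v4
```

In block mode any outbound call not in `allowed-endpoints` fails, so the list documents exactly what the job is expected to talk to.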