This repository has been archived on 2026-03-13. You can view files and clone it. You cannot open issues or pull requests or push a commit.
greywall/docs/recipes/ci.md

Recipe: CI jobs

Goal: make CI steps safer by default, with minimal egress and controlled writes.

Suggested baseline

{
  "network": {
    "allowedDomains": []
  },
  "filesystem": {
    "allowWrite": [".", "/tmp"]
  }
}

Run:

fence --settings ./fence.json -c "make test"

Add only what you need

Use monitor mode to discover what a job tries to reach:

fence -m --settings ./fence.json -c "make test"

Then allowlist only:

  • your artifact/cache endpoints
  • the minimum package registries required
  • any internal services the job must access
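
To keep the allowlist from growing past what was reviewed, a CI step can lint the settings file before the job runs. The following is an added example, not code from the greywall project: it assumes only the two keys shown in the suggested baseline, and the function name, the approved-domain list and the sample hostnames are hypothetical.

```python
import json
import posixpath

# Write paths from the page's suggested baseline.
BASELINE_WRITE = {".", "/tmp"}

def lint_settings(settings, approved_domains):
    """Return findings for entries that go beyond the reviewed allowlist."""
    findings = []
    approved = {d.lower().rstrip(".") for d in approved_domains}

    net = settings.get("network")
    domains = net.get("allowedDomains") if isinstance(net, dict) else None
    if not isinstance(domains, list):
        findings.append("network.allowedDomains missing or not a list")
        domains = []
    for d in domains:
        # Exact match only: any entry not reviewed verbatim is reported.
        if not isinstance(d, str) or d.lower().rstrip(".") not in approved:
            findings.append(f"unreviewed domain: {d!r}")

    fs = settings.get("filesystem")
    writes = fs.get("allowWrite") if isinstance(fs, dict) else None
    if not isinstance(writes, list):
        findings.append("filesystem.allowWrite missing or not a list")
        writes = []
    for p in writes:
        # Normalize so "/tmp/" passes while "../shared" or "/" does not.
        ok = isinstance(p, str) and p and posixpath.normpath(p) in BASELINE_WRITE
        if not ok:
            findings.append(f"write path outside baseline: {p!r}")
    return findings

# Constructed sample inputs (hostnames are placeholders, not real endpoints).
BASELINE = json.loads(
    '{"network": {"allowedDomains": []},'
    ' "filesystem": {"allowWrite": [".", "/tmp"]}}')
DRIFTED = json.loads(
    '{"network": {"allowedDomains":'
    ' ["cache.ci.example.internal", "downloads.example.net"]},'
    ' "filesystem": {"allowWrite": [".", "/tmp/", "../shared"]}}')
APPROVED = {"cache.ci.example.internal"}

if __name__ == "__main__":
    for finding in lint_settings(DRIFTED, APPROVED):
        print("FAIL:", finding)
```

Failing the pipeline on any finding means a new domain or write path reaches the job only after someone adds it to the approved list.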