Skip to content

ci: update action step-security/harden-runner from 0634a26 to 5ef0c07 #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

ci: update action step-security/harden-runner from 0634a26 to 5ef0c07 #15

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Jun 14, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence OpenSSF
step-security/harden-runner v2.12.0v2.14.2 age adoption passing confidence OpenSSF Scorecard

Release Notes

step-security/harden-runner (step-security/harden-runner)

v2.14.2

Compare Source

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

Compare Source

What's Changed

  1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

  2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed
  • Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
  • Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

Compare Source

What's Changed
  • Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

Compare Source

What's Changed
  • Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
  • Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

v2.13.1

Compare Source

What's Changed

  • Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

  • Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

  • Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

v2.13.0

Compare Source

What's Changed

  • Improved job markdown summary
  • Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

Compare Source

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:

  • Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
  • Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

Compare Source

What's Changed
  • Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
  • Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added bot Bot involvement dependency Additions or changes involving dependency renovate Anything from renovatebot workflow Additions or changes involving workflow labels Jun 14, 2025
@renovate renovate bot requested a review from codeismyid as a code owner June 14, 2025 08:01
@renovate renovate bot added bot Bot involvement dependency Additions or changes involving dependency renovate Anything from renovatebot workflow Additions or changes involving workflow labels Jun 14, 2025
@codecov-commenter
Copy link

codecov-commenter commented Jun 14, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

✅ All tests successful. No failed tests found.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate bot force-pushed the renovate/github-tags/step-security-harden-runner-2.x branch from cdb6243 to 6d59a47 Compare July 6, 2025 16:04
@renovate renovate bot changed the title ci: update action step-security/harden-runner from 0634a26 to 002fdce ci: update action step-security/harden-runner from 0634a26 to 6c439dc Jul 6, 2025
@renovate renovate bot force-pushed the renovate/github-tags/step-security-harden-runner-2.x branch from 6d59a47 to cfc10dc Compare July 27, 2025 07:54
@renovate renovate bot changed the title ci: update action step-security/harden-runner from 0634a26 to 6c439dc ci: update action step-security/harden-runner from 0634a26 to ec9f2d5 Jul 27, 2025
@renovate renovate bot force-pushed the renovate/github-tags/step-security-harden-runner-2.x branch from cfc10dc to 9bb9042 Compare September 10, 2025 16:15
@renovate renovate bot changed the title ci: update action step-security/harden-runner from 0634a26 to ec9f2d5 ci: update action step-security/harden-runner from 0634a26 to f4a75cf Sep 10, 2025
@renovate renovate bot force-pushed the renovate/github-tags/step-security-harden-runner-2.x branch from 9bb9042 to 7ed1e3f Compare November 9, 2025 08:14
@renovate renovate bot changed the title ci: update action step-security/harden-runner from 0634a26 to f4a75cf ci: update action step-security/harden-runner from 0634a26 to 95d9a5d Nov 9, 2025
@renovate renovate bot force-pushed the renovate/github-tags/step-security-harden-runner-2.x branch from 7ed1e3f to 02ab050 Compare December 2, 2025 12:13
@renovate renovate bot changed the title ci: update action step-security/harden-runner from 0634a26 to 95d9a5d ci: update action step-security/harden-runner from 0634a26 to df199fb Dec 2, 2025
@renovate renovate bot force-pushed the renovate/github-tags/step-security-harden-runner-2.x branch from 02ab050 to df47a6e Compare December 10, 2025 07:05
@renovate renovate bot changed the title ci: update action step-security/harden-runner from 0634a26 to df199fb ci: update action step-security/harden-runner from 0634a26 to 20cf305 Dec 10, 2025
@renovate renovate bot force-pushed the renovate/github-tags/step-security-harden-runner-2.x branch from df47a6e to 2e6ee46 Compare January 26, 2026 07:44
@renovate renovate bot changed the title ci: update action step-security/harden-runner from 0634a26 to 20cf305 ci: update action step-security/harden-runner from 0634a26 to e3f713f Jan 26, 2026
@renovate renovate bot force-pushed the renovate/github-tags/step-security-harden-runner-2.x branch from 2e6ee46 to 775ae84 Compare February 7, 2026 04:16
@renovate renovate bot changed the title ci: update action step-security/harden-runner from 0634a26 to e3f713f ci: update action step-security/harden-runner from 0634a26 to 5ef0c07 Feb 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@codeismyid codeismyid Awaiting requested review from codeismyid codeismyid is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

bot Bot involvement dependency Additions or changes involving dependency renovate Anything from renovatebot workflow Additions or changes involving workflow

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@codecov-commenter