chore(deps): Update GitHub Actions#33
Conversation
|
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
📝 Walkthrough
GitHub Actions workflows across the repository were updated to pin action and reusable workflow references to specific commit SHAs. step-security/harden-runner was upgraded to v2.19.4 across ten workflow jobs, supporting actions (checkout v6.0.3, setup-uv v8.2.0) were bumped, CodeQL actions were upgraded to v4.36.2, and five reusable workflow references were changed from branch pointers to deterministic commit pins.
Changes: Workflow Dependency Pinning
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks: ✅ 5 passed
Dependency Review
The following issues were found:
License Issues: .github/workflows/security-analysis.yml
OpenSSF Scorecard
Scanned Files
Pull request overview
Routine Renovate-driven dependency update for GitHub Actions across workflow files. Pins are updated to new SHAs with version comments, and two previously @main-referenced reusable workflows are now SHA-pinned, aligning with the repo's pinDigests policy.
Changes:
- Bump `step-security/harden-runner` to `9af89fc` (v2.19.4) across all workflows.
- Bump `github/codeql-action/{init,analyze}` to `7211b7c` (v4.36.0).
- Update `ByronWilliamsCPA/.github` reusable workflow refs to SHA `e75a86b`, including pinning previously-floating `@main` refs in `coverage.yml` and `qlty.yml`.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Updated harden-runner SHA to v2.19.4 in both jobs. |
| .github/workflows/codeql.yml | Updated harden-runner to v2.19.4 and codeql-action init/analyze to v4.36.0. |
| .github/workflows/coverage.yml | Pinned python-qlty-coverage reusable workflow from @main to SHA. |
| .github/workflows/pr-validation.yml | Updated harden-runner SHA to v2.19.4 across three jobs. |
| .github/workflows/python-compatibility.yml | Bumped reusable python-compatibility workflow SHA. |
| .github/workflows/qlty.yml | Pinned python-qlty-coverage reusable workflow from @main to SHA. |
| .github/workflows/reuse.yml | Updated harden-runner SHA to v2.19.4 in both jobs. |
| .github/workflows/scorecard.yml | Bumped reusable python-scorecard workflow SHA. |
| .github/workflows/security-analysis.yml | Bumped python-security-analysis reusable workflow SHA and harden-runner to v2.19.4. |
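The Copilot summary above describes the two states this PR leaves `uses:` references in: a 40-hex SHA with a trailing version comment, and former `@main` refs converted to `@<sha> # main`. As an added example for this thread, not code from the PR, Renovate or Copilot, the following script audits a workflow's `uses:` lines for exactly those states. The sample workflow text is constructed: its SHAs are the checkout v6.0.3 and python-qlty-coverage digests that appear in this PR, while the job names, the `actions/setup-python@v5` line and the set of branch names are assumptions.

```python
"""Audit `uses:` references in a GitHub Actions workflow for digest pinning.

Added example for this review thread; not Renovate's, Copilot's or the
repository's own code.  Reports three states:
  unpinned       - the ref is a tag or branch, not a 40-hex commit SHA
  branch-comment - a SHA pin whose trailing comment is a branch name, the
                   form Renovate's pinDigests leaves when it tracks a branch
                   (e.g. `@<sha> # main`)
  no-comment     - a SHA pin with no version comment, so nobody can tell
                   which version the digest is meant to be
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# `uses: <target>  # <comment>` at step level (`- uses:`) or job level (`uses:`).
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<target>[^\s#]+)\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BRANCH_NAMES = {"main", "master", "develop", "HEAD"}  # assumption: common branch names


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str   # owner/repo or owner/repo/path/to/workflow.yml
    ref: str      # whatever follows the '@'
    comment: str  # trailing '# ...' text, empty if none
    kind: str     # unpinned | branch-comment | no-comment


def audit_uses_refs(workflow_text: str) -> list[Finding]:
    """Scan workflow YAML text line by line and return pinning findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        comment = (m.group("comment") or "").strip()
        # Local composite actions and container images are not GitHub refs.
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue
        action, _, ref = target.rpartition("@")
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(line_no, action, ref, comment, "unpinned"))
        elif comment in BRANCH_NAMES:
            findings.append(Finding(line_no, action, ref, comment, "branch-comment"))
        elif not comment:
            findings.append(Finding(line_no, action, ref, comment, "no-comment"))
    return findings


# Constructed sample: SHAs taken from this PR, everything else made up.
SAMPLE_WORKFLOW = """\
jobs:
  quality:
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
  coverage:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main
  qlty:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@main
"""

if __name__ == "__main__":
    for f in audit_uses_refs(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.kind:<14} {f.action}@{f.ref}"
              + (f"  # {f.comment}" if f.comment else ""))
```

The script is text-based and works offline, so it cannot tell whether a digest really is the commit behind its comment; a new pin still deserves a `git ls-remote <repo> <tag-or-branch>` against the upstream repository. The `branch-comment` state is reported rather than judged: it is how Renovate's pinDigests records a branch it follows by digest, and the reviewer's decision is between keeping that and moving the reference to a tagged release.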
Force-pushed from 5f64bc2 to 309a04a
Force-pushed from f9760c8 to af22525
Socket: No dependency changes detected in pull request.
Force-pushed from 2147bbf to c8a2ade
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/coverage.yml:
- Line 26: Update the reusable workflow reference to remove the stale trailing
ref comment; in the line that uses
ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b
(the uses entry in the coverage.yml file), delete the trailing " # main"
annotation so the ref matches the SHA pin exactly and no longer misleads about
using the main branch.
In @.github/workflows/python-compatibility.yml:
- Line 38: Update the trailing comment on the uses line that currently reads "#
main" because the action is pinned to an immutable SHA; locate the line
beginning with "uses:
ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b"
and replace or remove the inaccurate comment—e.g., change it to "# pinned to
commit ab2a3856..." or remove the comment entirely so it no longer suggests the
ref is "main".
In @.github/workflows/qlty.yml:
- Line 18: The comment "# main" next to the pinned reusable workflow is
misleading because the workflow is pinned to a commit SHA; update the line
containing the uses declaration (the string starting with "uses:
ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b
# main") by either removing the "# main" comment or replacing it with an
accurate note reflecting the SHA (or a short explanation like "# pinned to
commit SHA") so the comment correctly represents the pinned reference.
In @.github/workflows/security-analysis.yml:
- Line 25: The workflow 'uses' ref is pinned to a commit SHA but still has a
trailing "# main" comment that is misleading; edit the line containing the uses
declaration (uses:
ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b)
to remove or replace the "# main" annotation (e.g., remove it or replace with a
note like "# pinned to commit ab2a385...") so the comment accurately reflects
that it's pinned to a specific commit.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 6fb54b3f-84ce-4433-847d-447d44986158
📒 Files selected for processing (9)
- .github/workflows/ci.yml
- .github/workflows/codeql.yml
- .github/workflows/coverage.yml
- .github/workflows/pr-validation.yml
- .github/workflows/python-compatibility.yml
- .github/workflows/qlty.yml
- .github/workflows/reuse.yml
- .github/workflows/scorecard.yml
- .github/workflows/security-analysis.yml
| name: Upload Coverage to Qlty | ||
| if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@main | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main |
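Review bot: before acting on the request to drop `# main` from the pinned line, check what Renovate does with that comment. With pinDigests enabled, Renovate writes the version or branch it tracks into the trailing comment and reads it back on the next run, so `@<sha> # main` is its representation of "follow main, pinned by digest", and the removed `@main` line is exactly what it converted from. Deleting the comment leaves a bare digest whose update behaviour then depends on Renovate's defaults, and replacing it with a tag comment only makes sense if ByronWilliamsCPA/.github publishes release tags. The `if:` condition also lets this job run on `workflow_dispatch` as well as on a successful `workflow_run`, so on either trigger it is the SHA, not the branch, that now determines which reusable workflow code executes.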
Fix the trailing ref annotation.
# main is stale after switching this reusable workflow to a commit SHA pin.
| compatibility: | ||
| name: Python Compatibility Matrix | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@c22009ccaab0d3234819d30d9d7a03d53c531cb9 # main | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main |
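Review bot: the removed line already read `@c22009c... # main`, so this reference was SHA-pinned with a `# main` comment before this PR; the comment is Renovate's record of the branch it follows by digest, not a leftover from a floating ref, and the move from c22009c to ab2a3856 is that tracking in action. What the comment alone cannot prove, and what is worth checking at review time, is that ab2a3856 is a commit reachable from main in ByronWilliamsCPA/.github (for example `git ls-remote https://github.com/ByronWilliamsCPA/.github refs/heads/main`, then `git merge-base --is-ancestor ab2a3856e5292b9dcaed1d8a54c221f2074a549b <main-head>` in a clone), since a digest pin is only as trustworthy as the process that produced it.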
Correct the outdated comment.
The workflow now references an immutable SHA, so # main no longer describes this line accurately.
| qlty: | ||
| if: ${{ github.event.workflow_run.conclusion == 'success' }} | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@main | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main |
Remove or update the stale # main note.
The reusable workflow is pinned to a commit SHA here, so keeping # main is misleading.
| pull-requests: write | ||
| actions: read | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@c22009ccaab0d3234819d30d9d7a03d53c531cb9 # main | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main |
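Review bot: this caller grants the reusable workflow `pull-requests: write` and `actions: read`, so the token handed to it can comment on and modify pull requests in this repository. With the reference now a fixed commit rather than a moving branch head, the code that receives that token no longer changes without a PR here, which is the concrete benefit of the pin on this line and a good reason to keep the permissions block as narrow as it is.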
Update the stale ref comment.
This line is pinned to a commit SHA now, so the trailing # main annotation is misleading and will confuse future updates.
Force-pushed from 2e56889 to ab1c84a
Force-pushed from 727a596 to 1d5888b
Force-pushed from 2f8d577 to fbd7ba6
Actionable comments posted: 2
♻️ Duplicate comments (1)
.github/workflows/security-analysis.yml (1)
25-25: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Misleading `# main` annotations on SHA-pinned reusable workflows. Both reusable workflow references are pinned to specific commit SHAs but retain trailing `# main` comments, which incorrectly suggest they track the main branch.
- .github/workflows/security-analysis.yml#L25-L25: Remove `# main` from the python-security-analysis.yml reusable workflow reference.
- .github/workflows/coverage.yml#L26-L26: Remove `# main` from the python-qlty-coverage.yml reusable workflow reference.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/security-analysis.yml at line 25, The reusable workflow references in both files are pinned to specific commit SHAs but include trailing `# main` comments that incorrectly indicate they track the main branch. In `.github/workflows/security-analysis.yml` at line 25, remove the `# main` comment from the end of the python-security-analysis.yml workflow reference line. In `.github/workflows/coverage.yml` at line 26, remove the `# main` comment from the end of the python-qlty-coverage.yml workflow reference line. This will make the annotations consistent with the actual SHA-pinned references.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 37: Add the security configuration `with: persist-credentials: false` to
all checkout action invocations to prevent credential leakage through GitHub
Actions artifacts. In `.github/workflows/ci.yml` at lines 37-37 (quality job
checkout step) and 118-118 (dependency-review job checkout step), add the `with:
persist-credentials: false` configuration to the respective `actions/checkout`
uses statements. Similarly, in `.github/workflows/reuse.yml` at lines 35-35
(reuse job checkout step) and 63-63 (validate-licenses job checkout step), add
the same `with: persist-credentials: false` configuration to each
`actions/checkout` uses statement.
In @.github/workflows/dependency-review.yml:
- Around line 23-24: The checkout action in the Checkout repository step is
unnecessarily persisting GitHub token credentials in git config, creating a
security risk. Add the `persist-credentials: false` option to the
actions/checkout action to disable credential persistence, since this workflow
only needs the checked-out files and does not require git authentication for
subsequent steps.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: e1e251c8-8328-4871-8a05-dc659ba466a4
📒 Files selected for processing (10)
- .github/workflows/ci.yml
- .github/workflows/codeql.yml
- .github/workflows/coverage.yml
- .github/workflows/dependency-review.yml
- .github/workflows/pr-validation.yml
- .github/workflows/python-compatibility.yml
- .github/workflows/qlty.yml
- .github/workflows/reuse.yml
- .github/workflows/scorecard.yml
- .github/workflows/security-analysis.yml
🚧 Files skipped from review as they are similar to previous changes (5)
- .github/workflows/qlty.yml
- .github/workflows/scorecard.yml
- .github/workflows/python-compatibility.yml
- .github/workflows/codeql.yml
- .github/workflows/pr-validation.yml
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
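Review bot: the hunk only moves the digest and version comment, but since this step is being edited anyway it is the natural place to add `with: persist-credentials: false`, as zizmor flags below. One caveat before applying it to all four checkouts: with persistence off, any later step in the same job that pushes, tags or fetches private refs through plain `git` will no longer authenticate, so confirm that the rest of each job only needs the checked-out files; a step that must push should be given a token explicitly rather than rely on the one checkout leaves in `.git/config`.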
Missing `persist-credentials: false` on checkout actions across workflows. All four checkout action invocations lack the `persist-credentials: false` safeguard, which prevents credential leakage through GitHub Actions artifacts (artipacked vulnerability).
- .github/workflows/ci.yml#L37-L37: Add `with: persist-credentials: false` to the quality job checkout step.
- .github/workflows/ci.yml#L118-L118: Add `with: persist-credentials: false` to the dependency-review job checkout step.
- .github/workflows/reuse.yml#L35-L35: Add `with: persist-credentials: false` to the reuse job checkout step.
- .github/workflows/reuse.yml#L63-L63: Add `with: persist-credentials: false` to the validate-licenses job checkout step.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 36-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
📍 Affects 2 files
- .github/workflows/ci.yml#L37-L37 (this comment)
- .github/workflows/ci.yml#L118-L118
- .github/workflows/reuse.yml#L35-L35
- .github/workflows/reuse.yml#L63-L63
Source: Linters/SAST tools
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
Disable persisted checkout credentials.
This job only needs the checked-out files, so keeping the GitHub token in git config is unnecessary exposure. Add persist-credentials: false to reduce the blast radius if a later step or action is compromised.
Suggested change
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
Source: Linters/SAST tools
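The zizmor "artipacked" findings above ask for `persist-credentials: false` without showing what is at stake. As an added example for this thread, not code from the PR, actions/checkout or zizmor, the script below does two things: it recovers a token from a `.git/config` laid out the way actions/checkout writes it by default (an `http.<url>.extraheader` basic-auth header whose value is base64 of `x-access-token:<token>`), and it lists the checkout steps in a workflow that do not set `persist-credentials: false`. The token, the repository URL and the sample workflow are constructed; the checkout SHA in the sample is the v6.0.3 digest from this PR.

```python
"""What a persisted checkout leaves behind, and how to find steps that do it.

Added example for this review thread; not code from the PR, actions/checkout
or zizmor.  actions/checkout defaults to persist-credentials: true and stores
the job token in the repository's .git/config as an HTTP extra header so that
later git commands authenticate.  Anything that later packages the workspace
with .git/ inside (an artifact upload, a build context, a cache) carries the
token with it, which is the "artipacked" finding.
"""
from __future__ import annotations

import base64
import re

# Constructed token and config; the layout matches what actions/checkout writes.
FAKE_TOKEN = "ghs_CONSTRUCTEDexampletoken0000"
GIT_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    '[remote "origin"]\n'
    "\turl = https://github.com/example/repo\n"
    '[http "https://github.com/"]\n'
    "\textraheader = AUTHORIZATION: basic "
    + base64.b64encode(f"x-access-token:{FAKE_TOKEN}".encode()).decode()
    + "\n"
)

EXTRAHEADER_RE = re.compile(
    r"^\s*extraheader\s*=\s*AUTHORIZATION:\s*basic\s+(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def extract_persisted_token(git_config: str) -> str | None:
    """Recover the token from a .git/config written by a persisted checkout.

    This is all anyone holding an artifact that contains .git/ has to do.
    """
    m = EXTRAHEADER_RE.search(git_config)
    if not m:
        return None
    user, _, secret = base64.b64decode(m.group(1)).decode().partition(":")
    return secret if user == "x-access-token" else None


CHECKOUT_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*actions/checkout@")
PERSIST_FALSE_RE = re.compile(r"""^\s*persist-credentials:\s*['"]?false['"]?\s*(#.*)?$""")


def checkout_steps_without_persist_false(workflow_text: str) -> list[int]:
    """Return 1-based line numbers of actions/checkout steps keeping the default.

    Handles the two step layouts seen in this repo (`- uses:` and `- name:`
    followed by `uses:`); YAML anchors and flow-style mappings are not parsed.
    """
    lines = workflow_text.splitlines()
    missing: list[int] = []
    for idx, line in enumerate(lines):
        if not CHECKOUT_RE.match(line):
            continue
        key_col = line.index("uses:")  # column where this step's keys start
        found = False
        for nxt in lines[idx + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_col:
                break  # left the step: next `- ` item or the parent mapping
            if PERSIST_FALSE_RE.match(nxt):
                found = True
                break
        if not found:
            missing.append(idx + 1)
    return missing


# Constructed workflow: one compliant checkout (line 10) and two that are not.
SAMPLE_WORKFLOW = """\
jobs:
  quality:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - run: make test
  dependency-review:
    steps:
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
"""

if __name__ == "__main__":
    print("token recoverable from .git/config:", extract_persisted_token(GIT_CONFIG))
    print("checkout steps without persist-credentials: false, lines:",
          checkout_steps_without_persist_false(SAMPLE_WORKFLOW))
```

The first function is the attacker's side of the finding: decoding the header is one line once the file is in hand, and the resulting token carries whatever `permissions:` the job granted for as long as the run lasts. The second is the reviewer's side and is deliberately line-based so it runs with no dependencies; for anything beyond plain block-style steps, use zizmor itself, which is what produced the findings in this thread.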
Force-pushed from be0e272 to 46815ee
♻️ Duplicate comments (5)
.github/workflows/reuse.yml (2)
34-35: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Still missing `persist-credentials: false` on checkout. This repeats the earlier checkout-credential finding: the REUSE job still persists credentials in git config. Please add `persist-credentials: false`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/reuse.yml around lines 34 - 35, The Checkout repository step using actions/checkout is missing the persist-credentials: false configuration option, which allows credentials to persist in the git config. Add the with parameter section to the actions/checkout step and set persist-credentials to false to prevent credential persistence in git config for the REUSE job.
Source: Linters/SAST tools
62-63: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Still missing `persist-credentials: false` on checkout. Same issue in the license-validation job: `actions/checkout` still keeps credentials in git config. Disable it here as well.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/reuse.yml around lines 62 - 63, The "Checkout repository" step using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 is missing the persist-credentials configuration parameter. Add `persist-credentials: false` as an input parameter to the actions/checkout step to prevent git credentials from being persisted in the git config, matching the security configuration pattern used elsewhere in the workflow.
Source: Linters/SAST tools
.github/workflows/dependency-review.yml (1)
24-24: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Still missing `persist-credentials: false` on checkout. The checkout step still persists the GitHub token in git config, which is the same artipacked exposure previously flagged. Add `persist-credentials: false`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/dependency-review.yml at line 24, The checkout action in the workflow does not disable credential persistence, which leaves the GitHub token vulnerable to exposure in git config. Add the `persist-credentials: false` option to the `with` section of the `actions/checkout` action to prevent the token from being stored in git configuration.
Source: Linters/SAST tools
.github/workflows/ci.yml (2)
117-118: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Still missing `persist-credentials: false` on checkout. Same issue as above: this `actions/checkout` step still leaves credentials persisted in git config. Please disable that here too.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 117 - 118, The Checkout step using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 is missing the persist-credentials: false configuration, which leaves credentials persisted in git config. Add a with section to this step that includes persist-credentials: false to prevent credentials from being persisted in the git configuration.
Source: Linters/SAST tools
36-37: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Still missing `persist-credentials: false` on checkout. This repeats the earlier artipacked finding: `actions/checkout` is still persisting credentials in git config here. Add `persist-credentials: false`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 36 - 37, The checkout step using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 is missing the persist-credentials configuration which allows credentials to be persisted in git config. Add the with section to the Checkout step and include persist-credentials set to false to prevent credentials from being stored in the git configuration.
Source: Linters/SAST tools
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: c3d8571b-68fe-42d0-8111-2e73d2208d01
📒 Files selected for processing (10)
- .github/workflows/ci.yml
- .github/workflows/codeql.yml
- .github/workflows/coverage.yml
- .github/workflows/dependency-review.yml
- .github/workflows/pr-validation.yml
- .github/workflows/python-compatibility.yml
- .github/workflows/qlty.yml
- .github/workflows/reuse.yml
- .github/workflows/scorecard.yml
- .github/workflows/security-analysis.yml
✅ Files skipped from review due to trivial changes (3)
- .github/workflows/python-compatibility.yml
- .github/workflows/pr-validation.yml
- .github/workflows/security-analysis.yml
🚧 Files skipped from review as they are similar to previous changes (3)
- .github/workflows/codeql.yml
- .github/workflows/scorecard.yml
- .github/workflows/qlty.yml
Force-pushed from 29f617c to 469fed0
Force-pushed from 469fed0 to 1369b41
Summary
Why
Scheduled patch update, bug fixes and security patches with no API changes.
Changes
This PR contains the following updates:
| Package | Change |
|---|---|
| ByronWilliamsCPA/.github (reusable workflows) | c22009c → 4b12bfe |
| actions/checkout | v6.0.2 → v6.0.3 |
| astral-sh/setup-uv | v8.1.0 → v8.2.0 |
| github/codeql-action | v4.35.3 → v4.36.2 |
| step-security/harden-runner | v2.10.1 → v2.19.4 |
| step-security/harden-runner | v2.19.1 → v2.19.4 |
Release Notes
actions/checkout (actions/checkout)
v6.0.3
astral-sh/setup-uv (astral-sh/setup-uv)
v8.2.0: 🌈 New inputs `quiet` and `download-from-astral-mirror`
Changes
This release brings two new inputs and a few bug fixes.
New inputs
Let's talk about the new inputs first.
quiet
Pretty simple. It turns off all `info` logging. Useful if you use this in a composite action and are not interested in all the details. In the upcoming releases we will add log groups to fully implement support for "less noise".
download-from-astral-mirror
In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting `download-from-astral-mirror: false` allows you to do that.
Bugfixes
When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.
We couldn't pinpoint all root causes yet but added more logging for error cases to track them down.
🐛 Bug fixes
🚀 Enhancements
`download-from-astral-mirror` input @eifinger (#897)
🧰 Maintenance
⬆️ Dependency updates
github/codeql-action (github/codeql-action)
v4.36.2
v4.36.1
No user facing changes.
v4.36.0
v4.35.5
... `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
v4.35.4
step-security/harden-runner (step-security/harden-runner)
v2.19.4
What's Changed
Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4
v2.19.3
What's Changed
Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3
v2.19.2
What's Changed
Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2
v2.19.1
What's Changed
What the fix changes
... `ubuntu-slim` runners and exit cleanly with an informational log message, instead of the post harden-runner step failing on `chown: invalid user: 'undefined'`.
What the fix does not do
`ubuntu-slim` will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of `ubuntu-slim` via workflow run policies; see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.
New Contributors
Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1
v2.19.0
What's Changed
New Runner Support
Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.
Automated Incident Response for Supply Chain Attacks
Bug Fixes
Windows and macOS: stability and reliability fixes
Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0
v2.18.0
What's Changed
Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.
Deploy on Self-Hosted VM: Added `deploy-on-self-hosted-vm` input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.
Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0
v2.17.0
What's Changed
Policy Store Support
Added `use-policy-store` and `api-key` inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing `policy` input, which requires `id-token: write` permission. If no policy is found in the store, the action defaults to audit mode.
Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0
v2.16.1
What's Changed
Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint
Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1
v2.16.0
What's Changed
Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0
v2.15.1
What's Changed
Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1
v2.15.0
What's Changed
Windows and macOS runner support
We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.
Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.
Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0
v2.14.2 (Compare Source)
What's Changed
Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.
Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2
v2.14.1 (Compare Source)
What's Changed
In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.
Fixed npm audit vulnerabilities
Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1
v2.14.0 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0
v2.13.3 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3
v2.13.2 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2
v2.13.1 (Compare Source)
What's Changed
Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.
Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.
Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.
Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1
v2.13.0 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2...v2.13.0
v2.12.2 (Compare Source)
What's Changed
Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:
Full Changelog: step-security/harden-runner@v2...v2.12.2
v2.12.1 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2...v2.12.1
v2.12.0 (Compare Source)
What's Changed
A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.
New detections have been added based on insights from the tj-actions and reviewdog actions incidents.
Full Changelog: step-security/harden-runner@v2...v2.12.0
v2.11.1 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2...v2.11.1
v2.11.0 (Compare Source)
What's Changed
Release v2.11.0 in #498
Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring
Full Changelog: step-security/harden-runner@v2...v2.11.0
v2.10.4 (Compare Source)
What's Changed
Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.
Full Changelog: step-security/harden-runner@v2...v2.10.4
v2.10.3 (Compare Source)
What's Changed
Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.
Full Changelog: step-security/harden-runner@v2...v2.10.3
v2.10.2 (Compare Source)
What's Changed
Fixes low-severity command injection weaknesses
The advisory is here: GHSA-g85v-wf27-67xc
Bug fix to improve detection of whether Harden-Runner is running in a container
Full Changelog: step-security/harden-runner@v2...v2.10.2
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.
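As an added example, not code from this Renovate PR or from the harden-runner project itself, the following job shows how the inputs described in the v2.17.0 and v2.12.0 release notes above fit together with the SHA-pinning practice this PR applies: the action is referenced by a full commit SHA with a version comment, egress is restricted to an explicit allow list, and disable-sudo-and-containers replaces the older disable-sudo policy. The 40-zero SHAs are placeholders (the page only shows the prefix 9af89fc for v2.19.4), allowed-endpoints is the action's existing allow-list input, the listed hostnames and the build command are assumptions, and the Policy Store variant (use-policy-store with api-key) is left commented as the alternative to inline inputs.

```yaml
name: build

on:
  pull_request:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the first step so that every later step's egress
      # and runtime activity is monitored. Pin to a full 40-character commit
      # SHA, not a moving tag; the SHA below is a placeholder.
      - name: Harden the runner
        uses: step-security/harden-runner@0000000000000000000000000000000000000000 # v2.19.4 (placeholder SHA)
        with:
          # Run once with "audit", review the reported destinations, then
          # switch to "block" so unexpected egress fails the job.
          egress-policy: block
          # Destinations assumed for a job that only talks to GitHub; tune
          # this list from the audit-mode insights of your own workflow.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
          # Replaces the older disable-sudo policy (v2.12.0 notes,
          # CVE-2025-32955): blocks both sudo and container-based escalation.
          disable-sudo-and-containers: true
          # Policy Store alternative (v2.17.0 notes): fetch the policy attached
          # at workflow, repo, org or cluster level instead of inlining it.
          # The secret name is an assumption.
          # use-policy-store: true
          # api-key: ${{ secrets.STEP_SECURITY_API_KEY }}

      - name: Check out source
        uses: actions/checkout@0000000000000000000000000000000000000000 # v6.0.3 (placeholder SHA)
        with:
          # Do not leave the job token in .git/config for later steps to read.
          persist-credentials: false

      # Placeholder build step; any later step inherits the egress policy above.
      - name: Build and test
        run: make test
```

Because the Global Block List introduced in v2.18.0 applies even in audit mode, the audit-then-block rollout above still gives immediate protection against known IOCs during the audit phase, while the allow list is being tuned.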