Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci(action): update step-security/harden-runner action to v2.10.1 (#882)
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | minor | `v2.7.0` -> `v2.10.1` | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/harden-runner/badge)](https://securityscorecards.dev/viewer/?uri=github.com/step-security/harden-runner) |

---

### Release Notes

<details>
<summary>step-security/harden-runner (step-security/harden-runner)</summary>

### [`v2.10.1`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.10.1)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.10.0...v2.10.1)

##### What's Changed

Release v2.10.1 by [@varunsh-coder](https://redirect.github.com/varunsh-coder) in [https://github.com/step-security/harden-runner/pull/463](https://redirect.github.com/step-security/harden-runner/pull/463)

Bug fix: Resolves an issue where DNS resolution of .local domains was failing when using a Kind cluster in a GitHub Actions workflow.

**Full Changelog**: step-security/harden-runner@v2...v2.10.1

### [`v2.10.0`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.10.0)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.9.1...v2.10.0)

#### What's Changed

Release v2.10.0 by [@h0x0er](https://redirect.github.com/h0x0er) and [@varunsh-coder](https://redirect.github.com/varunsh-coder) in [https://github.com/step-security/harden-runner/pull/455](https://redirect.github.com/step-security/harden-runner/pull/455)

**ARM Support**: Harden-Runner Enterprise tier now supports GitHub-hosted ARM runners. This includes all the features that apply to previously supported GitHub-hosted x64 Linux runners.

**Full Changelog**: step-security/harden-runner@v2...v2.10.0

### [`v2.9.1`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.9.1)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.9.0...v2.9.1)

##### What's Changed

Release v2.9.1 by [@h0x0er](https://redirect.github.com/h0x0er) and [@varunsh-coder](https://redirect.github.com/varunsh-coder) in [#440](https://redirect.github.com/step-security/harden-runner/issues/440)

This release includes two changes:

1. Updated markdown displayed in the job summary by the Harden-Runner Action.
2. Fixed a bug affecting Enterprise Tier customers where the agent attempted to upload telemetry for jobs with disable-telemetry set to true. No telemetry was uploaded as the endpoint was not in the allowed list.

**Full Changelog**: step-security/harden-runner@v2...v2.9.1

### [`v2.9.0`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.9.0)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.8.1...v2.9.0)

##### What's Changed

Release v2.9.0 by [@h0x0er](https://redirect.github.com/h0x0er) and [@varunsh-coder](https://redirect.github.com/varunsh-coder) in [https://github.com/step-security/harden-runner/pull/435](https://redirect.github.com/step-security/harden-runner/pull/435)

This release includes:

- Enterprise Tier - Telemetry Upload Enhancement: For the enterprise tier, this change helps overcome size constraints, allowing for more reliable telemetry uploads from the Harden-Runner agent to the StepSecurity backend API. No configuration change is needed to enable this.
- Harden-Runner Agent Authentication: The Harden-Runner agent now uses a per-job key to authenticate to the StepSecurity backend API to submit telemetry. This change prevents the submission of telemetry data anonymously for a given job, improving the integrity of the data collection process. No configuration change is needed to enable this.
- README Update: A Table of Contents has been added to the README file to improve navigation. This makes it easier for users to find the information they need quickly.
- Dependency Update: Updated the `braces` npm package dependency to a non-vulnerable version. The vulnerability in `braces` did not affect the Harden Runner Action.

**Full Changelog**: step-security/harden-runner@v2...v2.9.0

### [`v2.8.1`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.8.1)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.8.0...v2.8.1)

##### What's Changed

- Bug fix: Update isGitHubHosted implementation by [@varunsh-coder](https://redirect.github.com/varunsh-coder) in [https://github.com/step-security/harden-runner/pull/425](https://redirect.github.com/step-security/harden-runner/pull/425)

The previous implementation incorrectly identified large GitHub-hosted runners as self-hosted runners. As a result, harden-runner was not executing on these large GitHub-hosted runners.

**Full Changelog**: step-security/harden-runner@v2...v2.8.1

### [`v2.8.0`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.8.0)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.7.1...v2.8.0)

##### What's Changed

Release v2.8.0 by [@h0x0er](https://redirect.github.com/h0x0er) and [@varunsh-coder](https://redirect.github.com/varunsh-coder) in [https://github.com/step-security/harden-runner/pull/416](https://redirect.github.com/step-security/harden-runner/pull/416)

This release includes:

- File Monitoring Enhancements: Adds the capability to view the name and path of every file written during the build process.
- Process Tracking Enhancements: Adds the capability to view process names and arguments of processes run during the build process.

These enhancements are based on insights from the XZ Utils incident, aimed at improving observability and detections during the build process.

**Full Changelog**: step-security/harden-runner@v2...v2.8.0

### [`v2.7.1`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.7.1)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.7.0...v2.7.1)

##### What's Changed

Release v2.7.1 by [@varunsh-coder](https://redirect.github.com/varunsh-coder), [@h0x0er](https://redirect.github.com/h0x0er), [@ashishkurmi](https://redirect.github.com/ashishkurmi) in [https://github.com/step-security/harden-runner/pull/397](https://redirect.github.com/step-security/harden-runner/pull/397)

This release:

- Improves the capability to [inspect outbound HTTPS traffic](https://www.stepsecurity.io/blog/monitor-outbound-https-requests-from-github-actions-runners) on GitHub-hosted and self-hosted VM runners
- Updates README to add link to [case study video](https://www.youtube.com/watch?v=Yz72qAOrN9s) on how Harden-Runner detected a supply chain attack on a Google open-source project
- Addresses minor bugs

**Full Changelog**: step-security/harden-runner@v2.7.0...v2.7.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 5am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/kelektiv/node-cron).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM4LjU5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>