ci(action): update step-security/harden-runner action to v2.10.1 (#882)
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | minor | `v2.7.0` -> `v2.10.1` | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/harden-runner/badge)](https://securityscorecards.dev/viewer/?uri=github.com/step-security/harden-runner) |

---

### Release Notes

<details>
<summary>step-security/harden-runner
(step-security/harden-runner)</summary>

### [`v2.10.1`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.10.1)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.10.0...v2.10.1)

##### What's Changed

Release v2.10.1 by
[@&#8203;varunsh-coder](https://redirect.github.com/varunsh-coder) in
[https://github.com/step-security/harden-runner/pull/463](https://redirect.github.com/step-security/harden-runner/pull/463)
Bug fix: Resolves an issue where DNS resolution of .local domains was
failing when using a Kind cluster in a GitHub Actions workflow.

**Full Changelog**:
step-security/harden-runner@v2...v2.10.1

### [`v2.10.0`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.10.0)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.9.1...v2.10.0)

##### What's Changed

Release v2.10.0 by [@&#8203;h0x0er](https://redirect.github.com/h0x0er)
and [@&#8203;varunsh-coder](https://redirect.github.com/varunsh-coder)
in
[https://github.com/step-security/harden-runner/pull/455](https://redirect.github.com/step-security/harden-runner/pull/455)

**ARM Support**: Harden-Runner Enterprise tier now supports
GitHub-hosted ARM runners. This includes all the features that apply to
previously supported GitHub-hosted x64 Linux runners.

**Full Changelog**:
step-security/harden-runner@v2...v2.10.0

### [`v2.9.1`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.9.1)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.9.0...v2.9.1)

##### What's Changed

Release v2.9.1 by [@&#8203;h0x0er](https://redirect.github.com/h0x0er)
and [@&#8203;varunsh-coder](https://redirect.github.com/varunsh-coder)
in
[#&#8203;440](https://redirect.github.com/step-security/harden-runner/issues/440)
This release includes two changes:

1. Updated markdown displayed in the job summary by the Harden-Runner
Action.
2. Fixed a bug affecting Enterprise Tier customers where the agent
attempted to upload telemetry for jobs with disable-telemetry set to
true. No telemetry was uploaded as the endpoint was not in the allowed
list.

**Full Changelog**:
step-security/harden-runner@v2...v2.9.1

### [`v2.9.0`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.9.0)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.8.1...v2.9.0)

##### What's Changed

Release v2.9.0 by [@&#8203;h0x0er](https://redirect.github.com/h0x0er)
and [@&#8203;varunsh-coder](https://redirect.github.com/varunsh-coder)
in
[https://github.com/step-security/harden-runner/pull/435](https://redirect.github.com/step-security/harden-runner/pull/435)
This release includes:

-   Enterprise Tier - Telemetry Upload Enhancement:
For the enterprise tier, this change helps overcome size constraints,
allowing for more reliable telemetry uploads from the Harden-Runner
agent to the StepSecurity backend API. No configuration change is needed
to enable this.
-   Harden-Runner Agent Authentication:
The Harden-Runner agent now uses a per-job key to authenticate to the
StepSecurity backend API to submit telemetry. This change prevents the
submission of telemetry data anonymously for a given job, improving the
integrity of the data collection process. No configuration change is
needed to enable this.
-   README Update:
A Table of Contents has been added to the README file to improve
navigation. This makes it easier for users to find the information they
need quickly.
-   Dependency Update:
Updated the `braces` npm package dependency to a non-vulnerable version.
The vulnerability in `braces` did not affect the Harden Runner Action.

**Full Changelog**:
step-security/harden-runner@v2...v2.9.0

### [`v2.8.1`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.8.1)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.8.0...v2.8.1)

##### What's Changed

- Bug fix: Update isGitHubHosted implementation by
[@&#8203;varunsh-coder](https://redirect.github.com/varunsh-coder) in
[https://github.com/step-security/harden-runner/pull/425](https://redirect.github.com/step-security/harden-runner/pull/425)
The previous implementation incorrectly identified large GitHub-hosted
runners as self-hosted runners. As a result, harden-runner was not
executing on these large GitHub-hosted runners.

**Full Changelog**:
step-security/harden-runner@v2...v2.8.1

### [`v2.8.0`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.8.0)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.7.1...v2.8.0)

##### What's Changed

Release v2.8.0 by [@&#8203;h0x0er](https://redirect.github.com/h0x0er)
and [@&#8203;varunsh-coder](https://redirect.github.com/varunsh-coder)
in
[https://github.com/step-security/harden-runner/pull/416](https://redirect.github.com/step-security/harden-runner/pull/416)
This release includes:

- File Monitoring Enhancements: Adds the capability to view the name and
path of every file written during the build process.
- Process Tracking Enhancements: Adds the capability to view process
names and arguments of processes run during the build process.

These enhancements are based on insights from the XZ Utils incident,
aimed at improving observability and detections during the build
process.

**Full Changelog**:
step-security/harden-runner@v2...v2.8.0

### [`v2.7.1`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.7.1)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.7.0...v2.7.1)

##### What's Changed

Release v2.7.1 by
[@&#8203;varunsh-coder](https://redirect.github.com/varunsh-coder),
[@&#8203;h0x0er](https://redirect.github.com/h0x0er),
[@&#8203;ashishkurmi](https://redirect.github.com/ashishkurmi) in
[https://github.com/step-security/harden-runner/pull/397](https://redirect.github.com/step-security/harden-runner/pull/397)
This release:

- Improves the capability to [inspect outbound HTTPS
traffic](https://www.stepsecurity.io/blog/monitor-outbound-https-requests-from-github-actions-runners)
on GitHub-hosted and self-hosted VM runners
- Updates README to add link to [case study
video](https://www.youtube.com/watch?v=Yz72qAOrN9s) on how Harden-Runner
detected a supply chain attack on a Google open-source project
- Addresses minor bugs

**Full Changelog**:
step-security/harden-runner@v2.7.0...v2.7.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 5am every weekday,every
weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/kelektiv/node-cron).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate[bot] authored Nov 7, 2024
1 parent 2d00739 commit b09438e
Showing 5 changed files with 5 additions and 5 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
Expand Up @@ -30,7 +30,7 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
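Review bot: the `# v2.10.1` trailer on the `uses:` line is a comment only; the commit SHA `91182cccc01eb5e619899d80e4e971d6181294a7` is what actually executes, so before merging confirm that tag `v2.10.1` of step-security/harden-runner resolves to exactly this SHA (for example with `git ls-remote --tags` against the upstream repository) rather than trusting the annotation. The version comment is also what Renovate reads to track the pin, so the SHA and the comment must be kept in sync on any future manual bump.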

2 changes: 1 addition & 1 deletion .github/workflows/lint_pr_title.yml
Expand Up @@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
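Review bot: the `egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs` context line is carried over unchanged, so this workflow still only records outbound connections and blocks nothing. The pin sat at v2.7.0 long enough for the "couple of runs" to have happened; this bump is a natural point to take the endpoints reported in the job summary, list them under `allowed-endpoints`, and switch to `egress-policy: block`. A PR-title lint job needs almost no egress, so it is the easiest of the five workflows to lock down first.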

2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -18,7 +18,7 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
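Review bot: the same unchanged `egress-policy: audit` TODO appears here, and this is the workflow where it matters most: a release job holds publishing credentials, and the v2.8.0 notes above cite the XZ Utils incident as the motivation for the file-write and process tracking this version adds. In audit mode those events are recorded but no connection is blocked. Record in the PR which audit runs were reviewed before moving this file to `block`, and keep its allow-list limited to the registry and API endpoints the release step actually needs rather than copying a list from another workflow.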

2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Expand Up @@ -31,7 +31,7 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
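Review bot: the `uses:` line here is identical to the other four files, which is the consistency a reviewer wants, and it is worth noting that this Scorecard workflow is what feeds the OpenSSF badge shown in the PR table, including its Pinned-Dependencies check. A full commit SHA followed by a `# vX.Y.Z` comment is the form that check recognises; keep this style if the action is ever bumped by hand instead of by Renovate, and do not fall back to a floating `@v2` reference.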

2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Expand Up @@ -38,7 +38,7 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
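Review bot: this is the one workflow where the v2.10.1 bug fix in the notes (DNS resolution of `.local` domains under a Kind cluster) could change behaviour, but nothing in this hunk shows whether the test job uses Kind; treat the bump as behaviour-neutral unless later steps in this file do. The unchanged `egress-policy: audit` TODO applies here as well, and the allow-list a test job needs (package registry, source fetches) will differ from the release job's, so derive it from this workflow's own audit output rather than reusing one list across all five files.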

