Add harden-runner to all workflows. #208

Merged: simonmarty merged 1 commit into aws:main from simonmarty:harden-runner on May 27, 2026

Conversation

@simonmarty (Contributor) commented May 21, 2026

Description

Why is this change being made?

  1. We are adding an egress blocklist to all GitHub Actions workflows. First, we need to collect egress data to establish a baseline.
  2. CodeQL analysis is now built into a GitHub repo; there's no need to have a workflow definition in GH Actions for it.

What is changing?

  1. Audited the step-security/harden-runner changes since our last usage in our repos (step-security/harden-runner@v2.16.0...v2.19.4) for changes to our use cases only (auditing and block list), with a quick skim over other components in the diff.
  2. Removed the CodeQL workflow since it's superfluous.
  3. Added a step-security/harden-runner step to all of our workflows in audit mode to collect a baseline.

Related Links

  • Issue #, if available:

Testing

How was this tested?

  1. No testing; these are GH Action workflow changes.

When testing locally, provide testing artifact(s):


Reviewee Checklist

Update the checklist after submitting the PR

  • I have reviewed, tested and understand all changes
    If not, why:
  • I have filled out the Description and Testing sections above
    If not, why:
  • Build and Unit tests are passing
    If not, why:
  • Unit test coverage check is passing
    If not, why:
  • Integration tests pass locally
    If not, why:
  • I have updated integration tests (if needed)
    If not, why: Not needed
  • I have ensured no sensitive information is leaking (i.e., no logging of sensitive fields, or otherwise)
    If not, why:
  • I have added explanatory comments for complex logic, new classes/methods and new tests
    If not, why: Not needed
  • I have updated README/documentation (if needed)
    If not, why: Not needed
  • I have clearly called out breaking changes (if any)
    If not, why: No breaking changes.

Reviewer Checklist

All reviewers please ensure the following are true before reviewing:

  • Reviewee checklist has been accurately filled out
  • Code changes align with stated purpose in description
  • Test coverage adequately validates the changes

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
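The PR's diff is not shown on this page, so the following workflow fragment is an added illustration, not the project's own code, of what the audit-mode step described above looks like and of the block-mode step the description says it is leading towards. The action inputs egress-policy, allowed-endpoints and disable-sudo are harden-runner's documented inputs; the workflow name, job names, build command and endpoint list are constructed placeholders, and the commit SHA for the tag is left as a placeholder rather than invented. Note that harden-runner's block mode is expressed as an allowlist: any connection to an endpoint not listed is denied.

```yaml
# Added example (not from the PR): one job in audit mode, as the PR adds,
# and the same job in block mode, the later step the description points to.
# Job names, the build command and the endpoint list are constructed.
name: build

on: [push, pull_request]

permissions:
  contents: read

jobs:
  # Phase 1: audit. harden-runner must be the FIRST step of the job so it
  # observes egress from checkout, dependency installs and the build itself.
  build-audit:
    runs-on: ubuntu-latest
    steps:
      # Prefer pinning to the tag's commit SHA, e.g. @<sha-of-v2.19.4>
      - uses: step-security/harden-runner@v2.19.4
        with:
          egress-policy: audit      # log outbound connections, block nothing
      - uses: actions/checkout@v4
      - run: make build             # constructed placeholder build step

  # Phase 2: block. Only endpoints on the allowlist are reachable; anything
  # else is denied and reported. Populate the list from the audit baseline.
  build-block:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.19.4
        with:
          egress-policy: block
          disable-sudo: true        # optional, once the build is known not to need root
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      - run: make build
```

Because harden-runner instruments the runner for the job it runs in, every job in every workflow needs its own step, which is why the PR touches all workflows rather than one. Audit mode records the endpoints each job actually contacted, and that record is what the block-mode allowed-endpoints list should be built from; a list written by hand tends to be either too broad to be useful or so narrow that builds break.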

@simonmarty simonmarty requested a review from a team as a code owner May 21, 2026 21:34
@simonmarty simonmarty added the safe-to-test Maintainer approval to run integration tests for external contributor PRs. label May 21, 2026
@github-actions github-actions Bot removed the safe-to-test Maintainer approval to run integration tests for external contributor PRs. label May 21, 2026

@madsid madsid left a comment


LGTM!

@simonmarty simonmarty enabled auto-merge (squash) May 22, 2026 00:05
@simonmarty simonmarty disabled auto-merge May 22, 2026 00:07
@simonmarty simonmarty requested a review from lohdipak May 27, 2026 22:06
@simonmarty simonmarty enabled auto-merge (squash) May 27, 2026 22:53
@simonmarty simonmarty disabled auto-merge May 27, 2026 22:53
@simonmarty simonmarty merged commit c8b4c07 into aws:main May 27, 2026
1 check passed
@simonmarty simonmarty deleted the harden-runner branch May 27, 2026 22:53

3 participants