From d5bf06fc48bf364ec06ab9f14ebfbdfc5c144bef Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 20 Apr 2026 08:35:38 +0000 Subject: [PATCH 1/4] chore(deps): update github-actions --- .github/workflows/ci.yml | 20 ++++++++++---------- .github/workflows/lint.yml | 12 ++++++------ .github/workflows/pages.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/scheduled-release.yml | 4 ++-- .github/workflows/security.yml | 12 ++++++------ .github/workflows/update-vendor-hash.yml | 4 ++-- 7 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4ce495de..8ac5a1a0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: ci: ${{ steps.detect.outputs.ci }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -72,7 +72,7 @@ jobs: - windows-11-arm steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -212,7 +212,7 @@ jobs: --health-retries 5 steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -254,7 +254,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -288,7 +288,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -321,7 +321,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -352,7 +352,7 @@ jobs: runs-on: blacksmith-2vcpu-ubuntu-2404 steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -368,7 +368,7 @@ jobs: fetch-depth: 0 persist-credentials: false - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: lts/* @@ -388,7 +388,7 @@ jobs: build_tags: ["", "selfhosted"] steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -426,7 +426,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: block disable-telemetry: true diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 39ec2855..596f5f71 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -21,7 +21,7 @@ jobs: ci: ${{ steps.detect.outputs.ci }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -61,7 +61,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -106,7 +106,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -143,7 +143,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -180,7 +180,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -211,7 +211,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: block disable-telemetry: true diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index a85f2f9f..ef101936 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -31,7 +31,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c1518240..e7b3e48f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,7 +32,7 @@ jobs: packages: write steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: audit diff --git a/.github/workflows/scheduled-release.yml b/.github/workflows/scheduled-release.yml index dbe0b3e7..ce8a5232 100644 --- a/.github/workflows/scheduled-release.yml +++ b/.github/workflows/scheduled-release.yml 
@@ -24,7 +24,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: audit @@ -71,7 +71,7 @@ jobs: map("::error::\(.name) is \(.conclusion // "none"), expected success") | .[] | halt_error(1) else true end' - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: lts/* diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 5a8298c4..e654670c 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -21,7 +21,7 @@ jobs: ci: ${{ steps.detect.outputs.ci }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -59,7 +59,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -94,7 +94,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block 
@@ -133,7 +133,7 @@ jobs: cancel-in-progress: ${{ github.event_name == 'pull_request' }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -167,7 +167,7 @@ jobs: CGO_ENABLED: "0" steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -207,7 +207,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: block disable-telemetry: true diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml index 472c1792..b988826d 100644 --- a/.github/workflows/update-vendor-hash.yml +++ b/.github/workflows/update-vendor-hash.yml @@ -22,7 +22,7 @@ jobs: needed: ${{ steps.check.outputs.needed }} steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block @@ -60,7 +60,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: deploy-on-self-hosted-vm: true egress-policy: block From c873d82df67f6bba142c80921c1423be2b3d9ffd Mon Sep 17 00:00:00 2001 
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com> Date: Mon, 20 Apr 2026 07:33:32 -0400 Subject: [PATCH 2/4] ci: expand harden-runner allowed-endpoints for v2.19.0 enforcement harden-runner v2.19.0 enforces egress policy on Blacksmith runners, unmasking domains that v2.18.0 silently allowed through. - Build & Test: add us-west-2.ec2.archive.ubuntu.com and security.ubuntu.com for apt-get install - Docker Build: add Cloudflare R2 buckets Docker Hub now serves image layers from - NilAway: add go.dev and release-assets.githubusercontent.com for setup-go version resolution --- .github/workflows/ci.yml | 4 ++++ .github/workflows/lint.yml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8ac5a1a0..bfed3a82 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -87,7 +87,9 @@ jobs: ports.ubuntu.com:80 proxy.golang.org:443 release-assets.githubusercontent.com:443 + security.ubuntu.com:80 storage.googleapis.com:443 + us-west-2.ec2.archive.ubuntu.com:80 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: @@ -394,8 +396,10 @@ jobs: egress-policy: block disable-telemetry: true allowed-endpoints: > + 1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com:443 api.github.com:443 auth.docker.io:443 + docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443 github.com:443 gcr.io:443 production.cloudflare.docker.com:443 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 596f5f71..4be8c67a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -189,7 +189,9 @@ jobs: allowed-endpoints: > api.github.com:443 github.com:443 + go.dev:443 proxy.golang.org:443 + release-assets.githubusercontent.com:443 storage.googleapis.com:443 sum.golang.org:443 From 8096258122bbcff845fca587b82aa1513feee7da Mon Sep 17 00:00:00 2001 
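Review bot: The two apt mirrors added to the Build & Test allowlist (`security.ubuntu.com:80` and `us-west-2.ec2.archive.ubuntu.com:80`) carry no explanation in the workflow itself, and the regional EC2 mirror name is tied to whatever the runner's apt sources resolve to, so a runner-region change will surface as a blocked-egress failure that nobody can trace back to this entry. Since a `#` line inside the `>` folded scalar becomes an endpoint entry rather than a comment, the explanation has to sit above the `allowed-endpoints:` key, e.g. `# apt mirrors for the apt-get install step; the us-west-2 EC2 mirror follows the runner's apt sources (presumably the Blacksmith runner region) and must be updated if that changes`. Plaintext :80 matches the existing `ports.ubuntu.com:80` entry and is acceptable only because apt verifies repository signatures itself; saying so in the same comment stops a later "hardening" pass from switching or dropping these. The enclosing job definition starts before the hunk.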
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com> Date: Mon, 20 Apr 2026 07:44:25 -0400 Subject: [PATCH 3/4] ci: use wildcard for Cloudflare R2 in Docker Build allowlist The specific R2 bucket hashes Docker Hub serves layers from are opaque and can change. StepSecurity supports wildcards in allowed- endpoints; collapse the two bucket entries into `*.r2.cloudflarestorage.com:443`. --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bfed3a82..3844507f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -396,10 +396,8 @@ jobs: egress-policy: block disable-telemetry: true allowed-endpoints: > - 1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com:443 api.github.com:443 auth.docker.io:443 - docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443 github.com:443 gcr.io:443 production.cloudflare.docker.com:443 @@ -407,6 +405,7 @@ jobs: registry-1.docker.io:443 storage.googleapis.com:443 sum.golang.org:443 + *.r2.cloudflarestorage.com:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: From 1a81afcb35ee024d4044dc1662af0225dbc0d25f Mon Sep 17 00:00:00 2001 From: Phillip Cloud <417981+cpcloud@users.noreply.github.com> Date: Mon, 20 Apr 2026 07:53:00 -0400 Subject: [PATCH 4/4] ci: pin Docker Hub R2 buckets instead of wildcarding Cloudflare *.r2.cloudflarestorage.com allows egress to any Cloudflare R2 customer's bucket. Pin the two Docker Hub buckets explicitly so the allowlist only covers Docker Inc's account. --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3844507f..43208451 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -395,9 +395,15 @@ jobs: deploy-on-self-hosted-vm: true egress-policy: block disable-telemetry: true + # The two r2.cloudflarestorage.com entries are Docker Hub's + # R2 buckets (layers and images). The hashed subdomains are + # Docker Inc's Cloudflare account IDs -- stable per-account + # but not self-describing; update if Docker Hub reshards. allowed-endpoints: > + 1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com:443 api.github.com:443 auth.docker.io:443 + docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443 github.com:443 gcr.io:443 production.cloudflare.docker.com:443 @@ -405,7 +411,6 @@ jobs: registry-1.docker.io:443 storage.googleapis.com:443 sum.golang.org:443 - *.r2.cloudflarestorage.com:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with:
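Review bot: The new four-line comment sits above the `allowed-endpoints:` key, which is the only valid place for it — inside the `>` folded scalar a `#` line is scalar content and would be handed to harden-runner as an endpoint — but the comment does not record that constraint, and the obvious later edit is to move the note next to the two bucket entries. Add one line to it: `# (Keep this above the key: '#' lines inside the folded block are data, not comments.)`. The statement that the hashed subdomains are Docker Inc's Cloudflare account IDs is taken from the commit message rather than anything verifiable in-repo; phrasing it as `believed to be` and noting where they were observed (the blocked-egress output of the earlier run, if that is the source) keeps the comment honest when the buckets change. With `egress-policy: block` a reshard fails closed, which is the right direction for a build job; the enclosing job starts before the hunk.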