chore(deps): update step-security/harden-runner action to v2.12.1#800

Merged

sjinks merged 1 commit into

renovate/step-security-harden-runner-2.x

Jun 15, 2025

Contributor

renovate Bot commented Apr 1, 2025 •

edited

Loading

This PR contains the following updates:

Package	Type	Update	Change
step-security/harden-runner	action	minor	`v2.11.0` -> `v2.12.1`

Release Notes

step-security/harden-runner (step-security/harden-runner)

`v2.12.1`

What's Changed

Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

`v2.12.0`

What's Changed

A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.
New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

`v2.11.1`

What's Changed

cache: add support for GitHub Actions cache v2 by @h0x0er in https://github.com/step-security/harden-runner/pull/529

Full Changelog: step-security/harden-runner@v2...v2.11.1

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot added dependencies github-actions labels

github-actions Bot commented Apr 1, 2025 •

edited

Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

actions/step-security/harden-runner

002fdce3c6a235733a90a27c80493a3241e56863

🟢 8.6

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 10	7 out of 7 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 10	all changesets reviewed
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
SAST	🟢 9	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 9	1 existing vulnerabilities detected

actions/step-security/harden-runner

002fdce3c6a235733a90a27c80493a3241e56863

🟢 8.6

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 10	7 out of 7 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 10	all changesets reviewed
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
SAST	🟢 9	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 9	1 existing vulnerabilities detected

actions/step-security/harden-runner

002fdce3c6a235733a90a27c80493a3241e56863

🟢 8.6

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 10	7 out of 7 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 10	all changesets reviewed
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
SAST	🟢 9	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 9	1 existing vulnerabilities detected

actions/step-security/harden-runner

002fdce3c6a235733a90a27c80493a3241e56863

🟢 8.6

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 10	7 out of 7 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 10	all changesets reviewed
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
SAST	🟢 9	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 9	1 existing vulnerabilities detected

actions/step-security/harden-runner

002fdce3c6a235733a90a27c80493a3241e56863

🟢 8.6

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 10	7 out of 7 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 10	all changesets reviewed
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
SAST	🟢 9	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 9	1 existing vulnerabilities detected

actions/step-security/harden-runner

002fdce3c6a235733a90a27c80493a3241e56863

🟢 8.6

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 10	7 out of 7 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 10	all changesets reviewed
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
SAST	🟢 9	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 9	1 existing vulnerabilities detected

Scanned Files

.github/workflows/audit-signatures.yml
.github/workflows/ci-integration.yml
.github/workflows/ci.yml
.github/workflows/codeql-analysis.yml
.github/workflows/dependency-review.yml
.github/workflows/package-audit.yml

renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 14cc3b4 to 91b418a Compare

April 21, 2025 19:28

renovate Bot changed the title ~~chore(deps): update step-security/harden-runner action to v2.11.1~~ chore(deps): update step-security/harden-runner action to v2.12.0

sonarqubecloud Bot commented Apr 21, 2025

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

renovate Bot changed the title ~~chore(deps): update step-security/harden-runner action to v2.12.0~~ chore(deps): update step-security/harden-runner action to v2.12.1

renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 91b418a to 4f8015b Compare

June 11, 2025 19:05

sjinks force-pushed the renovate/step-security-harden-runner-2.x branch 2 times, most recently from 6c0c41c to 04e1aa1 Compare

June 15, 2025 19:44


          chore(deps): update step-security/harden-runner action to v2.12.1

4d9577d

sjinks force-pushed the renovate/step-security-harden-runner-2.x branch from 04e1aa1 to 4d9577d Compare

June 15, 2025 19:54

sonarqubecloud Bot commented Jun 15, 2025

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sjinks merged commit 3b83f11 into master

12 checks passed

sjinks deleted the renovate/step-security-harden-runner-2.x branch

June 15, 2025 19:56

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies github-actions