Skip to content

ci: add harden-runner to all GitHub Actions workflows#755

Merged
dangrondahl merged 1 commit intomainfrom
harden_runner
Apr 1, 2026
Merged

ci: add harden-runner to all GitHub Actions workflows#755
dangrondahl merged 1 commit intomainfrom
harden_runner

Conversation

@dangrondahl
Copy link
Copy Markdown
Contributor

@dangrondahl dangrondahl commented Apr 1, 2026

Summary

  • Add step-security/harden-runner v2.16.1 as the first step in every job across all 14 workflow files
  • Pinned to SHA fe104658747b27e96e4f7e80cd0a94068e53901d
  • Configured with egress-policy: audit to monitor outbound traffic without blocking
  • Improves CI/CD supply chain security posture

@dangrondahl
ci: add harden-runner to all GitHub Actions workflows
ef14537 
Add step-security/harden-runner v2.16.1 as the first step in every job
across all 14 workflow files to improve supply chain security.
@meekrosoft
Copy link
Copy Markdown
Contributor

meekrosoft commented Apr 1, 2026

Is there a way to log these egress activities to Kosli?

@dangrondahl
Copy link
Copy Markdown
Contributor Author

dangrondahl commented Apr 1, 2026

Is there a way to log these egress activities to Kosli?

Good question. You mean as part of an attestation?

@dangrondahl
Copy link
Copy Markdown
Contributor Author

dangrondahl commented Apr 1, 2026

Is there a way to log these egress activities to Kosli?

Good question. You mean as part of an attestation?

@meekrosoft
harden-runner can block egress and only allow endpoints on the allow-list. So the current audit mode is set as learning the baseline.
It doesn't offer an output, like a SARIF report, so the only way is to attach the link to the dashboard, e.g. as part of a generic attestation.
I don't know what's possible through their API.

@dangrondahl
Copy link
Copy Markdown
Contributor Author

dangrondahl commented Apr 1, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.

@dangrondahl dangrondahl enabled auto-merge (squash) April 1, 2026 09:15
mbevc1
mbevc1 approved these changes Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mbevc1 mbevc1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒

@dangrondahl dangrondahl merged commit 1625f55 into main Apr 1, 2026
31 of 33 checks passed
@dangrondahl dangrondahl deleted the harden_runner branch April 1, 2026 09:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mbevc1 mbevc1 mbevc1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dangrondahl @meekrosoft @mbevc1