feat(#28): add harden-runner in audit mode to all CI jobs#39
Open
ms280690 wants to merge 4 commits into
Open
Conversation
Add step-security/harden-runner@9af89fc7 (v2.19.4) as the first step in every CI job. Runs in egress-policy: audit — logs all outbound network traffic without blocking. Provides the baseline dataset needed to build an explicit allowlist before switching to enforce mode. Jobs instrumented: actionlint, zizmor, scorecard, dependency-review, terramate-opentofu-setup, storage-optimizer. docs/approved-actions.md: - Add step-security/harden-runner to approved actions table. - Add step-security/* to org allowlist patterns. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: ms280690 <mehul@sparkgeo.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces StepSecurity runner hardening across the repository’s CI workflows in audit mode to capture outbound egress telemetry (as groundwork for a later enforce-mode allowlist), and updates the repo’s documentation/allowlist guidance accordingly.
Changes:
- Adds
step-security/harden-runner@9af89fc7…as the first step in all CI jobs withegress-policy: audit. - Updates the approved-actions registry to include
step-security/harden-runner, expands org allowlist patterns to includestep-security/*, and documents telemetry/data-handling implications. - Extends the README with example “consuming repo CI” setups for public vs private repos.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
.github/workflows/ci.yml |
Adds harden-runner audit step to each CI job. |
docs/approved-actions.md |
Approves harden-runner, updates allowlist patterns, and documents telemetry/data handling. |
README.md |
Documents recommended CI setup patterns for consuming repos (public vs private). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+154
to
+157
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | ||
| with: { egress-policy: audit } | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+164
to
+167
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | ||
| with: { egress-policy: audit } | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+175
to
+178
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | ||
| with: { egress-policy: audit } | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+186
to
+189
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | ||
| with: { egress-policy: audit } | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+211
to
+212
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+220
to
+221
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+231
to
+232
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+211
to
+212
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+220
to
+221
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Comment on lines
+231
to
+232
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: { persist-credentials: false } |
Signed-off-by: ms280690 <mehul@sparkgeo.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
step-security/harden-runner@9af89fc7(v2.19.4) as the first step in all 6 CI jobs (actionlint,zizmor,scorecard,dependency-review,terramate-opentofu-setup,storage-optimizer).egress-policy: audit— logs all outbound network calls, blocks nothing. This builds the baseline domain allowlist needed before switching toenforcemode (phase 2).step-security/harden-runnertodocs/approved-actions.mdandstep-security/*to the org allowlist patterns.Why audit mode first
Switching directly to
enforcewith an incomplete allowlist would break legitimate traffic (package registries, scanner update feeds, cloud APIs). Audit mode runs silently for 2–4 weeks, surfacing all real domains. Once the list is stable, a follow-up PR switches toenforcewith an explicitallowed-endpointsblock.Test plan
Closes #28
Data from sample run on this branch: https://app.stepsecurity.io/github/sparkgeo/github-actions/actions/runs/26779096208
🤖 Generated with Claude Code