ci(security): add harden-runner (egress audit) to every job#274
Merged
Conversation
AGENTS.md requires step-security/harden-runner as the first step of every job (egress-policy: audit), but only publish-app.yaml had it. Reconcile the doc-vs-reality drift by adding the canonical hardened step to all 21 remaining jobs that run steps, across 13 workflows. Audit mode is non-blocking — it only records egress for visibility — so this is backward-compatible with no behavior change. Reusable-workflow caller jobs (uses:) are intentionally skipped: harden-runner lives in the called workflow. Also covers .sync-labels.yaml's sync job, which the original audit in #267 missed (it counted only the 14 non-dotfile workflows; template-sync.yaml has since been removed). Fixes #267 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aligns the repository’s workflow implementation with AGENTS.md rule 3 by adding step-security/harden-runner (with egress-policy: audit) as the first step in every job that executes steps across the affected workflows.
Changes:
- Add
step-security/harden-runner(pinned SHA, audit mode) as the first step to step-running jobs across the repository workflows. - Extend the same hardening step to internal maintenance workflows where jobs run steps (e.g.
.sync-labels.yaml). - Keep behavior non-blocking by using
egress-policy: auditconsistently.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/validate-go-project.yaml | Adds harden-runner as the first step to all step-running jobs in the Go validation workflow. |
| .github/workflows/update-agent-skills.yaml | Adds harden-runner as the first step in the skill update job. |
| .github/workflows/sync-cluster-policies.yaml | Adds harden-runner before token generation/checkout in the sync job. |
| .github/workflows/scan-for-workflow-vulnerabilities.yaml | Adds harden-runner as the first step in the zizmor scan job. |
| .github/workflows/scan-for-todo-comments.yaml | Adds harden-runner as the first step in the TODO scanning job. |
| .github/workflows/run-dotnet-tests.yaml | Adds harden-runner as the first step in the .NET test job. |
| .github/workflows/publish-dotnet-library.yaml | Adds harden-runner as the first step in the publish job. |
| .github/workflows/enable-auto-merge.yaml | Adds harden-runner as the first step in the auto-merge job. |
| .github/workflows/deploy-github-pages.yaml | Adds harden-runner as the first step in both build and deploy jobs. |
| .github/workflows/delete-workflow-runs.yaml | Adds harden-runner as the first step in the cleanup job. |
| .github/workflows/create-release.yaml | Adds harden-runner as the first step in the release job. |
| .github/workflows/ci.yaml | Adds harden-runner to the step-running ci-required-checks aggregation job. |
| .github/workflows/.sync-labels.yaml | Adds harden-runner as the first step in the internal label sync job. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
🎉 This PR is included in version 5.4.2 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #267 — Option A (apply the rule, harden the library).
What
AGENTS.md(Reusable Workflow Conventions, rule 3) requiresstep-security/harden-runneras the first step of every job withegress-policy: audit, but onlypublish-app.yamlactually had it (1 of 14 at audit time). This reconciles the doc-vs-reality drift by adding the canonical hardened step to all 21 remaining jobs that run steps, across 13 workflows.Why Option A
Per the issue, both options close the gap; I took A (the issue's own lean) because it's the most defensible read of the current
AGENTS.mdwording, is low-risk and backward-compatible (audit mode only records egress — it never blocks), and gives every consumer egress telemetry. NoAGENTS.mdchange is needed — the rule already says this; reality now matches it.Scope notes
uses:-style caller jobs (e.g. all thetest-*jobs inci.yaml, thereleasejob in.create-release.yaml) can't carry steps — harden-runner lives inside the called workflow, so those are correctly untouched..sync-labels.yamlis included even though the original audit table omitted it — itssyncjob runs steps and was missing the rule. (template-sync.yamlfrom the audit table has since been removed upstream, so it's no longer in scope.)publish-app.yaml:step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4.Validation
actionlintclean on the change — the only findings are pre-existingcode-qualitypermission-scope warnings (from the Code Quality coverage migration; actionlint's version doesn't yet know that real GitHub scope) and are present onmainunchanged.Acceptance criteria (from #267)
AGENTS.mdand the workflows agree — every step-running job now has harden-runner (Option A).actionlint-clean; one focused PR; no behavior change (audit mode).