Commit 777c8c7

chore(deps): update github-actions (#959)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | minor | `v6.3.0` → `v6.4.0` |
| [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | minor | `v2.18.0` → `v2.19.0` |

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v6.4.0`](https://redirect.github.com/actions/setup-node/compare/v6.3.0...v6.4.0)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v6.3.0...v6.4.0)

</details>

<details>
<summary>step-security/harden-runner (step-security/harden-runner)</summary>

### [`v2.19.0`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.19.0)

[Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.18.0...v2.19.0)

##### What's Changed

##### New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

##### Automated Incident Response for Supply Chain Attacks

- Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
- System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

##### Bug Fixes

Windows and macOS: stability and reliability fixes

**Full Changelog**: <step-security/harden-runner@v2.18.0...v2.19.0>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/micasa-dev/micasa).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
1 parent 4291d12 commit 777c8c7

7 files changed

Lines changed: 38 additions & 28 deletions

.github/workflows/ci.yml

Lines changed: 18 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ jobs:
2525
ci: ${{ steps.detect.outputs.ci }}
2626
steps:
2727
- name: Harden Runner
28-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
28+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
2929
with:
3030
deploy-on-self-hosted-vm: true
3131
egress-policy: block
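Review bot: The `# v2.19.0` comment on the new `uses:` line at line 28 is not checked by anything, so the pin is only as trustworthy as the SHA itself. Before merging, confirm that 8d3c67de8e2fe68ef647c8db1e6a09f647780f40 is the commit the v2.19.0 tag resolves to in step-security/harden-runner; the same SHA is repeated in every Harden Runner step this commit touches, so one check covers them all. The release notes quoted in the PR body also describe new enforcement behaviour in v2.19.0 (global block list, lockdown mode), so each job type should have a passing run on this SHA before the merge.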
@@ -72,7 +72,7 @@ jobs:
7272
- windows-11-arm
7373
steps:
7474
- name: Harden Runner
75-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
75+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
7676
with:
7777
deploy-on-self-hosted-vm: true
7878
egress-policy: block
@@ -87,7 +87,9 @@ jobs:
8787
ports.ubuntu.com:80
8888
proxy.golang.org:443
8989
release-assets.githubusercontent.com:443
90+
security.ubuntu.com:80
9091
storage.googleapis.com:443
92+
us-west-2.ec2.archive.ubuntu.com:80
9193
9294
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
9395
with:
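Review bot: The endpoints added at lines 90 and 92 widen this job's egress allowlist inside a commit titled as a dependency update, and nothing in the hunk says which step needs them. `us-west-2.ec2.archive.ubuntu.com:80` is a region-specific mirror name, so the entry will stop matching if the runner resolves a mirror in another region and the job will then fail under `egress-policy: block`. Both additions are port 80, which is acceptable for apt because it verifies signed repository metadata, but that reasoning should be written down. Suggest a short comment above the two entries naming the package-install step that requires them, in the style of the R2 comment added later in this file.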
@@ -212,7 +214,7 @@ jobs:
212214
--health-retries 5
213215
steps:
214216
- name: Harden Runner
215-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
217+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
216218
with:
217219
deploy-on-self-hosted-vm: true
218220
egress-policy: block
@@ -254,7 +256,7 @@ jobs:
254256
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
255257
steps:
256258
- name: Harden Runner
257-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
259+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
258260
with:
259261
deploy-on-self-hosted-vm: true
260262
egress-policy: block
@@ -288,7 +290,7 @@ jobs:
288290
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
289291
steps:
290292
- name: Harden Runner
291-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
293+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
292294
with:
293295
deploy-on-self-hosted-vm: true
294296
egress-policy: block
@@ -321,7 +323,7 @@ jobs:
321323
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
322324
steps:
323325
- name: Harden Runner
324-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
326+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
325327
with:
326328
deploy-on-self-hosted-vm: true
327329
egress-policy: block
@@ -352,7 +354,7 @@ jobs:
352354
runs-on: blacksmith-2vcpu-ubuntu-2404
353355
steps:
354356
- name: Harden Runner
355-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
357+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
356358
with:
357359
deploy-on-self-hosted-vm: true
358360
egress-policy: block
@@ -368,7 +370,7 @@ jobs:
368370
fetch-depth: 0
369371
persist-credentials: false
370372

371-
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
373+
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
372374
with:
373375
node-version: lts/*
374376

@@ -388,14 +390,20 @@ jobs:
388390
build_tags: ["", "selfhosted"]
389391
steps:
390392
- name: Harden Runner
391-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
393+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
392394
with:
393395
deploy-on-self-hosted-vm: true
394396
egress-policy: block
395397
disable-telemetry: true
398+
# The two r2.cloudflarestorage.com entries are Docker Hub's
399+
# R2 buckets (layers and images). The hashed subdomains are
400+
# Docker Inc's Cloudflare account IDs -- stable per-account
401+
# but not self-describing; update if Docker Hub reshards.
396402
allowed-endpoints: >
403+
1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com:443
397404
api.github.com:443
398405
auth.docker.io:443
406+
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
399407
github.com:443
400408
gcr.io:443
401409
production.cloudflare.docker.com:443
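Review bot: The comment at lines 398 to 401 calls both new hosts buckets, but only `docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com` carries a bucket label; `1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com` at line 403 is a bare account-level host, so that entry permits traffic to anything served from that account host rather than to one named bucket. The attribution of both account IDs to Docker Inc cannot be checked from the diff. Suggest rewording the comment to distinguish the two forms and recording how the hosts were identified (for example the blocked-connection report from the failing run), so that a later reviewer can repeat the check when Docker Hub reshards.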
@@ -426,7 +434,7 @@ jobs:
426434
runs-on: ubuntu-latest
427435
steps:
428436
- name: Harden Runner
429-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
437+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
430438
with:
431439
egress-policy: block
432440
disable-telemetry: true

.github/workflows/lint.yml

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ jobs:
2121
ci: ${{ steps.detect.outputs.ci }}
2222
steps:
2323
- name: Harden Runner
24-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
24+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
2525
with:
2626
deploy-on-self-hosted-vm: true
2727
egress-policy: block
@@ -61,7 +61,7 @@ jobs:
6161
CGO_ENABLED: "0"
6262
steps:
6363
- name: Harden Runner
64-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
64+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
6565
with:
6666
deploy-on-self-hosted-vm: true
6767
egress-policy: block
@@ -106,7 +106,7 @@ jobs:
106106
CGO_ENABLED: "0"
107107
steps:
108108
- name: Harden Runner
109-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
109+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
110110
with:
111111
deploy-on-self-hosted-vm: true
112112
egress-policy: block
@@ -143,7 +143,7 @@ jobs:
143143
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
144144
steps:
145145
- name: Harden Runner
146-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
146+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
147147
with:
148148
deploy-on-self-hosted-vm: true
149149
egress-policy: block
@@ -180,7 +180,7 @@ jobs:
180180
CGO_ENABLED: "0"
181181
steps:
182182
- name: Harden Runner
183-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
183+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
184184
with:
185185
deploy-on-self-hosted-vm: true
186186
egress-policy: block
@@ -189,7 +189,9 @@ jobs:
189189
allowed-endpoints: >
190190
api.github.com:443
191191
github.com:443
192+
go.dev:443
192193
proxy.golang.org:443
194+
release-assets.githubusercontent.com:443
193195
storage.googleapis.com:443
194196
sum.golang.org:443
195197
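Review bot: `go.dev:443` (line 192) and `release-assets.githubusercontent.com:443` (line 194) are new egress destinations for this job with no comment on which step requires them, unlike the R2 additions in ci.yml that are documented inline. Since they ride on a version-pin bump, a reader of the history cannot tell whether they were needed because of harden-runner v2.19.0 or because of an unrelated tool download. Suggest adding a one-line comment above `allowed-endpoints` naming the step, or moving allowlist changes to their own commit so the pin update stays a pure SHA change.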
@@ -211,7 +213,7 @@ jobs:
211213
runs-on: ubuntu-latest
212214
steps:
213215
- name: Harden Runner
214-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
216+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
215217
with:
216218
egress-policy: block
217219
disable-telemetry: true

.github/workflows/pages.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ jobs:
3131
url: ${{ steps.deployment.outputs.page_url }}
3232
steps:
3333
- name: Harden Runner
34-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
34+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
3535
with:
3636
deploy-on-self-hosted-vm: true
3737
egress-policy: block

.github/workflows/release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ jobs:
3232
packages: write
3333
steps:
3434
- name: Harden Runner
35-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
35+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
3636
with:
3737
deploy-on-self-hosted-vm: true
3838
egress-policy: audit
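Review bot: The job in this hunk holds `packages: write` (line 32), yet the context at line 38 still reads `egress-policy: audit`, while the CI, lint and security jobs updated in the same commit run with `block`. Per the release notes in the PR body, v2.19.0 blocks only global block-list destinations in audit mode, so every other outbound connection from this publishing job remains permitted. This commit does not change that line, but the upgrade is a natural point to collect the endpoints this job actually uses and move it to `egress-policy: block` with an explicit `allowed-endpoints` list.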

.github/workflows/scheduled-release.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ jobs:
2424
contents: write
2525
steps:
2626
- name: Harden Runner
27-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
27+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
2828
with:
2929
deploy-on-self-hosted-vm: true
3030
egress-policy: audit
@@ -71,7 +71,7 @@ jobs:
7171
map("::error::\(.name) is \(.conclusion // "none"), expected success") | .[] | halt_error(1)
7272
else true end'
7373
74-
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
74+
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
7575
with:
7676
node-version: lts/*
7777
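Review bot: The PR body gives no release notes for actions/setup-node v6.4.0, only a compare link, so the change at line 74 is being accepted without a stated changelog. Read the v6.3.0...v6.4.0 comparison before merging, and confirm that 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e is the commit the v6.4.0 tag points to, since the trailing `# v6.4.0` comment is informational only.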

.github/workflows/security.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ jobs:
2121
ci: ${{ steps.detect.outputs.ci }}
2222
steps:
2323
- name: Harden Runner
24-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
24+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
2525
with:
2626
deploy-on-self-hosted-vm: true
2727
egress-policy: block
@@ -59,7 +59,7 @@ jobs:
5959
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
6060
steps:
6161
- name: Harden Runner
62-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
62+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
6363
with:
6464
deploy-on-self-hosted-vm: true
6565
egress-policy: block
@@ -94,7 +94,7 @@ jobs:
9494
CGO_ENABLED: "0"
9595
steps:
9696
- name: Harden Runner
97-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
97+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
9898
with:
9999
deploy-on-self-hosted-vm: true
100100
egress-policy: block
@@ -133,7 +133,7 @@ jobs:
133133
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
134134
steps:
135135
- name: Harden Runner
136-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
136+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
137137
with:
138138
deploy-on-self-hosted-vm: true
139139
egress-policy: block
@@ -167,7 +167,7 @@ jobs:
167167
CGO_ENABLED: "0"
168168
steps:
169169
- name: Harden Runner
170-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
170+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
171171
with:
172172
deploy-on-self-hosted-vm: true
173173
egress-policy: block
@@ -207,7 +207,7 @@ jobs:
207207
runs-on: ubuntu-latest
208208
steps:
209209
- name: Harden Runner
210-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
210+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
211211
with:
212212
egress-policy: block
213213
disable-telemetry: true

.github/workflows/update-vendor-hash.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ jobs:
2222
needed: ${{ steps.check.outputs.needed }}
2323
steps:
2424
- name: Harden Runner
25-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
25+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
2626
with:
2727
deploy-on-self-hosted-vm: true
2828
egress-policy: block
@@ -60,7 +60,7 @@ jobs:
6060
contents: write
6161
steps:
6262
- name: Harden Runner
63-
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
63+
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
6464
with:
6565
deploy-on-self-hosted-vm: true
6666
egress-policy: block
