Skip to content

chore(deps-dev): update step-security/harden-runner action to v2.19.4#442

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/step-security-harden-runner-2.x
Open

chore(deps-dev): update step-security/harden-runner action to v2.19.4#442
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/step-security-harden-runner-2.x

Conversation

@renovate

@renovate renovate Bot commented Feb 28, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change Pending
step-security/harden-runner action minor v2.14.2v2.19.4 v2.20.0
step-security/harden-runner action minor v2.16.0v2.19.4 v2.20.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed
  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

Compare Source

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed
  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

Compare Source

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

Compare Source

What's Changed
New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks
  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).
Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

Compare Source

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

Compare Source

What's Changed
Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

Compare Source

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

Compare Source

What's Changed
  • Updated action.yml to use node24
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

Compare Source

What's Changed
  • Fixes #​642 bug due to which post step was failing on Windows ARM runners
  • Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

v2.15.0

Compare Source

What's Changed
Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner February 28, 2026 01:30
@renovate renovate Bot enabled auto-merge (squash) February 28, 2026 01:30
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from ee36d29 to d7a6898 Compare March 9, 2026 01:03
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.15.0 chore(deps-dev): update step-security/harden-runner action to v2.15.1 Mar 9, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from d7a6898 to 7deab53 Compare March 19, 2026 09:52
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.15.1 chore(deps-dev): update step-security/harden-runner action to v2.16.0 Mar 19, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 7deab53 to 652fc9b Compare March 20, 2026 11:15
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 652fc9b to 215f22c Compare April 2, 2026 20:41
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.16.0 chore(deps-dev): update step-security/harden-runner action to v2.16.1 Apr 2, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 215f22c to 8767196 Compare April 12, 2026 10:07
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.16.1 chore(deps-dev): update step-security/harden-runner action to v2.17.0 Apr 12, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 8767196 to 4f1e56a Compare April 18, 2026 09:53
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.17.0 chore(deps-dev): update step-security/harden-runner action to v2.18.0 Apr 18, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 4f1e56a to 1904cf9 Compare April 30, 2026 03:35
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.18.0 chore(deps-dev): update step-security/harden-runner action to v2.19.0 Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 1904cf9 to f9bd35d Compare May 5, 2026 09:08
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.19.0 chore(deps-dev): update step-security/harden-runner action to v2.19.1 May 5, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from f9bd35d to 78092d5 Compare May 16, 2026 21:00
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.19.1 chore(deps-dev): update step-security/harden-runner action to v2.19.2 May 16, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 78092d5 to 158f8ff Compare May 18, 2026 00:28
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.19.2 chore(deps-dev): update step-security/harden-runner action to v2.19.3 May 18, 2026
@renovate renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 158f8ff to d9eec9b Compare May 24, 2026 17:15
@renovate renovate Bot changed the title chore(deps-dev): update step-security/harden-runner action to v2.19.3 chore(deps-dev): update step-security/harden-runner action to v2.19.4 May 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants