chore(stepsecurity): update workflows to use custom hosted runners with built-in StepSecurity (#48)

circle-ops-repo-updater · seanl-circle · web-flow · commit c2577fbddaea · 2025-12-18T14:34:06.000Z
## Summary
This PR updates GitHub Actions workflows to use custom hosted runners
that have StepSecurity built-in, removing the need for the explicit
StepSecurity harden-runner action.

## What Changed
- Removed step-security/harden-runner action steps (no longer needed as
StepSecurity is built into custom runners)
- Removed id-token: write permissions (no longer needed without the
StepSecurity action)
- Updated runs-on from ubuntu-latest to github-hosted-small (custom
runners with built-in StepSecurity)
- Converted non-circlefin action versions to commit SHAs with version
comments for security pinning (e.g., actions/checkout@abc123 # v3.6.0)
- circlefin GitHub actions remain unchanged

## Purpose
Our custom hosted runners (github-hosted-small) now have StepSecurity
built-in at the runner level, so we no longer need to add it as an
explicit step in each workflow. This simplifies our workflows while
maintaining the same security posture.

## Testing
- All workflow syntax changes have been validated
- No functional changes to workflow behavior
- StepSecurity protection is maintained via the custom runners
- Review the diff to ensure only intended changes occurred

Co-authored-by: Sean Liao &lt;sean.liao@circle.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,7 +27,7 @@ jobs:
     if: needs.conventional-commit-release.outputs.release_created == 'true'
     permissions:
       contents: write
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     env:
       GORELEASER_CURRENT_TAG: ${{ needs.conventional-commit-release.outputs.release_tag }}
     steps:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -13,10 +13,9 @@ permissions: {}
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     permissions:
       security-events: write
-      id-token: write
       contents: read
       actions: read
       checks: read
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     permissions:
       contents: read
       actions: read
@@ -55,7 +55,7 @@ jobs:
 
   trivy-scan:
     name: Trivy Scan
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     permissions:
       security-events: write
       actions: read
@@ -78,7 +78,7 @@ jobs:
         sarif_file: 'trivy-results.sarif'
 
   generate:
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     permissions:
       contents: read
     steps:
@@ -105,7 +105,7 @@ jobs:
   test:
     name: Terraform Provider Unit Tests
     needs: build
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     timeout-minutes: 5
     permissions:
       contents: read
@@ -125,7 +125,7 @@ jobs:
     if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
     name: Terraform Provider Acceptance Tests
     needs: build
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     timeout-minutes: 15
     strategy:
       fail-fast: false
@@ -165,7 +165,7 @@ jobs:
     - generate
     - test
     - acctest
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     permissions: {}
     steps:
     - run: exit 1
