Skip to content

chore(deps): bump step-security/harden-runner from 2.11.1 to 2.13.0#975

Merged
dependabot[bot] merged 1 commit into
mainfrom
dependabot/github_actions/main/step-security/harden-runner-2.13.0
Sep 10, 2025
Merged

chore(deps): bump step-security/harden-runner from 2.11.1 to 2.13.0#975
dependabot[bot] merged 1 commit into
mainfrom
dependabot/github_actions/main/step-security/harden-runner-2.13.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 21, 2025

Copy link
Copy Markdown
Contributor

Bumps step-security/harden-runner from 2.11.1 to 2.13.0.

Release notes

Sourced from step-security/harden-runner's releases.

v2.13.0

What's Changed

  • Improved job markdown summary
  • Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com Bug fixes:

  • Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
  • Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

What's Changed

  • Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
  • Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

v2.12.0

What's Changed

  1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

  2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.11.1 to 2.13.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@c6295a6...ec9f2d5)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jul 21, 2025
@dependabot dependabot Bot requested review from behnazh and jenstroeger as code owners July 21, 2025 09:51
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jul 21, 2025
@jenstroeger

Copy link
Copy Markdown
Owner

@dependabot squash and merge

@dependabot dependabot Bot merged commit 4bc4285 into main Sep 10, 2025
15 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/main/step-security/harden-runner-2.13.0 branch September 10, 2025 10:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant