Move step-security/harden-runner ahead of checkout and other executable steps so outbound network controls are active before third-party actions or checked-out code run. Pair that with persist-credentials=false, narrower permissions, and tighter allowlists to reduce the chance that a compromised dependency or misconfigured workflow can reuse the job token or exfiltrate data.
Pin all external GitHub Actions to full SHAs and update them to current stable releases so workflow execution is tied to reviewed commits instead of mutable tags, while Renovate keeps future action updates digest-pinned automatically.
This also keeps maintainer-approved fork PR test paths intact, removes endpoints that are not used by the jobs that declared them, removes the gh-pages container that bypassed Harden Runner before the first step, and leaves the remaining high-variance jobs in audit mode until observed egress can be converted into minimal block-mode allowlists.
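The ordering and settings described above, shown as an added before/after workflow pair that is not the PR's own diff; the job names, the third-party action and the endpoint list are assumed, and every `<FULL_COMMIT_SHA>` is a placeholder for a reviewed commit, not a real pin.

```yaml
# Before (assumed layout, not the PR's diff): checkout and a tag-pinned
# action run before Harden Runner, so their egress is never observed.
name: ci-before
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # mutable tag; token persisted by default
      - uses: some-org/some-action@v1        # hypothetical third-party action
      - uses: step-security/harden-runner@v2 # too late: earlier steps already ran
        with:
          egress-policy: audit
      - run: make test

---
# After: Harden Runner first, SHA-pinned actions, no persisted token,
# read-only permissions, and a block-mode allowlist for this job.
name: ci-after
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@<FULL_COMMIT_SHA> # placeholder SHA
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      - uses: actions/checkout@<FULL_COMMIT_SHA>            # placeholder SHA
        with:
          persist-credentials: false
      - uses: some-org/some-action@<FULL_COMMIT_SHA>        # hypothetical action
      - run: make test
  # A job whose egress still varies stays in audit mode until the observed
  # endpoints can be reduced to a minimal block-mode allowlist.
  build-docs:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@<FULL_COMMIT_SHA> # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@<FULL_COMMIT_SHA>            # placeholder SHA
        with:
          persist-credentials: false
      - run: make docs
```

Renovate's digest pinning keeps the `<FULL_COMMIT_SHA>` references current without reintroducing mutable tags.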