Skip to content

update workflows to use specific action versions and adding harden-runner steps to improve security#158

Merged
danhellem merged 1 commit into
microsoft:mainfrom
polatengin:polatengin/improving-security-and-harden-runners
Jul 6, 2025
Merged

update workflows to use specific action versions and adding harden-runner steps to improve security#158
danhellem merged 1 commit into
microsoft:mainfrom
polatengin:polatengin/improving-security-and-harden-runners

Conversation

@polatengin

Copy link
Copy Markdown
Contributor

To mitigate security concerns, we have made changes to the workflows to use specific action versions and added harden-runner steps to improve security.

  • Pinning GitHub Actions to full commit shas

Following best practices outlined in the official GitHub documentation on Security Hardening for GitHub Actions all GitHub Action steps have been updated to use full-length commit SHAs instead of mutable tags using Harden-Runner.

(for example; - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 instead of - uses: actions/checkout@v4)

This ensures that the exact, immutable version of an action is used, preventing unexpected or malicious code changes from being introduced via tag updates by action maintainers.

  • Introducing harden-runner

We have integrated Harden-Runner into our workflows as recommended by the Security Hardening for GitHub Actions guide.

Harden-Runner enhances the security posture of our pipelines by restricting the permissions of the runner, reducing the attack surface, and providing additional safeguards against supply chain attacks. This helps to control the environment in which the code runs, further limiting the potential for malicious execution.

Harden-Runner also monitoring and disallowing unauthorized outbound web requests and REST API calls.

GitHub issue number

Fixes #122

Associated Risks

None

PR Checklist

  • I have read the contribution guidelines
  • I have read the code of conduct guidelines
  • Title of the pull request is clear and informative.
  • 👌 Code hygiene
  • 🔭 Telemetry added, updated, or N/A
  • 📄 Documentation added, updated, or N/A
  • 🛡️ Automated tests added, or N/A

🧪 How did you test it?

N/A

@github-advanced-security

Copy link
Copy Markdown
Contributor

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@aaudzei aaudzei left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please double check if this output is expected from CodeQL run: https://github.com/microsoft/azure-devops-mcp/pull/158/checks?check_run_id=45081126856

Otherwise looks good.

@danhellem

Copy link
Copy Markdown
Collaborator

@polatengin can you please validate and then let us know so we can merge?

Please double check if this output is expected from CodeQL run: https://github.com/microsoft/azure-devops-mcp/pull/158/checks?check_run_id=45081126856

Otherwise looks good.

@polatengin

Copy link
Copy Markdown
Contributor Author

@polatengin can you please validate and then let us know so we can merge?

Please double check if this output is expected from CodeQL run: https://github.com/microsoft/azure-devops-mcp/pull/158/checks?check_run_id=45081126856
Otherwise looks good.

yes, after merge, the warning should gone 👍 please merge.

@danhellem danhellem merged commit a40ae28 into microsoft:main Jul 6, 2025
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Make it easier to disable specific tools, eg: create pull request

4 participants