
BUILD-11094 Add StepSecurity Harden Runner to workflows#104

Merged
hedinasr merged 1 commit into
masterfrom
add-stepsecurity-harden-runner
Apr 22, 2026

Conversation

@chirag-goel-sonarsource (Contributor)

Adds step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 (v2.19.0) as the first step in every job across all workflow files, using egress-policy: audit to monitor outbound network traffic without blocking.

Workflows updated: build.yml, pre-commit.yml, pr-cleanup.yml, slack_notify.yml, unified-dogfooding.yml, PullRequestClosed.yml, PullRequestCreated.yml, RequestReview.yml, SubmitReview.yml

release.yml is excluded as its job uses a reusable workflow call (uses:) and does not support injecting steps.

Adds step-security/harden-runner@8d3c67d (v2.19.0)
as the first step in every job across all workflow files, using
egress-policy: audit to monitor outbound network traffic.

Workflows updated: build.yml, pre-commit.yml, pr-cleanup.yml,
slack_notify.yml, unified-dogfooding.yml, PullRequestClosed.yml,
PullRequestCreated.yml, RequestReview.yml, SubmitReview.yml

release.yml is excluded as its job uses a reusable workflow call and
does not support injecting steps.
@chirag-goel-sonarsource chirag-goel-sonarsource requested review from a team and Copilot April 22, 2026 10:09
@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title Add StepSecurity Harden Runner to workflows BUILD-11094 Add StepSecurity Harden Runner to workflows Apr 22, 2026
sonar-review-alpha Bot commented Apr 22, 2026

Summary

This PR adds StepSecurity Harden Runner (v2.19.0) as the first step in 9 GitHub workflows, configured with egress-policy: audit to monitor outbound network traffic without blocking. The harden-runner is injected identically into each workflow file, with the commit hash pinned for reproducibility. The change is non-invasive: each workflow's existing steps remain unmodified, and the audit mode means no network requests will be blocked.

What reviewers should know

Coverage: The 9 workflows span multiple purposes (CI builds, PR automation, notifications, cleanup). Note that build.yml has two jobs updated (build and promote), while others have single jobs.

Implementation consistency: All additions use the same pinned version and configuration, making this easy to audit and maintain.

Review focus: This is a purely additive change with no modifications to existing step logic. Verify that:

  • The harden-runner placement as the first step doesn't interfere with any job setup assumptions
  • All intended workflows are covered (the PR notes release.yml is intentionally excluded due to reusable workflow limitations)
  • The audit-only mode is acceptable for the intended security monitoring goal

No breaking changes or workflow behavior alterations are introduced.


hashicorp-vault-sonar-prod Bot commented Apr 22, 2026

BUILD-11094

Copilot AI left a comment

Pull request overview

This PR strengthens CI supply-chain security by adding StepSecurity’s Harden Runner action as the first step in each GitHub Actions job (audit-only egress monitoring), across the repository’s workflows.

Changes:

  • Added step-security/harden-runner@8d3c67d... (pinned SHA, v2.19.0) as the first step in every workflow job.
  • Configured egress-policy: audit consistently across all updated workflows.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

File | Description
.github/workflows/build.yml Adds Harden Runner to build and promote jobs before any other steps.
.github/workflows/pre-commit.yml Adds Harden Runner as the first step in the pre-commit job.
.github/workflows/pr-cleanup.yml Adds Harden Runner as the first step in the cleanup job.
.github/workflows/slack_notify.yml Adds Harden Runner as the first step in the notify job.
.github/workflows/unified-dogfooding.yml Adds Harden Runner as the first step in the scheduled dogfooding scan job.
.github/workflows/PullRequestClosed.yml Adds Harden Runner before secrets/action steps in the PR-closed automation job.
.github/workflows/PullRequestCreated.yml Adds Harden Runner before secrets/action steps in the PR-created automation job.
.github/workflows/RequestReview.yml Adds Harden Runner before secrets/action steps in the review-request automation job.
.github/workflows/SubmitReview.yml Adds Harden Runner before secrets/action steps in the review-submitted automation job.

@sonar-review-alpha sonar-review-alpha Bot left a comment

LGTM! ✅

Clean, consistent implementation with no issues. All 9 eligible jobs are covered, both jobs in build.yml (build and promote) are included, and release.yml is correctly excluded — its job body is a single uses: reusable workflow call, which cannot accept injected steps.

One forward-looking note: audit mode is a sound starting point, but once the team has reviewed the egress logs and confirmed all outbound traffic is expected, consider upgrading the jobs with elevated permissions (id-token: write in build.yml, unified-dogfooding.yml, and the PR automation workflows that access Vault) to egress-policy: block. That's when harden-runner goes from monitoring to actually preventing exfiltration of OIDC tokens or secrets.

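Added example, not code from this PR or the repository: one workflow showing the audit-mode step exactly where the PR description places it, the block-mode form the review comment above suggests for id-token: write jobs, and the reusable-workflow job shape that explains why release.yml is excluded. The workflow name, scripts and the Vault hostname are constructed placeholders.

```yaml
# Added example (not from the PR). The pinned SHA and tag are the ones the
# PR uses; job names, scripts and endpoint hostnames are placeholders.
name: example-ci

on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Must be the first step: harden-runner only observes traffic from
      # steps that run after it. Pinned to a full commit SHA (as in the PR)
      # rather than a mutable tag so the action cannot be swapped underneath.
      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit   # log every outbound call, block nothing
      - uses: actions/checkout@v4
      - run: ./build.sh

  # The same shape after the egress logs have been reviewed: only the hosts
  # the job legitimately needs are allowed and everything else is refused.
  # This is the hardened form the review recommends for id-token: write jobs,
  # where a stray outbound call could carry the OIDC token or a secret.
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: block
          # vault.example.invalid stands in for the team's real Vault host.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            vault.example.invalid:443
      - uses: actions/checkout@v4
      - run: ./publish.sh

  # A job that is only a reusable-workflow call has no steps list, so there
  # is nowhere to inject harden-runner (the reason release.yml is excluded).
  # The called workflow has to add the step to its own jobs instead.
  release:
    uses: ./.github/workflows/reusable-release.yml
    secrets: inherit
```

Before switching a job to block, read its audit findings in the StepSecurity dashboard for a few runs so the allow list reflects every endpoint the job actually contacts.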

@hedinasr hedinasr merged commit c985101 into master Apr 22, 2026
15 checks passed
@hedinasr hedinasr deleted the add-stepsecurity-harden-runner branch April 22, 2026 12:57