Skip to content

ci: [StepSecurity] Apply security best practices #596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
stepsecurity-app wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ci: [StepSecurity] Apply security best practices #596

stepsecurity-app wants to merge 1 commit into from
+13 −5

Conversation

@stepsecurity-app
Copy link

@stepsecurity-app stepsecurity-app bot commented Jan 29, 2026

Summary

This pull request has been generated by StepSecurity as part of your enterprise subscription to ensure compliance with recommended security best practices. Please review and merge the pull request to apply these security enhancements.

Security Fixes

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Pinned Dependencies

Pinning GitHub Actions to specific versions or commit SHAs ensures that your workflows remain consistent and secure.
Unpinned actions can lead to unexpected changes or vulnerabilities caused by upstream updates.

StepSecurity Maintained Actions

Risky GitHub Actions can expose your project to potential security risks. Risky actions have been replaced with StepSecurity maintained actions, that are secure drop-in replacements.

Feedback

For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo or contact us via our website.

@stepsecurity-app
ci: [StepSecurity] Apply security best practices
13a8c59 
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Jan 29, 2026

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (stepsecurity-app[bot]) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Jan 29, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/dependabot-fetch-metadata@38d404f7e1742ae1cfa9b25ade9afa0c7a288e77

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@Pr0methean Pr0methean added this to the 7.3.0 milestone Jan 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

7.3.0

Development

Successfully merging this pull request may close these issues.

1 participant

@Pr0methean