From 62ec512ddab7fab2153d3110c752e8e1b856c35d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 24 Apr 2025 10:43:08 +0100
Subject: [PATCH] Bump step-security/harden-runner from 2.11.1 to 2.12.0
(#3394)
Bumps
[step-security/harden-runner](https://github.com/step-security/harden-runner)
from 2.11.1 to 2.12.0.
Release notes
Sourced from step-security/harden-runner's
releases.
v2.12.0
What's Changed
-
A new option, disable-sudo-and-containers, is now
available to replace the disable-sudo policy, addressing
Docker-based privilege escalation (CVE-2025-32955).
More details can be found in this blog
post.
-
New detections have been added based on insights from the tj-actions
and reviewdog actions incidents.
Full Changelog: https://github.com/step-security/harden-runner/compare/v2...v2.12.0
Commits
0634a26
Merge pull request #541
from step-security/rc-202e3c511
Update action.yml40873e6
Update README.md484c279
Update README.md4c8582f
Update agent versionse8d595c
fix disable_sudo_and_containers bug5d277fc
fix journalctl related bugff2ab22
Merge pull request #536
from rohan-stepsecurity/feat/flag/disable-sudo-and-co...b81d650
fix: run sudo command only when both disable-sudo and
disable-sudo-and-docker...769df4e
Update agent- Additional commits viewable in compare
view
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/PR-Demo-Comment-with-react.yml | 4 ++--
.github/workflows/PR-Demo-cleanup.yml | 2 +-
.github/workflows/auto-labeler.yml | 2 +-
.github/workflows/build.yml | 6 +++---
.github/workflows/check_properties.yml | 2 +-
.github/workflows/dependency-review.yml | 2 +-
.github/workflows/licenses-update.yml | 2 +-
.github/workflows/manage-label.yml | 2 +-
.github/workflows/multiOSReleases.yml | 12 ++++++------
.github/workflows/pre_commit.yml | 2 +-
.github/workflows/push-docker.yml | 2 +-
.github/workflows/releaseArtifacts.yml | 6 +++---
.github/workflows/scorecards.yml | 2 +-
.github/workflows/sonarqube.yml | 2 +-
.github/workflows/stale.yml | 2 +-
.github/workflows/swagger.yml | 2 +-
.github/workflows/sync_files.yml | 4 ++--
.github/workflows/testdriver.yml | 6 +++---
18 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/PR-Demo-Comment-with-react.yml b/.github/workflows/PR-Demo-Comment-with-react.yml
index 105fb60b1..361b8b5df 100644
--- a/.github/workflows/PR-Demo-Comment-with-react.yml
+++ b/.github/workflows/PR-Demo-Comment-with-react.yml
@@ -41,7 +41,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -129,7 +129,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/PR-Demo-cleanup.yml b/.github/workflows/PR-Demo-cleanup.yml
index bcb547588..1962bb83d 100644
--- a/.github/workflows/PR-Demo-cleanup.yml
+++ b/.github/workflows/PR-Demo-cleanup.yml
@@ -21,7 +21,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml
index 2bd50d8d4..5f350d2d4 100644
--- a/.github/workflows/auto-labeler.yml
+++ b/.github/workflows/auto-labeler.yml
@@ -13,7 +13,7 @@ jobs:
pull-requests: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 238773596..7db007ea5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -62,7 +62,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -106,7 +106,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/check_properties.yml b/.github/workflows/check_properties.yml
index 84531e094..fc0e7eac2 100644
--- a/.github/workflows/check_properties.yml
+++ b/.github/workflows/check_properties.yml
@@ -18,7 +18,7 @@ jobs:
pull-requests: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 2eece92fe..304267160 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/licenses-update.yml b/.github/workflows/licenses-update.yml
index a86a7c945..0851b1490 100644
--- a/.github/workflows/licenses-update.yml
+++ b/.github/workflows/licenses-update.yml
@@ -18,7 +18,7 @@ jobs:
pull-requests: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/manage-label.yml b/.github/workflows/manage-label.yml
index 63a3f7b7d..73ece41ae 100644
--- a/.github/workflows/manage-label.yml
+++ b/.github/workflows/manage-label.yml
@@ -15,7 +15,7 @@ jobs:
issues: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/multiOSReleases.yml b/.github/workflows/multiOSReleases.yml
index 28a5bd32b..538f74a3a 100644
--- a/.github/workflows/multiOSReleases.yml
+++ b/.github/workflows/multiOSReleases.yml
@@ -21,7 +21,7 @@ jobs:
versionMac: ${{ steps.versionNumberMac.outputs.versionNumberMac }}
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -56,7 +56,7 @@ jobs:
file_suffix: ""
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -106,7 +106,7 @@ jobs:
file_suffix: ""
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -144,7 +144,7 @@ jobs:
contents: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -234,7 +234,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -297,7 +297,7 @@ jobs:
contents: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml
index ad39a1b9a..82745fc4d 100644
--- a/.github/workflows/pre_commit.yml
+++ b/.github/workflows/pre_commit.yml
@@ -16,7 +16,7 @@ jobs:
pull-requests: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
index 8485a85b4..b8b4cba9c 100644
--- a/.github/workflows/push-docker.yml
+++ b/.github/workflows/push-docker.yml
@@ -18,7 +18,7 @@ jobs:
id-token: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/releaseArtifacts.yml b/.github/workflows/releaseArtifacts.yml
index 8844b3a1c..7c2de5e23 100644
--- a/.github/workflows/releaseArtifacts.yml
+++ b/.github/workflows/releaseArtifacts.yml
@@ -23,7 +23,7 @@ jobs:
version: ${{ steps.versionNumber.outputs.versionNumber }}
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -83,7 +83,7 @@ jobs:
file_suffix: ""
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -161,7 +161,7 @@ jobs:
file_suffix: ""
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 4e50b7325..e226f6592 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -34,7 +34,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 3220da581..ddf0980ab 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 24375021c..4000f0e6f 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -16,7 +16,7 @@ jobs:
pull-requests: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/swagger.yml b/.github/workflows/swagger.yml
index cd72a2483..19c0aaa89 100644
--- a/.github/workflows/swagger.yml
+++ b/.github/workflows/swagger.yml
@@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/sync_files.yml b/.github/workflows/sync_files.yml
index a47d3ee60..1bfa11167 100644
--- a/.github/workflows/sync_files.yml
+++ b/.github/workflows/sync_files.yml
@@ -24,7 +24,7 @@ jobs:
committer: ${{ steps.committer.outputs.committer }}
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -57,7 +57,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/testdriver.yml b/.github/workflows/testdriver.yml
index 5986c38f4..4489dd56a 100644
--- a/.github/workflows/testdriver.yml
+++ b/.github/workflows/testdriver.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -105,7 +105,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
@@ -134,7 +134,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit