Skip to content

[StepSecurity] Apply security best practices#2

Open
stepsecurity-app[bot] wants to merge 1 commit intomasterfrom
chore/GHA-261837-stepsecurity-remediation
Open

[StepSecurity] Apply security best practices#2
stepsecurity-app[bot] wants to merge 1 commit intomasterfrom
chore/GHA-261837-stepsecurity-remediation

Conversation

@stepsecurity-app
Copy link

@stepsecurity-app stepsecurity-app bot commented Feb 26, 2026

Summary

This pull request has been generated by StepSecurity as part of your enterprise subscription to ensure compliance with recommended security best practices. Please review and merge the pull request to apply these security enhancements.

Security Fixes

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Pinned Dependencies

Pinning GitHub Actions to specific versions or commit SHAs ensures that your workflows remain consistent and secure.
Unpinned actions can lead to unexpected changes or vulnerabilities caused by upstream updates.

Feedback

For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo or contact us via our website.

@stepsecurity-app
[StepSecurity] Apply security best practices
ae825ff 
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Feb 26, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
  • actions/upload-artifact@0c366cb4fc8897159c94880f94b55bc716ad6a66

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Feb 26, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
  • actions/upload-artifact@0c366cb4fc8897159c94880f94b55bc716ad6a66

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Feb 26, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
  • actions/upload-artifact@0c366cb4fc8897159c94880f94b55bc716ad6a66

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Feb 26, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
  • actions/upload-artifact@0c366cb4fc8897159c94880f94b55bc716ad6a66

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Feb 26, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
  • actions/upload-artifact@0c366cb4fc8897159c94880f94b55bc716ad6a66

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Feb 26, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
  • actions/upload-artifact@0c366cb4fc8897159c94880f94b55bc716ad6a66

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Feb 26, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
  • actions/upload-artifact@0c366cb4fc8897159c94880f94b55bc716ad6a66

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

@stepsecurity-app
Copy link
Author

stepsecurity-app bot commented Feb 26, 2026

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy because it uses actions that are not allowed by your organization's policy.

Disallowed Actions:

  • step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
  • docker/setup-qemu-action@5964de0df58d5ad28b04d8fe2e6b80ad47105b91
  • step-security/setup-buildx-action@c60a792b446ef83310733d5cd9d0c8d6870d043f
  • step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d
  • step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

LukeLarge
Lawrence Lucas Large (LukeLarge) reviewed Feb 27, 2026
View reviewed changes
Copy link
Collaborator

@LukeLarge Lawrence Lucas Large (LukeLarge) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[StepSecurity] Apply security best practices
#2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@LukeLarge Lawrence Lucas Large (LukeLarge) LukeLarge left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LukeLarge