build(deps): bump step-security/harden-runner from 2.19.4 to 2.20.0#1334
Merged
spoorcc merged 6 commits intoJul 13, 2026
Merged
Conversation
spoorcc
approved these changes
Jul 9, 2026
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.4 to 2.20.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@9af89fc...bf7454d) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
978977c to
26897a7
Compare
harden-runner v2.20.0 enforces egress blocking on Windows runners for the first time, which broke the svn choco install (fetched from sourceforge) and the SVN-based example fetch in the cygwin job.
The previous fix only covered one sourceforge mirror; CI hit a different one (phoenixnap.dl.sourceforge.net) on retry, since the mirror sourceforge redirects to varies per run. Switch to a *.dl.sourceforge.net wildcard to cover any mirror instead of listing them one by one. Also add cygwin.com and its default package mirror (mirrors.kernel.org), which cygwin-install-action needs and which was never reachable even before harden-runner enforced blocking on Windows.
Windows hard-fails a WinHTTP download with error 12057 (WINHTTP_ERROR_SECURE_FAILURE) when it can't reach the CA's certificate revocation endpoint. mirrors.kernel.org's cert chains to Let's Encrypt, whose CRL responders (x1/x2/ye/ye1.c.lencr.org, seen rotating across runs) were still being blocked, breaking the cygwin setup.exe download even though DNS/connect to the mirror itself was already allowed.
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
CRL distribution points are conventionally served over plain HTTP (port 80), never HTTPS, precisely to avoid a circular TLS-validation dependency (this repo's own macos-latest allowlist already reflects that convention via ocsp.sectigo.com:80). The previous fix only opened *.c.lencr.org:443, so the real port-80 CRL fetch for mirrors.kernel.org's cert was still silently dropped, hanging until schannel gave up with a generic secure-channel failure (12057) - same symptom as before despite every relevant domain now resolving and being allowed on port 443.
The cygwin.com/mirrors.kernel.org fixes let this job progress past the cygwin install for the first time, surfacing the next missing endpoint: choco install zig needs ziglang.org, already allowlisted for the separate windows-latest matrix job but never added here.
spoorcc
approved these changes
Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps step-security/harden-runner from 2.19.4 to 2.20.0.
Release notes
Sourced from step-security/harden-runner's releases.
Commits
bf7454dMerge pull request #673 from step-security/fix/aggregate-error-startup-hang1188420Update non-TLS agent to v0.16.2162cfeaUpdate non-TLS agent to v0.16.1eb9e1f4Bring macOS runner updates from PR 6741a10b01Update Windows agent to v1.0.78b4a105Apply npm audit fixes with release-age cooldown3626e03Default TLS status check failures to enabled100e08bUpdate agent-ebpf to v1.8.12774f75fUpdate agent to v1.8.9f312657Extend missing-agent-dir guard to Linux and macOS cleanup pathsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)