Skip to content

build(deps): bump step-security/harden-runner from 2.19.4 to 2.20.0#1334

Merged
spoorcc merged 6 commits into
mainfrom
dependabot/github_actions/step-security/harden-runner-2.20.0
Jul 13, 2026
Merged

build(deps): bump step-security/harden-runner from 2.19.4 to 2.20.0#1334
spoorcc merged 6 commits into
mainfrom
dependabot/github_actions/step-security/harden-runner-2.20.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps step-security/harden-runner from 2.19.4 to 2.20.0.

Release notes

Sourced from step-security/harden-runner's releases.

v2.20.0

What's Changed

  • Support for block policy for MacOS and Windows GitHub-hosted runners
  • Support for Bitrise MacOS GitHub Actions runners
  • HTTPS monitoring support for Bun for Linux runners (enterprise tier)

Full Changelog: step-security/harden-runner@v2.19.4...v2.20.0

Commits
  • bf7454d Merge pull request #673 from step-security/fix/aggregate-error-startup-hang
  • 1188420 Update non-TLS agent to v0.16.2
  • 162cfea Update non-TLS agent to v0.16.1
  • eb9e1f4 Bring macOS runner updates from PR 674
  • 1a10b01 Update Windows agent to v1.0.7
  • 8b4a105 Apply npm audit fixes with release-age cooldown
  • 3626e03 Default TLS status check failures to enabled
  • 100e08b Update agent-ebpf to v1.8.12
  • 774f75f Update agent to v1.8.9
  • f312657 Extend missing-agent-dir guard to Linux and macOS cleanup paths
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot Bot added dependencies Packages this project depends on github_actions Pull requests that update GitHub Actions code labels Jul 7, 2026
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.4 to 2.20.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@9af89fc...bf7454d)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@ben-edna ben-edna force-pushed the dependabot/github_actions/step-security/harden-runner-2.20.0 branch from 978977c to 26897a7 Compare July 13, 2026 11:36
harden-runner v2.20.0 enforces egress blocking on Windows runners for
the first time, which broke the svn choco install (fetched from
sourceforge) and the SVN-based example fetch in the cygwin job.
The previous fix only covered one sourceforge mirror; CI hit a
different one (phoenixnap.dl.sourceforge.net) on retry, since the
mirror sourceforge redirects to varies per run. Switch to a
*.dl.sourceforge.net wildcard to cover any mirror instead of listing
them one by one.

Also add cygwin.com and its default package mirror
(mirrors.kernel.org), which cygwin-install-action needs and which
was never reachable even before harden-runner enforced blocking on
Windows.
Windows hard-fails a WinHTTP download with error 12057
(WINHTTP_ERROR_SECURE_FAILURE) when it can't reach the CA's
certificate revocation endpoint. mirrors.kernel.org's cert chains to
Let's Encrypt, whose CRL responders (x1/x2/ye/ye1.c.lencr.org, seen
rotating across runs) were still being blocked, breaking the cygwin
setup.exe download even though DNS/connect to the mirror itself was
already allowed.
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

CRL distribution points are conventionally served over plain HTTP
(port 80), never HTTPS, precisely to avoid a circular TLS-validation
dependency (this repo's own macos-latest allowlist already reflects
that convention via ocsp.sectigo.com:80). The previous fix only
opened *.c.lencr.org:443, so the real port-80 CRL fetch for
mirrors.kernel.org's cert was still silently dropped, hanging until
schannel gave up with a generic secure-channel failure (12057) -
same symptom as before despite every relevant domain now resolving
and being allowed on port 443.
The cygwin.com/mirrors.kernel.org fixes let this job progress past
the cygwin install for the first time, surfacing the next missing
endpoint: choco install zig needs ziglang.org, already allowlisted
for the separate windows-latest matrix job but never added here.
@spoorcc spoorcc merged commit 2ee545b into main Jul 13, 2026
35 checks passed
@spoorcc spoorcc deleted the dependabot/github_actions/step-security/harden-runner-2.20.0 branch July 13, 2026 18:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Packages this project depends on github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants