Skip to content

Enable traffic audit in workflows#6496

Open
ivanzati wants to merge 5 commits into
developfrom
ivanzati/harden-runner-audit
Open

Enable traffic audit in workflows#6496
ivanzati wants to merge 5 commits into
developfrom
ivanzati/harden-runner-audit

Conversation

@ivanzati

Copy link
Copy Markdown
Contributor

Summary

Enable traffic audit in workflows

Checklist

  • The PR title and description are clear and descriptive
  • I have manually tested the changes
  • All changes are covered by automated tests
  • All related issues are linked to this PR (if applicable)
  • Documentation has been updated (if applicable)

@ivanzati ivanzati requested a review from a team as a code owner May 15, 2026 15:11
Copilot AI review requested due to automatic review settings May 15, 2026 15:11
@github-actions github-actions Bot added the BUILD label May 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enables outbound traffic auditing across GitHub Actions workflows by adding step-security/harden-runner steps in audit mode to most CI, security, dependency, release, and automation jobs.

Changes:

  • Adds Harden Runner with egress-policy: audit to workflow jobs.
  • Reuses YAML anchors for repeated Harden Runner and checkout steps in larger workflows.
  • Leaves a note for the Playwright container job where standard Harden Runner monitoring is not applied.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.github/workflows/add-to-project.yml Adds traffic audit before project automation steps.
.github/workflows/auto-approve.yml Adds traffic audit to Renovate auto-approval jobs.
.github/workflows/backend-lint-and-test.yaml Adds traffic audit to backend path check and test matrix jobs.
.github/workflows/build.yaml Adds traffic audit and anchors checkout reuse in build workflow.
.github/workflows/codeql.yaml Adds traffic audit to CodeQL path detection and analysis jobs.
.github/workflows/daily.yml Adds traffic audit to daily issue-management helper jobs.
.github/workflows/dependency-review.yaml Adds traffic audit before dependency review.
.github/workflows/labeler.yaml Adds traffic audit before PR labeling.
.github/workflows/lib-lint-and-test.yaml Adds traffic audit to library lint/test jobs.
.github/workflows/npm-audit-fix.yml Adds traffic audit before npm audit automation.
.github/workflows/publish.yaml Adds traffic audit before package build/publish steps.
.github/workflows/remove-stale-branches.yaml Adds traffic audit before stale branch cleanup.
.github/workflows/renovate-config-validator.yml Adds traffic audit before Renovate config validation.
.github/workflows/renovate.yml Adds traffic audit before Renovate execution.
.github/workflows/scorecard.yaml Adds traffic audit before Scorecard analysis.
.github/workflows/security-scan.yaml Adds traffic audit to security scanning jobs.
.github/workflows/stale_marker.yaml Adds traffic audit before stale issue/PR handling.
.github/workflows/ui-lint-and-test.yaml Adds traffic audit to UI jobs and documents the container-job exception.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/backend-lint-and-test.yaml Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented May 15, 2026

Copy link
Copy Markdown

🐳 Docker image sizes

Device Size
xpu 10802.5 MB (10.55 GB)
cuda 10219.3 MB (9.98 GB)
cpu 4024.1 MB (3.93 GB)

@github-actions

github-actions Bot commented May 15, 2026

Copy link
Copy Markdown

📊 Test coverage report

Metric Coverage
Lines 59.5%
Functions 55.7%
Branches 51.2%
Statements 59.0%

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

⏱️ Backend import time — app.main

Accelerator Cumulative (s) Self (s)
cpu 4.572 0.003
xpu 4.480 0.003

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants