Enable traffic audit in workflows#6496
Conversation
There was a problem hiding this comment.
Pull request overview
This PR enables outbound traffic auditing across GitHub Actions workflows by adding step-security/harden-runner steps in audit mode to most CI, security, dependency, release, and automation jobs.
Changes:
- Adds Harden Runner with
egress-policy: auditto workflow jobs. - Reuses YAML anchors for repeated Harden Runner and checkout steps in larger workflows.
- Leaves a note for the Playwright container job where standard Harden Runner monitoring is not applied.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/add-to-project.yml |
Adds traffic audit before project automation steps. |
.github/workflows/auto-approve.yml |
Adds traffic audit to Renovate auto-approval jobs. |
.github/workflows/backend-lint-and-test.yaml |
Adds traffic audit to backend path check and test matrix jobs. |
.github/workflows/build.yaml |
Adds traffic audit and anchors checkout reuse in build workflow. |
.github/workflows/codeql.yaml |
Adds traffic audit to CodeQL path detection and analysis jobs. |
.github/workflows/daily.yml |
Adds traffic audit to daily issue-management helper jobs. |
.github/workflows/dependency-review.yaml |
Adds traffic audit before dependency review. |
.github/workflows/labeler.yaml |
Adds traffic audit before PR labeling. |
.github/workflows/lib-lint-and-test.yaml |
Adds traffic audit to library lint/test jobs. |
.github/workflows/npm-audit-fix.yml |
Adds traffic audit before npm audit automation. |
.github/workflows/publish.yaml |
Adds traffic audit before package build/publish steps. |
.github/workflows/remove-stale-branches.yaml |
Adds traffic audit before stale branch cleanup. |
.github/workflows/renovate-config-validator.yml |
Adds traffic audit before Renovate config validation. |
.github/workflows/renovate.yml |
Adds traffic audit before Renovate execution. |
.github/workflows/scorecard.yaml |
Adds traffic audit before Scorecard analysis. |
.github/workflows/security-scan.yaml |
Adds traffic audit to security scanning jobs. |
.github/workflows/stale_marker.yaml |
Adds traffic audit before stale issue/PR handling. |
.github/workflows/ui-lint-and-test.yaml |
Adds traffic audit to UI jobs and documents the container-job exception. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
🐳 Docker image sizes
|
📊 Test coverage report
|
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
⏱️ Backend import time —
|
| Accelerator | Cumulative (s) | Self (s) |
|---|---|---|
cpu |
4.572 | 0.003 |
xpu |
4.480 | 0.003 |
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Summary
Enable traffic audit in workflows
Checklist