From 94df6987665a8dc3d0e3821e7d93767e4e7a9163 Mon Sep 17 00:00:00 2001 From: "Zakharov, Ivan" Date: Fri, 15 May 2026 17:09:53 +0200 Subject: [PATCH 1/2] Enable traffic audit in workflows --- .github/workflows/add-to-project.yml | 5 +++++ .github/workflows/auto-approve.yml | 8 ++++++++ .github/workflows/backend-lint-and-test.yaml | 8 ++++++++ .github/workflows/build.yaml | 16 +++++++++++----- .github/workflows/codeql.yaml | 8 ++++++++ .github/workflows/daily.yml | 10 ++++++++++ .github/workflows/dependency-review.yaml | 5 +++++ .github/workflows/labeler.yaml | 5 +++++ .github/workflows/lib-lint-and-test.yaml | 18 ++++++++++++++++++ .github/workflows/npm-audit-fix.yml | 5 +++++ .github/workflows/publish.yaml | 5 +++++ .github/workflows/remove-stale-branches.yaml | 5 +++++ .../workflows/renovate-config-validator.yml | 5 +++++ .github/workflows/renovate.yml | 5 +++++ .github/workflows/scorecard.yaml | 5 +++++ .github/workflows/security-scan.yaml | 17 +++++++++++++++++ .github/workflows/stale_marker.yaml | 5 +++++ .github/workflows/ui-lint-and-test.yaml | 16 ++++++++++++++++ 18 files changed, 146 insertions(+), 5 deletions(-) diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index c25499c9760..f5f2176f494 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -14,6 +14,11 @@ jobs: name: auto-add-new-issue-to-project deployment: false steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Add issue to project id: add-project uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index cbbf9135e56..fb8f6812b26 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -23,6 +23,12 @@ jobs: github.event.sender.login == 'oep-renovate[bot]' }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Capture Commit SHA id: capture_sha run: | @@ -49,6 +55,8 @@ jobs: deployment: false runs-on: ubuntu-latest steps: + - *harden-runner + - name: Debug env: PR_AUTHOR: ${{ github.event.pull_request.user.login }} diff --git a/.github/workflows/backend-lint-and-test.yaml b/.github/workflows/backend-lint-and-test.yaml index 0d11b3c3452..8780fa0cbc8 100644 --- a/.github/workflows/backend-lint-and-test.yaml +++ b/.github/workflows/backend-lint-and-test.yaml @@ -27,6 +27,12 @@ jobs: outputs: run_workflow: ${{ steps.check_paths.outputs.run }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -56,6 +62,8 @@ jobs: permissions: contents: read # to checkout code steps: + - *harden-runner + - *checkout - name: Install Python, uv and Just diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f92b589371f..fd29565e965 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -25,7 +25,14 @@ jobs: outputs: run_workflow: ${{ steps.check_paths.outputs.run }} steps: - - name: Checkout repository + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - &checkout + name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -56,10 +63,9 @@ jobs: pull-requests: write # Post image size comments on PRs id-token: write # Use OIDC token to sign images steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false + - *harden-runner + + - *checkout - name: Read application version id: version diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 95262a899f1..9900447b0db 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -25,6 +25,12 @@ jobs: run_actions: "${{ steps.prepare_outputs.outputs.run_actions }}" run_rust: "${{ steps.prepare_outputs.outputs.run_rust }}" steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -102,6 +108,8 @@ jobs: run: ${{ needs.check_paths.outputs.run_rust || 'true' }} steps: + - *harden-runner + - *checkout # Initializes the CodeQL tools for scanning. diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml index 06a2fb486b4..6ae2b6b3585 100644 --- a/.github/workflows/daily.yml +++ b/.github/workflows/daily.yml @@ -45,6 +45,12 @@ jobs: outputs: version: ${{ steps.version.outputs.value }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -89,6 +95,8 @@ jobs: outputs: issue_exists: ${{ steps.check.outputs.issue_exists }} steps: + - *harden-runner + - name: Check for existing open issue id: check uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -134,6 +142,8 @@ jobs: permissions: issues: write # Permission to create issues steps: + - *harden-runner + - name: Create GitHub Issue uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 7511ba366f1..feb97dc4a56 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -10,6 +10,11 @@ jobs: permissions: contents: read steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Checkout Repository" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index a57527e0b63..adcf69d2866 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml @@ -17,4 +17,9 @@ jobs: pull-requests: write runs-on: ${{ github.repository_owner == 'open-edge-platform' && 'overflow' || 'ubuntu-latest' }} steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 diff --git a/.github/workflows/lib-lint-and-test.yaml b/.github/workflows/lib-lint-and-test.yaml index 3bbef84b5ad..1eb711c4cc4 100644 --- a/.github/workflows/lib-lint-and-test.yaml +++ b/.github/workflows/lib-lint-and-test.yaml @@ -28,6 +28,12 @@ jobs: outputs: run_workflow: ${{ steps.check_paths.outputs.run }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -50,6 +56,8 @@ jobs: permissions: contents: read steps: + - *harden-runner + - *checkout - name: Install Python, uv and Just @@ -85,6 +93,11 @@ jobs: name: unit-tests-with-Python${{ matrix.python-version }} steps: # YAML anchors not used cause currently zizmor don't support them in matrix strategies + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -143,6 +156,11 @@ jobs: name: integration-tests-${{ matrix.task }}-py${{ matrix.python-version }} steps: # YAML anchors aren't used because Zizmor fails here and support for them is best-effort for now + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml index 09a200044a7..2773dc431cf 100644 --- a/.github/workflows/npm-audit-fix.yml +++ b/.github/workflows/npm-audit-fix.yml @@ -19,6 +19,11 @@ jobs: contents: read # to checkout code steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index af9aea90822..961e9e84f6a 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -16,6 +16,11 @@ jobs: contents: write # required by svenstaro/upload-release-action id-token: write # required by trusted publisher steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/remove-stale-branches.yaml b/.github/workflows/remove-stale-branches.yaml index ea579e8cc02..7ecf68479e4 100644 --- a/.github/workflows/remove-stale-branches.yaml +++ b/.github/workflows/remove-stale-branches.yaml @@ -26,6 +26,11 @@ jobs: actions: read # Required to read branch activity pull-requests: read # Required to check if a branch has an open PR steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - uses: fpicalausa/remove-stale-branches@7c4f2afe88a36c0f9114cd958380979b9d7323fb # v2.4.0 with: dry-run: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run || 'false' }} diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml index 7fc0a2d6fa9..4074529b984 100644 --- a/.github/workflows/renovate-config-validator.yml +++ b/.github/workflows/renovate-config-validator.yml @@ -29,6 +29,11 @@ jobs: permissions: contents: read steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout configuration uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 29328bdcb1e..08306814932 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -59,6 +59,11 @@ jobs: runs-on: ${{ github.repository_owner == 'open-edge-platform' && 'overflow' || 'ubuntu-latest' }} steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 198f74c1519..5cefdf07680 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -21,6 +21,11 @@ jobs: id-token: write steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 937c72655dd..234f7444021 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -39,6 +39,12 @@ jobs: contents: read security-events: write # Needed to upload the results to code-scanning dashboard steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -59,6 +65,8 @@ jobs: contents: read security-events: write # Needed to upload the results to code-scanning dashboard steps: + - *harden-runner + - *checkout - name: Run Bandit scan @@ -77,6 +85,8 @@ jobs: contents: read security-events: write # Needed to upload the results to code-scanning dashboard steps: + - *harden-runner + - *checkout - name: Run Trivy scan @@ -100,6 +110,8 @@ jobs: matrix: ai-device: [cpu] steps: + - *harden-runner + - name: Runner cleanup uses: open-edge-platform/geti-ci/actions/cleanup-runner@7e686c1248b3939f8ee8e04e2612da727e379d91 with: @@ -240,6 +252,11 @@ jobs: matrix: ai-device: [cpu, cuda, xpu] steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Run container image scan (${{ matrix.ai-device }}) uses: open-edge-platform/geti-ci/actions/trivy@7e686c1248b3939f8ee8e04e2612da727e379d91 with: diff --git a/.github/workflows/stale_marker.yaml b/.github/workflows/stale_marker.yaml index e1e3c22ae82..c7d63f84d7e 100644 --- a/.github/workflows/stale_marker.yaml +++ b/.github/workflows/stale_marker.yaml @@ -13,6 +13,11 @@ jobs: issues: write pull-requests: write steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days." diff --git a/.github/workflows/ui-lint-and-test.yaml b/.github/workflows/ui-lint-and-test.yaml index 83af41f7f14..55e833af7aa 100644 --- a/.github/workflows/ui-lint-and-test.yaml +++ b/.github/workflows/ui-lint-and-test.yaml @@ -30,6 +30,12 @@ jobs: outputs: run_workflow: ${{ steps.check_paths.outputs.run }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -55,6 +61,8 @@ jobs: permissions: contents: read # to checkout code steps: + - *harden-runner + - *checkout - name: Install Python, uv and Just @@ -86,6 +94,8 @@ jobs: permissions: contents: read # to checkout code steps: + - *harden-runner + - *checkout - &setup-node @@ -126,6 +136,8 @@ jobs: permissions: contents: read # to checkout code steps: + - *harden-runner + - *checkout - *setup-node @@ -172,6 +184,8 @@ jobs: contents: read pull-requests: write steps: + - *harden-runner + - *checkout - *setup-node @@ -268,6 +282,8 @@ jobs: container: image: mcr.microsoft.com/playwright:v1.57.0-jammy@sha256:6aca677c27a967caf7673d108ac67ffaf8fed134f27e17b27a05464ca0ace831 steps: + # This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners. + - *checkout - *setup-node From b7abac54dc9e53b933ebd5984e858be36c85233b Mon Sep 17 00:00:00 2001 From: Ivan Zakharov Date: Fri, 15 May 2026 16:15:35 +0100 Subject: [PATCH 2/2] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/backend-lint-and-test.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/backend-lint-and-test.yaml b/.github/workflows/backend-lint-and-test.yaml index 8780fa0cbc8..2dfd1381529 100644 --- a/.github/workflows/backend-lint-and-test.yaml +++ b/.github/workflows/backend-lint-and-test.yaml @@ -62,7 +62,11 @@ jobs: permissions: contents: read # to checkout code steps: - - *harden-runner + - name: Harden the runner (audit all outbound calls) + if: matrix.os == 'ubuntu' + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit - *checkout