Skip to content

Enable traffic audit in workflows#6496

Merged
ivanzati merged 7 commits into
developfrom
ivanzati/harden-runner-audit
Jul 14, 2026
Merged

Enable traffic audit in workflows#6496
ivanzati merged 7 commits into
developfrom
ivanzati/harden-runner-audit

Conversation

@ivanzati

Copy link
Copy Markdown
Contributor

Summary

Enable traffic audit in workflows

Checklist

  • The PR title and description are clear and descriptive
  • I have manually tested the changes
  • All changes are covered by automated tests
  • All related issues are linked to this PR (if applicable)
  • Documentation has been updated (if applicable)

@ivanzati ivanzati requested a review from a team as a code owner May 15, 2026 15:11
Copilot AI review requested due to automatic review settings May 15, 2026 15:11
@github-actions github-actions Bot added the BUILD label May 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enables outbound traffic auditing across GitHub Actions workflows by adding step-security/harden-runner steps in audit mode to most CI, security, dependency, release, and automation jobs.

Changes:

  • Adds Harden Runner with egress-policy: audit to workflow jobs.
  • Reuses YAML anchors for repeated Harden Runner and checkout steps in larger workflows.
  • Leaves a note for the Playwright container job where standard Harden Runner monitoring is not applied.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.github/workflows/add-to-project.yml Adds traffic audit before project automation steps.
.github/workflows/auto-approve.yml Adds traffic audit to Renovate auto-approval jobs.
.github/workflows/backend-lint-and-test.yaml Adds traffic audit to backend path check and test matrix jobs.
.github/workflows/build.yaml Adds traffic audit and anchors checkout reuse in build workflow.
.github/workflows/codeql.yaml Adds traffic audit to CodeQL path detection and analysis jobs.
.github/workflows/daily.yml Adds traffic audit to daily issue-management helper jobs.
.github/workflows/dependency-review.yaml Adds traffic audit before dependency review.
.github/workflows/labeler.yaml Adds traffic audit before PR labeling.
.github/workflows/lib-lint-and-test.yaml Adds traffic audit to library lint/test jobs.
.github/workflows/npm-audit-fix.yml Adds traffic audit before npm audit automation.
.github/workflows/publish.yaml Adds traffic audit before package build/publish steps.
.github/workflows/remove-stale-branches.yaml Adds traffic audit before stale branch cleanup.
.github/workflows/renovate-config-validator.yml Adds traffic audit before Renovate config validation.
.github/workflows/renovate.yml Adds traffic audit before Renovate execution.
.github/workflows/scorecard.yaml Adds traffic audit before Scorecard analysis.
.github/workflows/security-scan.yaml Adds traffic audit to security scanning jobs.
.github/workflows/stale_marker.yaml Adds traffic audit before stale issue/PR handling.
.github/workflows/ui-lint-and-test.yaml Adds traffic audit to UI jobs and documents the container-job exception.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/backend-lint-and-test.yaml Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@github-actions

github-actions Bot commented May 15, 2026

Copy link
Copy Markdown

🐳 Docker image sizes

Device Size
xpu 10801.7 MB (10.55 GB)
cuda 10208.3 MB (9.97 GB)
cpu 4013.1 MB (3.92 GB)

@github-actions

github-actions Bot commented May 15, 2026

Copy link
Copy Markdown

📊 Test coverage report

Metric Coverage
Lines 60.3%
Functions 57.0%
Branches 52.1%
Statements 59.9%

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

⏱️ Backend import time — app.main

Accelerator Cumulative (s) Self (s)
cpu 4.864 0.004
xpu 4.819 0.004
cuda 4.813 0.004

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@AlexanderBarabanov AlexanderBarabanov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, Ivan!

@ivanzati ivanzati added this pull request to the merge queue Jul 14, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 14, 2026
@ivanzati ivanzati added this pull request to the merge queue Jul 14, 2026
Merged via the queue into develop with commit 97ed9d4 Jul 14, 2026
54 checks passed
@ivanzati ivanzati deleted the ivanzati/harden-runner-audit branch July 14, 2026 14:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants