From 48edefee9f304e71f80c57ab67f7117d8f3adc1a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 May 2026 08:59:10 +0000 Subject: [PATCH] ci(deps): bump the github-actions group across 1 directory with 5 updates Bumps the github-actions group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.19.1` | `2.19.3` | | [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.3` | `0.5.5` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.3` | `4.35.5` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.1.1` | `3.2.0` | | [philips-software/amp-devcontainer](https://github.com/philips-software/amp-devcontainer) | `6.10.2` | `6.10.3` | Updates `step-security/harden-runner` from 2.19.1 to 2.19.3 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/a5ad31d6a139d249332a2605b85202e8c0b78450...ab7a9404c0f3da075243ca237b5fac12c98deaa5) Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.5 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](https://github.com/zizmorcore/zizmor-action/compare/b1d7e1fb5de872772f31590499237e7cce841e8e...a16621b09c6db4281f81a93cb393b05dcd7b7165) Updates `github/codeql-action` from 4.35.3 to 4.35.5 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e46ed2cbd01164d986452f91f178727624ae40d7...9e0d7b8d25671d64c341c19c0152d693099fb5ba) Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md) - 
[Commits](https://github.com/actions/create-github-app-token/compare/1b10c78c7865c340bc4f6099eb2f838309f1e8c3...bcd2ba49218906704ab6c1aa796996da409d3eb1) Updates `philips-software/amp-devcontainer` from 6.10.2 to 6.10.3 - [Release notes](https://github.com/philips-software/amp-devcontainer/releases) - [Changelog](https://github.com/philips-software/amp-devcontainer/blob/main/CHANGELOG.md) - [Commits](https://github.com/philips-software/amp-devcontainer/compare/94bc4a03c9802aa7d838108e906aea8c7fb33fc7...70e10d114311ed9042f23e971b04d2549926a409) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.19.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.35.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/create-github-app-token dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: philips-software/amp-devcontainer dependency-version: 6.10.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... 
Signed-off-by: dependabot[bot]
---
 .github/workflows/continuous-integration.yml | 2 +-
 .github/workflows/image-cleanup.yml | 2 +-
 .github/workflows/issue-cleanup.yml | 2 +-
 .github/workflows/issue-creation-tool-versions.yml | 2 +-
 .github/workflows/linting-formatting.yml | 6 +++---
 .github/workflows/ossf-scorecard.yml | 4 ++--
 .github/workflows/pr-conventional-title.yml | 2 +-
 .github/workflows/pr-image-cleanup.yml | 4 ++--
 .github/workflows/pr-report.yml | 2 +-
 .github/workflows/release-build.yml | 8 ++++----
 .github/workflows/release-please.yml | 4 ++--
 .github/workflows/update-dependencies.yml | 8 ++++----
 .github/workflows/vulnerability-scan.yml | 4 ++--
 .github/workflows/wc-acceptance-test.yml | 2 +-
 .github/workflows/wc-build-push.yml | 6 +++---
 .github/workflows/wc-dependency-review.yml | 2 +-
 .github/workflows/wc-document-generation.yml | 2 +-
 .github/workflows/wc-integration-test-docker.yml | 2 +-
 .github/workflows/wc-integration-test-podman.yml | 2 +-
 .github/workflows/wc-publish-templates.yml | 2 +-
 .github/workflows/wc-sanitize-image-name.yml | 2 +-
 21 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 5c719cc0..8a600ee7 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -47,7 +47,7 @@ jobs:
 needs: build-push-test
 if: ${{ !cancelled() }}
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml
index 4d405f00..e7cdb9d3 100644
--- a/.github/workflows/image-cleanup.yml
+++ b/.github/workflows/image-cleanup.yml
@@ -15,7 +15,7 @@ jobs:
 permissions:
 packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 allowed-endpoints: >
diff --git a/.github/workflows/issue-cleanup.yml b/.github/workflows/issue-cleanup.yml
index a24b7967..9accbc1d 100644
--- a/.github/workflows/issue-cleanup.yml
+++ b/.github/workflows/issue-cleanup.yml
@@ -15,7 +15,7 @@ jobs:
 issues: write # is needed by actions/stale to close/comment on issues
 pull-requests: write # is needed by actions/stale to close/comment on PRs
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/issue-creation-tool-versions.yml b/.github/workflows/issue-creation-tool-versions.yml
index 74f2b875..12ed300a 100644
--- a/.github/workflows/issue-creation-tool-versions.yml
+++ b/.github/workflows/issue-creation-tool-versions.yml
@@ -16,7 +16,7 @@ jobs:
 contents: read # is needed to checkout the repository
 issues: write # is needed by gh cli to create/close/pin/unpin issues
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml
index 5ca8ef47..6ba2da16 100644
--- a/.github/workflows/linting-formatting.yml
+++ b/.github/workflows/linting-formatting.yml
@@ -26,7 +26,7 @@ jobs:
 pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments
 security-events: write # is needed by oxsecurity/megalinter for uploading sarif files
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
@@ -34,7 +34,7 @@ jobs:
 with:
 fetch-depth: 0
 persist-credentials: false
- - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ - uses: zizmorcore/zizmor-action@a16621b09c6db4281f81a93cb393b05dcd7b7165 # v0.5.5
 with:
 persona: pedantic
 # flavors/dotnet is the smallest flavor of MegaLinter that contains the linters
@@ -44,7 +44,7 @@ jobs:
 APPLY_FIXES: all
 VALIDATE_ALL_CODEBASE: true
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+ - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 if: success() || failure()
 with:
 sarif_file: megalinter-reports/megalinter-report.sarif
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index 89d51ac0..914346b3 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -20,7 +20,7 @@ jobs:
 security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
 id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
@@ -33,6 +33,6 @@ jobs:
 results_format: sarif
 repo_token: ${{ secrets.SCORECARD_TOKEN }}
 publish_results: true
- - uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+ - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml
index 77607b17..e3c3eccc 100644
--- a/.github/workflows/pr-conventional-title.yml
+++ b/.github/workflows/pr-conventional-title.yml
@@ -17,7 +17,7 @@ jobs:
 permissions:
 pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 allowed-endpoints: >
diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml
index 9bb1b660..607a1334 100644
--- a/.github/workflows/pr-image-cleanup.yml
+++ b/.github/workflows/pr-image-cleanup.yml
@@ -14,7 +14,7 @@ jobs:
 permissions:
 packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
@@ -29,7 +29,7 @@ jobs:
 permissions:
 actions: write # is needed to delete workflow run caches
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml
index 8d99c432..596a6b2e 100644
--- a/.github/workflows/pr-report.yml
+++ b/.github/workflows/pr-report.yml
@@ -18,7 +18,7 @@ jobs:
 actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 9755cd6c..1d7c3b15 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -38,7 +38,7 @@ jobs:
 # currently provide a more fine-grained permission for release modification.
 contents: write # is needed to modify a release
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
@@ -73,7 +73,7 @@ jobs:
 REF_NAME: ${{ github.ref_name }}
 REGISTRY: ghcr.io
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
@@ -132,7 +132,7 @@ jobs:
 contents: write # is needed to modify a release
 needs: [generate-documents]
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
@@ -154,7 +154,7 @@ jobs:
 permissions:
 pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index dcd0e2bb..3355a669 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -18,14 +18,14 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: token
 with:
 app-id: ${{ vars.FOREST_RELEASER_APP_ID }}
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 23c98532..6c1c3e7f 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -24,7 +24,7 @@ jobs:
 contents: write # is needed by peter-evans/create-pull-request to create branches and push commits
 pull-requests: write # is needed by peter-evans/create-pull-request to create a PR
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -34,7 +34,7 @@ jobs:
 id: update-packages
 with:
 input-file: .devcontainer/${{ matrix.flavor }}/apt-requirements*.json
- - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: token
 if: github.event_name != 'pull_request'
 with:
@@ -62,7 +62,7 @@ jobs:
 contents: write # is needed by peter-evans/create-pull-request to create branches and push commits
 pull-requests: write # is needed by peter-evans/create-pull-request to create a PR
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -82,7 +82,7 @@ jobs:
 } >> "${RUNNER_TEMP}/pull-request-body.md"
 env:
 MARKDOWN_SUMMARY_FILE: ${{ steps.update-extensions.outputs.markdown-summary-file }}
- - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: token
 if: github.event_name != 'pull_request'
 with:
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index b77cbab3..254b7ee9 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -18,7 +18,7 @@ jobs:
 permissions:
 security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 - uses: crazy-max/ghaction-container-scan@a0a3900b79d158c85ccf034e5368fae620a9233a # v4.0.0
@@ -26,7 +26,7 @@ jobs:
 with:
 image: ghcr.io/${{ github.repository }}-${{ matrix.flavor }}:latest
 dockerfile: .devcontainer/Dockerfile
- - uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+ - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 if: steps.scan.outputs.sarif != ''
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
index d3f119f5..f3df1b22 100644
--- a/.github/workflows/wc-acceptance-test.yml
+++ b/.github/workflows/wc-acceptance-test.yml
@@ -36,7 +36,7 @@ jobs:
 runs-on: ubuntu-latest
 environment: acceptance-testing
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: false # Playwright requires root privileges to install browsers
 egress-policy: audit
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index 8b4c8ed7..69d4816b 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
@@ -75,7 +75,7 @@ jobs:
 contents: read
 packages: write # is needed by docker/build-push-action to push images when using GitHub Container Registry
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
@@ -162,7 +162,7 @@ jobs:
 digest: ${{ steps.inspect-manifest.outputs.digest }}
 version: ${{ steps.metadata.outputs.version }}
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
@@ -234,7 +234,7 @@ jobs:
 name: container-diff-${{ needs.sanitize-image-name.outputs.image-basename }}
 path: container-diff.json
 retention-days: 10
- - uses: philips-software/amp-devcontainer/.github/actions/container-size-diff@94bc4a03c9802aa7d838108e906aea8c7fb33fc7 # v6.10.2
+ - uses: philips-software/amp-devcontainer/.github/actions/container-size-diff@70e10d114311ed9042f23e971b04d2549926a409 # v6.10.3
 id: container-size-diff
 with:
 from-container: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:edge
diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml
index 07274d41..c6089aa0 100644
--- a/.github/workflows/wc-dependency-review.yml
+++ b/.github/workflows/wc-dependency-review.yml
@@ -26,7 +26,7 @@ jobs:
 contents: read
 pull-requests: write # is needed by actions/dependency-review-action to write PR summaries
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 egress-policy: audit
diff --git a/.github/workflows/wc-document-generation.yml b/.github/workflows/wc-document-generation.yml
index 50069992..8b2870a6 100644
--- a/.github/workflows/wc-document-generation.yml
+++ b/.github/workflows/wc-document-generation.yml
@@ -18,7 +18,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/wc-integration-test-docker.yml b/.github/workflows/wc-integration-test-docker.yml
index 3ee77de5..48392280 100644
--- a/.github/workflows/wc-integration-test-docker.yml
+++ b/.github/workflows/wc-integration-test-docker.yml
@@ -45,7 +45,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml
index 7c477187..6a3c88ff 100644
--- a/.github/workflows/wc-integration-test-podman.yml
+++ b/.github/workflows/wc-integration-test-podman.yml
@@ -40,7 +40,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: false
 egress-policy: audit
diff --git a/.github/workflows/wc-publish-templates.yml b/.github/workflows/wc-publish-templates.yml
index af960660..812e1abb 100644
--- a/.github/workflows/wc-publish-templates.yml
+++ b/.github/workflows/wc-publish-templates.yml
@@ -13,7 +13,7 @@ jobs:
 permissions:
 packages: write # is needed by devcontainers/action to write templates as OCI artifacts
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo: true
 egress-policy: audit
diff --git a/.github/workflows/wc-sanitize-image-name.yml b/.github/workflows/wc-sanitize-image-name.yml
index 53d55bd3..e3013f93 100644
--- a/.github/workflows/wc-sanitize-image-name.yml
+++ b/.github/workflows/wc-sanitize-image-name.yml
@@ -35,7 +35,7 @@ jobs:
 image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
 fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
 steps:
- - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 disable-sudo-and-containers: true
 allowed-endpoints: >