Skip to content

chore: bump step-security/harden-runner from 2.13.1 to 2.14.0 #292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: bump step-security/harden-runner from 2.13.1 to 2.14.0 #292

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 22, 2025

Bumps step-security/harden-runner from 2.13.1 to 2.14.0.

Release notes

Sourced from step-security/harden-runner's releases.

v2.14.0

What's Changed

  • Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
  • Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

What's Changed

  • Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

What's Changed

  • Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
  • Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

Commits
  • 20cf305 Merge pull request #622 from step-security/feature/custom-property-skip
  • c51e8ee feat: skip agent install and post step on subsequent runs for GitHub-hosted r...
  • e152b90 feat: skip harden-runner based on repository custom property
  • ee1faec feat: replace skip-harden-runner with skip-on-custom-property input
  • 1dc7c17 feat: add skip-harden-runner input to conditionally skip execution
  • df199fb Merge pull request #620 from step-security/rc-29
  • 03d096a update agent
  • 4090107 fix: update agent
  • 95d9a5d Merge pull request #606 from step-security/rc-28
  • 87e429d Update limitations.md
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore: bump step-security/harden-runner from 2.13.1 to 2.14.0
1a8a383 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.1 to 2.14.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f4a75cf...20cf305)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 22, 2025
@dependabot dependabot bot added github_actions Pull requests that update GitHub Actions code dependencies Pull requests that update a dependency file labels Dec 22, 2025
@kaito-pr-agent
Copy link

kaito-pr-agent bot commented Dec 22, 2025

Title

Bump step-security/harden-runner from 2.13.1 to 2.14.0

Description

  • Updated step-security/harden-runner GitHub Action to v2.14.0

  • Modified workflow files to use new action version

  • Maintained existing egress-policy configuration

  • Updated commit references across workflows

Changes walkthrough 📝

Relevant files
Dependencies
create-release.yml
Update harden-runner action in release workflow                   

.github/workflows/create-release.yml

  • Updated step-security/harden-runner action from v2.13.1 to v2.14.0
  • Changed commit hash reference to new version
    		• +1/-1     
    e2e-workflow.yml
    Upgrade harden-runner in e2e workflow                                       

    .github/workflows/e2e-workflow.yml

  • Replaced harden-runner version from 2.13.1 to 2.14.0
  • Maintained egress-policy audit configuration
    		• +1/-1     
    lint-go.yaml
    Bump harden-runner version in lint workflow                           

    .github/workflows/lint-go.yaml

  • Updated harden-runner action to latest version
  • Preserved egress-policy audit setting
    		• +1/-1     
    tests.yml
    Update harden-runner in test workflow                                       

    .github/workflows/tests.yml

  • Changed harden-runner from v2.13.1 to v2.14.0
  • Kept existing egress-policy configuration
    		• +1/-1     
    Need help?
  • Type /help how to ... in the comments thread for any questions about PR-Agent usage.
  • Check out the documentation for more information.
    		•

    @kaito-pr-agent
    Copy link

    kaito-pr-agent bot commented Dec 22, 2025

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Version Verification

    Verify that the new harden-runner version (v2.14.0) is compatible with existing workflows and that the referenced commit hash (20cf305ff2072d973412fa9b1e3a4f227bda3c76) matches the official release

     
    uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0

    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

    Reviewers

    @Fei-Guo Fei-Guo Awaiting requested review from Fei-Guo Fei-Guo is a code owner

    @helayoty helayoty Awaiting requested review from helayoty helayoty is a code owner

    At least 1 approving review is required to merge this pull request.

    Assignees

    No one assigned

    Labels

    dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code Review effort 1/5

    Projects

    None yet

    Milestone

    No milestone

    Development

    Successfully merging this pull request may close these issues.

    1 participant