Hi Arnoult, Infra Team
I thought about putting the link, but as I tend to put too many links, I assumed that Googling would be enough
(https://www.google.com/search?q=step-security%2Fharden-runner :))
Actually we used it for 2 years with the version 2.7.0 [1]. We did not get any
issue, and I was confident.
BTW, it's the tool (not sure of the version) that reported a possible vulnerability in GHAs (GitHub Actions) and led to this Infra announcement on Friday
20 March evening:
https://lists.apache.org/thread/nlvl5dp5mxkcrs0krfky4xb94r0pnoxw
There is this link into it:
https://github.com/apache/infrastructure-actions/blob/main/README.md
So, as Jacopo summarised the README 2 days later in
https://lists.apache.org/thread/7c39wdkmo5svtmnto0zbmj39tyz987dz,
and in his following message a few minutes after,
step-security/* was no longer allowed.
Last Friday 20 March (same day as the Infra announcement, but before it) Dependabot
suggested updating it from 2.7.0 to 2.16.0 [2].
As I had not got such a suggestion since [1], I guess because of 2 security fixes in this last version, and unaware of the rejection of step-security/*, I
pushed it.
Since then, we have reverted this commit and other related ones, because the
disallowed step-security/* blocked our GHAs.
So my question is maybe more for Infra: do you encourage using
step-security/hardened-runner?
[1] https://github.com/apache/ofbiz-framework/pull/737
[2] https://github.com/apache/ofbiz-framework/pull/1004
TIA for your help
Jacques
On 25/03/2026 at 11:43, Arnout Engelen wrote:
(for reference: it took me longer than I care to admit to find out you were
referring to https://github.com/step-security/harden-runner :D )
On Wed, Mar 25, 2026 at 11:41 AM Arnout Engelen <[email protected]> wrote:
I have no experience with it. It looks interesting. If you're confident,
would you like to be a trailblazer and try it? Perhaps it would be
worth a message to [email protected] to announce your
experiment and see if there's people who already have experience with it.
Of course, like with any tool, there's a trade-off between the additional
security this might bring and the increased attack surface - sadly
'security tools' regularly get compromised themselves. If you're confident
the trade-off is favourable for you in this case, I don't see reason
to argue with that.
Kind regards,
Arnout
On Wed, Mar 25, 2026 at 11:11 AM Jacques Le Roux via security
<[email protected]> wrote:
Hi Infra and Security teams,
What is your opinion about using step-security/hardened-runner in
GitHub actions?
Thanks in advance
Jacques
--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant