On Wed, Mar 25, 2026 at 7:05 PM Jacques Le Roux via security <[email protected]> wrote:

> BTW, it's the tool (not sure of the version) that reported a possible
> vulnerability in GHAs (GitHub Actions) and led to this Infra announcement
> on Friday 20 March evening:
> https://lists.apache.org/thread/nlvl5dp5mxkcrs0krfky4xb94r0pnoxw
> There is this link in it:
> https://github.com/apache/infrastructure-actions/blob/main/README.md
>
> So, as Jacopo summarised the README 2 days later in
> https://lists.apache.org/thread/7c39wdkmo5svtmnto0zbmj39tyz987dz,
> and in his following message a few minutes after,
> step-security/* was no longer allowed.
>
> Last Friday 20 March (same day as the Infra announcement, but before it) Dependabot
> suggested updating it from 2.7.0 to 2.16.0 [2].
> As I had not got such a suggestion since [1], I guess because of 2
> security fixes in this last version, and unaware of the rejection of
> step-security/*, I pushed it.

As you can read in the message you linked (https://lists.apache.org/thread/nlvl5dp5mxkcrs0krfky4xb94r0pnoxw), step-security/* was not specifically rejected; it's just not implicitly allowed anymore. You could consider reviewing it and proposing it for explicit allowlisting using the process documented at https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list (also linked in that message).

Kind regards,

Arnout

> On 25/03/2026 at 11:43, Arnout Engelen wrote:
> > (for reference: it took me longer than I care to admit to find out you
> > were referring to https://github.com/step-security/harden-runner :D )
> >
> > On Wed, Mar 25, 2026 at 11:41 AM Arnout Engelen <[email protected]> wrote:
> >
> >> I have no experience with it. It looks interesting. If you're confident,
> >> would you like to be a trailblazer and try it? Perhaps it would be worth a
> >> message to [email protected] to announce your
> >> experiment and see if there are people who already have experience with it.
> >>
> >> Of course, like with any tool, there's a trade-off between the additional
> >> security this might bring and the increased attack surface - sadly
> >> 'security tools' regularly get compromised themselves. If you're confident
> >> the trade-off is favourable for you in this case I don't see a reason to
> >> argue with that.
> >>
> >> Kind regards,
> >>
> >> Arnout
> >>
> >> On Wed, Mar 25, 2026 at 11:11 AM Jacques Le Roux via security <[email protected]> wrote:
> >>
> >>> Hi Infra and Security teams,
> >>>
> >>> What is your opinion about using step-security/hardened-runner in GitHub
> >>> Actions?
> >>>
> >>> Thanks in advance
> >>>
> >>> Jacques

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
