On 26/03/2026 at 09:57, Arnout Engelen wrote:
On Wed, Mar 25, 2026 at 7:05 PM Jacques Le Roux via security <[email protected]> wrote:
BTW, it's the tool (not sure of the version) that reported a possible
vulnerability in GHAs (GitHub Actions) and led to this Infra announcement
on Friday 20 March evening:
https://lists.apache.org/thread/nlvl5dp5mxkcrs0krfky4xb94r0pnoxw
There is this link in it:
https://github.com/apache/infrastructure-actions/blob/main/README.md
So, as Jacopo summarised the README 2 days later in
https://lists.apache.org/thread/7c39wdkmo5svtmnto0zbmj39tyz987dz,
and in his following message a few minutes after,
step-security/* was no longer allowed.
Last Friday 20 March (same day as the Infra announcement, but before it) Dependabot
suggested updating it from 2.7.0 to 2.16.0 [2].
As I had not got such a suggestion since [1], I guess because of 2
security fixes in this last version, and unaware of the rejection of
step-security/*, I pushed it.
As you can read in the message you linked
(https://lists.apache.org/thread/nlvl5dp5mxkcrs0krfky4xb94r0pnoxw),
step-security/* was not specifically rejected, it's just not implicitly
allowed anymore. You could consider reviewing it and proposing it for
explicit allowlisting using the process documented at
https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list
(also linked in that message).
Kind regards,
Arnout
Thanks Arnout,
Indeed that seems the best way. I'll do that.
Cheers
Jacques
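An added example, not code from this thread or from apache/infrastructure-actions: a small Python check that lists every `uses:` reference in a workflow file and reports whether the action and the exact version are on an allow-list, so a Dependabot bump such as 2.7.0 to 2.16.0 above is flagged before it is pushed rather than after. The sample workflow and the allow-list format are constructed for the example; the real ASF allow-list and its format live in the infrastructure-actions repository linked above.

```python
import re

# Constructed sample workflow excerpt (not from the thread). The two
# step-security version numbers are the ones discussed in the e-mail.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.16.0
      - uses: actions/checkout@v4
      - uses: some-org/unreviewed-action
      - name: Build
        run: ./gradlew build
"""

# Hypothetical allow-list: action reference -> set of permitted refs.
# Only the versions listed here are accepted; a bump to any other version
# must go through review and be added explicitly, as the README describes.
ALLOWLIST = {
    "actions/checkout": {"v4"},
    "step-security/harden-runner": {"v2.7.0"},
}

# Matches a step's `uses:` line, e.g. "      - uses: owner/repo@ref".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")


def check_workflow(text, allowlist):
    """Return (action, ref, verdict) for every `uses:` step in `text`."""
    results = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m.group(1).partition("@")
        if not ref:
            verdict = "unpinned"               # no @ref at all
        elif action not in allowlist:
            verdict = "not-allowlisted"        # action never reviewed
        elif ref not in allowlist[action]:
            verdict = "version-not-allowlisted"  # e.g. Dependabot bump
        else:
            verdict = "ok"
        results.append((action, ref or None, verdict))
    return results
```

Running `check_workflow(SAMPLE_WORKFLOW, ALLOWLIST)` flags the harden-runner bump to v2.16.0 and the unpinned action while accepting `actions/checkout@v4`.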
On 25/03/2026 at 11:43, Arnout Engelen wrote:
(for reference: it took me longer than I care to admit to find out you
were referring to https://github.com/step-security/harden-runner :D )
On Wed, Mar 25, 2026 at 11:41 AM Arnout Engelen <[email protected]> wrote:
I have no experience with it. It looks interesting. If you're confident,
would you like to be a trailblazer and try it? Perhaps it would be worth a
message to [email protected] to announce your
experiment and see if there's people who already have experience with it.
Of course like with any tool there's a trade-off between the additional
security this might bring and the increased attack surface - sadly
'security tools' regularly get compromised themselves. If you're confident
the trade-off is favourable for you in this case I don't see reason to
argue with that.
Kind regards,
Arnout
On Wed, Mar 25, 2026 at 11:11 AM Jacques Le Roux via security <
[email protected]> wrote:
Hi Infra and Security teams,
What is your opinion about using step-security/hardened-runner in GitHub
actions?
Thanks in advance
Jacques
--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant