
Conversation

@rjaegers rjaegers (Member) commented Jun 21, 2025

🚀 Hey, I have created a Pull Request

Description of changes

This PR enables disable-sudo and disable-sudo-and-containers where possible. And it enables the block policy on jobs that have a stable baseline.

Note

We are aware that step-security/harden-runner currently does not work on ARM runners and on jobs that themselves run in containers (via container:). We have purposely not excluded the step from those jobs, as support might come in the future.

✔️ Checklist

  • I have followed the contribution guidelines for this repository
  • I have added tests for new behavior, and have not broken any existing tests
  • I have added or updated relevant documentation
  • I have verified that all added components are accounted for in the SBOM
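The two harden-runner inputs this PR enables, and the block egress policy it turns on for jobs with a stable baseline, combine as in the following workflow. This is an added illustration, not one of the repository's own workflow files: the job names, the `run` commands and the two allowed endpoints are assumptions chosen for the example; the action pin is the v2.12.1 commit referenced in the review above. The first job needs no Docker, so it gets `disable-sudo-and-containers` plus a blocking egress policy; the second job builds a container image, so it keeps `disable-sudo` only and stays in audit mode until its outbound endpoints are known.

```yaml
# Added example (not from the PR): how the harden-runner inputs this PR enables
# are combined with the egress policy. Job names, commands and endpoints are
# illustrative assumptions; the action pin is the v2.12.1 SHA cited in the review.
name: hardened-runner-example

on:
  pull_request:
  push:
    branches: [main] # a push trigger lets harden-runner build a baseline on main

permissions:
  contents: read

jobs:
  # A job that never needs sudo or Docker: strongest settings.
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
        with:
          # Only switch to block once audit runs show a stable set of endpoints;
          # anything not listed below is refused at the network level.
          egress-policy: block
          allowed-endpoints: > # assumed endpoints for this example
            api.github.com:443
            github.com:443
          # Removes sudo for all later steps and also disables the Docker
          # daemon, so a compromised dependency cannot escalate or spawn containers.
          disable-sudo-and-containers: true
      - name: Show that privilege escalation is unavailable
        # 'sudo -n true' fails under disable-sudo; the step documents that outcome
        # instead of relying on it silently.
        run: |
          if sudo -n true 2>/dev/null; then
            echo "unexpected: sudo still works" && exit 1
          fi
          echo "sudo is disabled as intended"

  # A job that builds an image still needs Docker, so containers stay enabled
  # and only sudo is dropped; egress stays in audit mode until a baseline exists.
  build-image:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
        with:
          egress-policy: audit
          disable-sudo: true
      - name: Build image without root on the host
        run: docker build -t example/image:pr . # assumed build command
```

Note that `disable-sudo-and-containers` is a superset of `disable-sudo`: pick it for every job that does not invoke Docker, and fall back to `disable-sudo` only where the job itself builds or runs containers, which is the split this PR applies across the workflow files.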

Copilot AI review requested due to automatic review settings June 21, 2025 17:26
@rjaegers rjaegers requested a review from a team as a code owner June 21, 2025 17:26
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR hardens the GitHub Actions runners by enabling additional harden-runner flags across all CI workflows.

  • Adds disable-sudo or disable-sudo-and-containers flags to the step-security/harden-runner step in each workflow
  • Introduces a push trigger for the linting/formatting workflow to establish a baseline on main

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.

Summary per file

| File | Description |
|---|---|
| .github/workflows/wc-integration-test.yml | Enable disable-sudo on the harden-runner step |
| .github/workflows/wc-build-push.yml | Enable disable-sudo on the harden-runner step |
| .github/workflows/wc-build-push-test.yml | Enable disable-sudo-and-containers on one job and disable-sudo on another |
| .github/workflows/wc-acceptance-test.yml | Enable disable-sudo-and-containers on the harden-runner step |
| .github/workflows/social-interaction.yml | Enable disable-sudo-and-containers on the harden-runner step |
| .github/workflows/release-published.yml | Enable disable-sudo-and-containers on the harden-runner step |
| .github/workflows/release-please.yml | Enable disable-sudo-and-containers on the harden-runner step |
| .github/workflows/release-build.yml | Enable disable-sudo-and-containers on both harden-runner jobs |
| .github/workflows/pr-report.yml | Enable disable-sudo-and-containers on the harden-runner step |
| .github/workflows/pr-image-cleanup.yml | Enable disable-sudo-and-containers on both harden-runner jobs |
| .github/workflows/pr-conventional-title.yml | Enable disable-sudo-and-containers on the harden-runner step |
| .github/workflows/ossf-scorecard.yml | Enable disable-sudo on the harden-runner step |
| .github/workflows/linting-formatting.yml | Enable disable-sudo on the harden-runner step and add push trigger for main |
| .github/workflows/issue-creation-tool-versions.yml | Enable disable-sudo-and-containers on the harden-runner step |
| .github/workflows/issue-cleanup.yml | Enable disable-sudo-and-containers on the harden-runner step |

Comments suppressed due to low confidence (4)

.github/workflows/wc-build-push-test.yml:40

  • The disable-sudo-and-containers input requires harden-runner v2.12.1 or later. Consider updating the action reference here to 002fdce3c6a235733a90a27c80493a3241e56863 (v2.12.1) to ensure the flag is supported.
      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0

.github/workflows/linting-formatting.yml:7

  • [nitpick] This adds a push trigger for main to establish a baseline, but there’s no filtering on paths. If unintended workflows run on every push to main, consider specifying paths or clarifying in docs.
  push:

.github/workflows/wc-integration-test.yml:29

  • [nitpick] Across workflows you mix disable-sudo and disable-sudo-and-containers. Verify and standardize which flag is needed per job, and document the rationale to keep consistency.
          disable-sudo: true

.github/workflows/wc-integration-test.yml:27

  • The harden-runner configuration is duplicated in every workflow. Consider creating a reusable composite action or using YAML anchors to DRY this step and simplify future updates.
      - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1

github-actions bot (Contributor) commented Jun 21, 2025

🦙 MegaLinter status: ⚠️ WARNING

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 18 | | 0 | 0 | 0.51s |
| ✅ DOCKERFILE | hadolint | 2 | | 0 | 0 | 0.81s |
| ✅ GHERKIN | gherkin-lint | 2 | | 0 | 0 | 1.18s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.52s |
| ✅ JSON | prettier | 16 | 1 | 0 | 0 | 0.57s |
| ✅ JSON | v8r | 16 | | 0 | 0 | 6.86s |
| ✅ MARKDOWN | markdownlint | 9 | 0 | 0 | 0 | 0.89s |
| ✅ MARKDOWN | markdown-table-formatter | 9 | 0 | 0 | 0 | 0.3s |
| ✅ REPOSITORY | checkov | yes | | no | no | 17.25s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.41s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ⚠️ REPOSITORY | grype | yes | | no | 2 | 24.0s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.95s |
| ✅ REPOSITORY | syft | yes | | no | no | 1.9s |
| ✅ REPOSITORY | trivy | yes | | no | no | 6.91s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.23s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 3.39s |
| ✅ SPELL | lychee | 63 | | 0 | 0 | 1.77s |
| ✅ YAML | prettier | 24 | 0 | 0 | 0 | 1.05s |
| ✅ YAML | v8r | 24 | | 0 | 0 | 6.8s |
| ✅ YAML | yamllint | 24 | | 0 | 0 | 0.82s |

See detailed report in MegaLinter reports

MegaLinter is graciously provided by OX Security

github-actions bot (Contributor) commented Jun 21, 2025

📦 Container Size Analysis

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edge to ghcr.io/philips-software/amp-devcontainer-rust:pr-835

📈 Size Comparison Table

| OS/Platform | Previous Size | Current Size | Change | Trend |
|---|---|---|---|---|
| linux/amd64 | 489.22M | 489.22M | 0.00 (+0.00%) | 🔄 |
| linux/arm64 | 441.18M | 441.18M | 0.00 (+0.00%) | 🔄 |

github-actions bot (Contributor) commented Jun 21, 2025

📦 Container Size Analysis

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edge to ghcr.io/philips-software/amp-devcontainer-cpp:pr-835

📈 Size Comparison Table

| OS/Platform | Previous Size | Current Size | Change | Trend |
|---|---|---|---|---|
| linux/amd64 | 673.46M | 673.46M | 0.00 (+0.00%) | 🔄 |
| linux/arm64 | 656.60M | 656.60M | 0.00 (+0.00%) | 🔄 |

github-actions bot (Contributor) commented Jun 21, 2025

Test Results

 4 files  ±0   4 suites  ±0   2m 24s ⏱️ -4s
30 tests ±0  30 ✅ ±0  0 💤 ±0  0 ❌ ±0 
64 runs  ±0  64 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 354367c. ± Comparison against base commit 62a2660.

♻️ This comment has been updated with latest results.

@rjaegers rjaegers enabled auto-merge (squash) June 26, 2025 18:06
@rjaegers rjaegers merged commit 83be774 into main Jun 26, 2025
34 checks passed
@rjaegers rjaegers deleted the feature/enable-more-harden-runner-features branch June 26, 2025 18:17
github-actions bot (Contributor) commented

Pull Request Report (#835)

Static measures

| Description | Value |
|---|---|
| Number of added lines | 30 |
| Number of deleted lines | 2 |
| Number of changed files | 15 |
| Number of commits | 4 |
| Number of reviews | 2 |
| Number of comments (w/o review comments) | 5 |
| Number of reviews that contain a comment to resolve | 1 |
| Number of reviews that requested a change from the author | 0 |
| Number of reviews that approved the Pull Request | 1 |
| Total number of participants of the Pull Request | 5 |

Time related measures

| Description | Value |
|---|---|
| PR lead time (from creation to close of PR) | 5 Days |
| Time spent on the branch before the PR was created | 58 Sec |
| Time spent on the branch before the PR was merged | 5 Days |
| Time to merge after last review | 2.4 Days |

Status check related measures

| Description | Value |
|---|---|
| Total runtime for last status check run (Workflow for PR) | 29.2 Min |
| Total time spent in last status check run on PR | 10.7 Min |

github-actions bot (Contributor) commented

🎉 Hooray! The changes in this pull request went live with the release of v6.2.0 🎉
