
feat(security): block mode for hardened runners#274

Merged
jfagoagas merged 1 commit into main from enable-block-hardened-runner on Mar 26, 2026

Conversation

@jfagoagas
Member

Description

Enable block mode for StepSecurity hardened runners.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@jfagoagas jfagoagas requested a review from a team as a code owner March 26, 2026 08:05
Copilot AI review requested due to automatic review settings March 26, 2026 08:05

Copilot AI left a comment


Pull request overview

Enables StepSecurity harden-runner egress block mode (with an allowlist) for CI jobs, to prevent unexpected outbound network access from GitHub-hosted runners.

Changes:

  • Switch harden-runner from egress-policy: audit to egress-policy: block in the PR lint/test workflow.
  • Switch harden-runner from egress-policy: audit to egress-policy: block for the zizmor PR job and add an allowlist of required endpoints.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
.github/workflows/zizmor.yml | Enables harden-runner block mode + allowlisted endpoints for the PR zizmor job.
.github/workflows/pull-request.yml | Enables harden-runner block mode + allowlisted endpoints for the PR lint/test pipeline.

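The change the review describes, shown as an added illustration rather than the PR's own workflow file: the harden-runner step in audit mode beside the block-mode form with an allowlist. The PR does not list its allowed endpoints, so the hosts below are assumed examples.

```yaml
# Added example, not taken from this PR's workflows.
# Before: audit mode records outbound connections but blocks nothing.
- name: Harden runner (audit)
  uses: step-security/harden-runner@v2
  with:
    egress-policy: audit

# After: block mode denies any outbound connection not in the allowlist.
# Hosts listed here are assumed typical endpoints, not the PR's real list.
- name: Harden runner (block)
  uses: step-security/harden-runner@v2
  with:
    egress-policy: block
    allowed-endpoints: >
      github.com:443
      api.github.com:443
      objects.githubusercontent.com:443
```

Running a job in audit mode first shows which hosts it actually contacts, so the allowlist for block mode can be derived from observed traffic rather than guessed.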

@jfagoagas jfagoagas force-pushed the enable-block-hardened-runner branch from 64f385d to ca16659 Compare March 26, 2026 08:08
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.02%. Comparing base (8cb29f9) to head (ca16659).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #274   +/-   ##
=======================================
  Coverage   97.02%   97.02%           
=======================================
  Files          64       64           
  Lines        1043     1043           
=======================================
  Hits         1012     1012           
  Misses         31       31           


@jfagoagas jfagoagas merged commit 0ef6927 into main Mar 26, 2026
11 checks passed
@jfagoagas jfagoagas deleted the enable-block-hardened-runner branch March 26, 2026 09:09