Skip to content

chore(deps): update step-security/harden-runner action to v2.20.0#561

Merged
nullvariant merged 1 commit into
mainfrom
renovate/step-security-harden-runner-2.x
Jul 13, 2026
Merged

chore(deps): update step-security/harden-runner action to v2.20.0#561
nullvariant merged 1 commit into
mainfrom
renovate/step-security-harden-runner-2.x

Conversation

@renovate

@renovate renovate Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
step-security/harden-runner action minor v2.19.4v2.20.0

Release Notes

step-security/harden-runner (step-security/harden-runner)

v2.20.0

Compare Source

What's Changed
  • Support for block policy for MacOS and Windows GitHub-hosted runners
  • Support for Bitrise MacOS GitHub Actions runners
  • HTTPS monitoring support for Bun for Linux runners (enterprise tier)

Full Changelog: step-security/harden-runner@v2.19.4...v2.20.0


Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • "before 5am on wednesday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate labels Jul 7, 2026
@nullvariant-mimi

Copy link
Copy Markdown
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


バリデーターを通してくださいね

This report was carefully prepared by nullvariant-mimi[bot]

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/step-security/harden-runner bf7454d06d71f1098171f2acdf0cd4708d7b5920 🟢 7.9
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1013 out of 13 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1025 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities⚠️ 010 existing vulnerabilities detected
actions/step-security/harden-runner bf7454d06d71f1098171f2acdf0cd4708d7b5920 🟢 7.9
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1013 out of 13 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1025 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities⚠️ 010 existing vulnerabilities detected
actions/step-security/harden-runner bf7454d06d71f1098171f2acdf0cd4708d7b5920 🟢 7.9
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1013 out of 13 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1025 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities⚠️ 010 existing vulnerabilities detected
actions/step-security/harden-runner bf7454d06d71f1098171f2acdf0cd4708d7b5920 🟢 7.9
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1013 out of 13 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1025 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities⚠️ 010 existing vulnerabilities detected

Scanned Files

  • .github/workflows/ciel-bot.yml
  • .github/workflows/justice-bot.yml
  • .github/workflows/restyled.yml
  • .github/workflows/vex-update.yml

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

VEX Assessment: not_affected

This dependency update modifies devDependencies only.

  • Status: not_affected
  • Justification: vulnerable_code_not_in_execute_path
  • Impact: Zero production dependencies. No third-party code is included in the published VSIX.

Any CVEs in updated devDependencies do not affect end users. The VEX document will be automatically updated by the weekly VEX Auto-Update workflow.

🤖 Automated VEX assessment

@nullvariant-ciel

Copy link
Copy Markdown
Contributor

🕊️ Ciel's Mediation 💤

*~~ drifting lazily through still air ~~ The zoo is napping today...*

1 zoo member has reviewed this PR.

Zoo Member Status
🐰 Mimi Commented

😴 A quiet day at the zoo. Only one member peeked at this PR.


まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

@renovate
renovate Bot force-pushed the renovate/step-security-harden-runner-2.x branch from 4a3ae21 to cd6999c Compare July 9, 2026 02:19
@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@nullvariant
nullvariant merged commit 7efaa48 into main Jul 13, 2026
33 of 34 checks passed
@nullvariant
nullvariant deleted the renovate/step-security-harden-runner-2.x branch July 13, 2026 13:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file renovate

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant