Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.
Automated Incident Response for Supply Chain Attacks
Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).
Bug Fixes
Windows and macOS: stability and reliability fixes
This is a routine dependency update by Renovate, bumping step-security/harden-runner from v2.18.0 to v2.19.0.
Changes:
.github/actions/claude-code-review/action.yml: SHA pinned ref updated to 8d3c67de8e2fe68ef647c8db1e6a09f647780f40
.github/workflows/claude.yml: SHA pinned ref updated to 8d3c67de8e2fe68ef647c8db1e6a09f647780f40
Assessment: Approve
The changes are correct and follow best practices:
SHA pinning is preserved — both files use full commit SHA pinning with a version comment (e.g., # v2.19.0), which is the recommended security practice for GitHub Actions. The SHA 8d3c67de8e2fe68ef647c8db1e6a09f647780f40 matches the new release.
Consistent update — both occurrences of the action are updated to the same SHA, so there's no version skew.
Valuable security improvements in v2.19.0:
Global block list: outbound connections to known malicious domains/IPs are blocked even in audit mode
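The pinning properties the review above checks by eye (full commit SHA, version comment, same ref in every file) can also be checked mechanically. The following is an added example, not code from this PR or from the harden-runner project: the `audit` function, the file contents and the all-zero SHA are constructed for illustration, and only the v2.19.0 SHA is taken from the page.

```python
import re
from collections import defaultdict

# `uses: owner/repo[/path]@ref`, optionally followed by `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>\S.*))?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"v?\d+(\.\d+){0,2}\b")

def audit(files):
    """files maps path -> YAML text; returns (path, line, action, problem) tuples."""
    findings, refs = [], defaultdict(set)
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m:  # local (./...) and docker:// references are skipped
                continue
            action, ref, comment = m["action"], m["ref"], m["comment"]
            refs[action].add(ref)
            if not FULL_SHA_RE.fullmatch(ref):
                findings.append((path, lineno, action, "not pinned to a full commit SHA"))
            elif not (comment and VERSION_RE.match(comment)):
                findings.append((path, lineno, action, "SHA pin has no version comment"))
    for action, seen in refs.items():
        if len(seen) > 1:  # the same action resolved to different refs
            findings.append(("*", 0, action, f"version skew: {len(seen)} different refs"))
    return findings

PIN = "step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0"
# Constructed file contents shaped like the two files this PR touches.
GOOD = {
    ".github/actions/claude-code-review/action.yml":
        f"runs:\n  using: composite\n  steps:\n    - uses: {PIN}\n",
    ".github/workflows/claude.yml":
        f"jobs:\n  review:\n    steps:\n      - uses: {PIN}\n"
        "      - uses: ./.github/actions/claude-code-review\n",
}
# Constructed counter-example: a mutable tag, and a placeholder SHA without a comment.
BAD = {
    "a.yml": "steps:\n  - uses: step-security/harden-runner@v2\n",
    "b.yml": "steps:\n  - uses: step-security/harden-runner@" + "0" * 40 + "\n",
}

if __name__ == "__main__":
    print(audit(GOOD))
    for finding in audit(BAD):
        print(finding)
```

The version comment is only checked for presence; confirming that the SHA really is the tagged release commit requires a lookup against the action's repository.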
This PR contains the following updates:
v2.18.0 → v2.19.0
Release Notes
step-security/harden-runner (step-security/harden-runner)
v2.19.0 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.