Skip to content

[CHORE](deps)(deps): Bump step-security/harden-runner from 2.12.0 to 2.15.0#74

Merged
John Mertic (jmertic) merged 1 commit intomainfrom
dependabot/github_actions/step-security/harden-runner-2.15.0
Mar 4, 2026
Merged

[CHORE](deps)(deps): Bump step-security/harden-runner from 2.12.0 to 2.15.0#74
John Mertic (jmertic) merged 1 commit intomainfrom
dependabot/github_actions/step-security/harden-runner-2.15.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 4, 2026

Bumps step-security/harden-runner from 2.12.0 to 2.15.0.

Release notes

Sourced from step-security/harden-runner's releases.

v2.15.0

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

What's Changed

  1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

  2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

What's Changed

  • Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
  • Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

What's Changed

  • Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

What's Changed

  • Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
  • Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

v2.13.1

... (truncated)

Commits
  • a90bcbc Update readme (#637)
  • f0a59d8 Release v2.15.0 (#639)
  • 5ef0c07 Merge pull request #635 from step-security/rc-34
  • eb43c7b update agent
  • e3f713f Merge pull request #631 from step-security/rc-31
  • 423acdd chore: fix npm audit vulnerabilities
  • 0ddb86c update agent
  • 20cf305 Merge pull request #622 from step-security/feature/custom-property-skip
  • c51e8ee feat: skip agent install and post step on subsequent runs for GitHub-hosted r...
  • e152b90 feat: skip harden-runner based on repository custom property
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
[CHORE](deps)(deps): Bump step-security/harden-runner
e279b65 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.12.0 to 2.15.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@0634a26...a90bcbc)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 4, 2026

Labels

The following labels could not be found: bot. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@jmertic John Mertic (jmertic) merged commit 8c86855 into main Mar 4, 2026
2 of 3 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/step-security/harden-runner-2.15.0 branch March 4, 2026 13:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dwoolflf David Woolf (dwoolflf) Awaiting requested review from dwoolflf dwoolflf is a code owner

@jmertic John Mertic (jmertic) Awaiting requested review from jmertic jmertic is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jmertic