Releases: step-security/harden-runner
v2.17.0
What's Changed
Policy Store Support
Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.
Full Changelog: v2.16.1...v2.17.0
v2.16.1
What's Changed
Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint
Full Changelog: v2.16.0...v2.16.1
v2.16.0
What's Changed
- Updated action.yml to use node24
- Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
- Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.
Full Changelog: v2.15.1...v2.16.0
v2.15.1
What's Changed
- Fixes #642 bug due to which post step was failing on Windows ARM runners
- Updates npm packages
Full Changelog: v2.15.0...v2.15.1
v2.15.0
What's Changed
Windows and macOS runner support
We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.
Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.
Full Changelog: v2.14.2...v2.15.0
v2.14.2
What's Changed
Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.
Full Changelog: v2.14.1...v2.14.2
v2.14.1
What's Changed
-
In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.
-
Fixed npm audit vulnerabilities
Full Changelog: v2.14.0...v2.14.1
v2.14.0
What's Changed
- Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
- Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.
Full Changelog: v2.13.3...v2.14.0
v2.13.3
What's Changed
- Fixed an issue where process events were not uploaded in certain edge cases.
Full Changelog: v2.13.2...v2.13.3
v2.13.2
What's Changed
- Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
- Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.
Full Changelog: v2.13.1...v2.13.2