[StepSecurity] Apply security best practices #1
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 1983747. Configure here.
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | ||
| with: | ||
| use-policy-store: true | ||
| api-key: ${{ secrets.STEP_SECURITY_API_KEY }} |
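Review bot: The api-key line takes its value from secrets.STEP_SECURITY_API_KEY, and that expression expands to an empty string in any run where the secret is not available; nothing in these lines handles that case. Besides fork pull requests, Dependabot-triggered runs do not receive regular Actions secrets either. Before merging, confirm how the step behaves with use-policy-store: true and an empty key, and either define the secret for Dependabot as well or give untrusted triggers a configuration that needs no key.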
Harden-runner may break CI for fork pull requests
Medium Severity
Several workflows (like api-surface-area-review-verification.yml, changelog-verification.yml, new-module-verification.yml, codeql.yml) trigger on pull_request and previously required no secrets. The newly added harden-runner step uses use-policy-store: true with api-key: ${{ secrets.STEP_SECURITY_API_KEY }}, but GitHub Actions does not provide secrets for pull_request events from forks. The harden-runner docs state the API key is "required when use-policy-store is set to true," so this step may fail with an empty key, breaking CI for all external contributors to this public open-source project.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit 1983747. Configure here.
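The condition raised in the comment above can be checked across a repository's workflows before merging. This is an added example, not code from the PR or from StepSecurity: a Python scan that flags secrets references in workflows triggered by pull_request. The workflow text is constructed, the names sample, trigger_block and fork_pr_secret_refs are hypothetical, and it matches line by line rather than parsing YAML.

```python
import re

ON_KEY = re.compile(r"^[\"']?on[\"']?\s*:")
SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
COMMENT = re.compile(r"(^|\s)#.*$")  # YAML comment up to end of line

# Constructed workflow (not a file from the PR); @ON@ is replaced by a trigger.
TEMPLATE = """name: sample
@ON@
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
        with:
          use-policy-store: true
          api-key: ${{ secrets.STEP_SECURITY_API_KEY }}
      - run: gh pr view
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

def sample(trigger):
    """Build the constructed workflow with the given top-level `on:` text."""
    return TEMPLATE.replace("@ON@", trigger)

def trigger_block(text):
    """Return the top-level `on:` key with its inline value or nested block."""
    out, inside = [], False
    for line in text.splitlines():
        if ON_KEY.match(line):
            inside = True
        elif inside and line.strip() and not line[0].isspace() and line[0] != "#":
            break  # the next top-level key ends the block
        if inside:
            out.append(COMMENT.sub("", line))
    return "\n".join(out)

def fork_pr_secret_refs(text):
    """(line, secret) pairs that are empty when a fork opens a pull request."""
    # "_" is a word character, so \b keeps pull_request_target from matching.
    if not re.search(r"\bpull_request\b", trigger_block(text)):
        return []
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name in SECRET_REF.findall(COMMENT.sub("", line)):
            if name != "GITHUB_TOKEN":  # still provided to fork runs, read-only
                hits.append((lineno, name))
    return hits

if __name__ == "__main__":
    for trig in ("on: [push, pull_request]", "on:\n  schedule:\n    - cron: '0 3 * * *'"):
        print(repr(trig), fork_pr_secret_refs(sample(trig)))
```
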


Summary
This pull request has been generated by StepSecurity as part of your enterprise subscription to ensure compliance with recommended security best practices. Please review and merge the pull request to apply these security enhancements.
Security Fixes
Harden Runner
Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.
Feedback
For bug reports, feature requests, and general feedback, please create an issue in step-security/secure-repo or contact us via our website.
Note
Medium Risk
Touches many GitHub Actions workflows by adding a new third-party step-security/harden-runner step that depends on STEP_SECURITY_API_KEY; misconfiguration or secret availability could cause CI/automation failures.
Overview
Adds a new “Harden the runner” step (pinned step-security/harden-runner@v2.19.1) to a broad set of GitHub Actions workflows (CI builds/tests, CodeQL, and repo automation like stale issues/labeling) and configures it to use the StepSecurity policy store via STEP_SECURITY_API_KEY.
No application code changes; this is an infrastructure/security update that runs before existing workflow steps.
Reviewed by Cursor Bugbot for commit 1983747. Bugbot is set up for automated code reviews on this repo. Configure here.