
[StepSecurity] Apply security best practices#5000

Merged
mergify[bot] merged 4 commits into
GitTools:mainfrom
step-security-bot:chore/GHA-301112-stepsecurity-remediation
Jun 30, 2026

Conversation

@step-security-bot step-security-bot commented Jun 30, 2026


Summary

This pull request is created by StepSecurity at the request of @arturcic. Please merge the Pull Request to incorporate the requested changes. Please tag @arturcic on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access. See how popular open-source projects use Harden-Runner here.

Harden runner usage

You can find a link to view insights and policy recommendations in the build log.

Please refer to the documentation for more details.

Keeping your actions up to date with Dependabot

With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

Secure Dockerfiles

Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles.

Add Dependency Review Workflow

The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

Add OpenSSF Scorecard Workflow

OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.

Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.

Maintain Code Quality with Pre-Commit

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.

Feedback

For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io
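The PR body above describes remediations that a reviewer verifies by reading configuration: the workflow-level `permissions:` block for the GITHUB_TOKEN, `uses:` references that point at an immutable commit SHA rather than a movable tag, and Dockerfile `FROM` lines pinned to a digest. As an added illustration, not part of StepSecurity's tooling or of the GitTools repository, the stdlib-only Python script below lints a workflow file and a Dockerfile for exactly those three properties and reports the weak settings next to the hardened ones. The sample workflow text, the sample Dockerfiles, the 40-character SHA and the 64-character digest are all constructed placeholders, not values from this PR.

```python
"""Line-oriented checks for least-privilege GITHUB_TOKEN permissions,
SHA-pinned actions and digest-pinned Dockerfile images (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A full 40-hex commit SHA is the only immutable ref for a GitHub Action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only an unindented key is the workflow-level permissions block.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(.*?)\s*$")
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number; 0 for file-level findings
    rule: str
    detail: str


def check_workflow(text: str) -> list[Finding]:
    """Flag broad or missing workflow-level permissions and unpinned actions."""
    findings: list[Finding] = []
    has_top_permissions = False
    for n, line in enumerate(text.splitlines(), 1):
        m = TOP_PERMISSIONS_RE.match(line)
        if m:
            has_top_permissions = True
            value = m.group(1)
            if value in ("read-all", "write-all"):
                findings.append(Finding(n, "broad-permissions",
                    f"workflow-level 'permissions: {value}' grants every scope; "
                    "list only the scopes needed, e.g. 'contents: read'"))
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// images are not resolved by a GitHub tag.
        if ref.startswith(("./", "docker://")):
            continue
        action, _, version = ref.rpartition("@")
        if not action or not SHA_RE.match(version):
            findings.append(Finding(n, "unpinned-action",
                f"{ref}: a tag or branch can be moved; pin to a full commit SHA"))
    if not has_top_permissions:
        findings.append(Finding(0, "missing-permissions",
            "no workflow-level 'permissions:' key; the token gets the repository default"))
    return findings


def check_dockerfile(text: str) -> list[Finding]:
    """Flag FROM lines whose image is not pinned to a sha256 digest."""
    findings: list[Finding] = []
    stage_aliases: set[str] = set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # 'scratch' and references to earlier build stages have nothing to pin.
        if image.lower() != "scratch" and image.lower() not in stage_aliases:
            if not DIGEST_RE.search(image):
                findings.append(Finding(n, "unpinned-image",
                    f"{image}: tags are mutable; pin to '@sha256:<digest>'"))
        if alias:
            stage_aliases.add(alias.lower())
    return findings


# Constructed placeholders: not a real commit SHA or image digest.
PLACEHOLDER_SHA = "1" * 40
PLACEHOLDER_DIGEST = "c" * 64

# Constructed sample workflow: broad token scope and a tag-pinned action.
WORKFLOW_BEFORE = """\
name: ci
on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - run: dotnet build
"""

# Hardened form: workflow-level 'contents: read', job-level elevation, SHA pin.
WORKFLOW_AFTER = f"""\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v7.0.0
      - run: dotnet build
"""

DOCKERFILE_BEFORE = """\
FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
WORKDIR /src
FROM mcr.microsoft.com/dotnet/runtime:10.0
COPY --from=build /out /app
"""

DOCKERFILE_AFTER = f"""\
FROM mcr.microsoft.com/dotnet/sdk@sha256:{PLACEHOLDER_DIGEST} AS build
WORKDIR /src
FROM build
FROM mcr.microsoft.com/dotnet/runtime@sha256:{PLACEHOLDER_DIGEST}
COPY --from=build /out /app
"""

if __name__ == "__main__":
    for label, found in [
        ("workflow before", check_workflow(WORKFLOW_BEFORE)),
        ("workflow after", check_workflow(WORKFLOW_AFTER)),
        ("Dockerfile before", check_dockerfile(DOCKERFILE_BEFORE)),
        ("Dockerfile after", check_dockerfile(DOCKERFILE_AFTER)),
    ]:
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line}: [{f.rule}] {f.detail}")
```

The checks are deliberately line-based so they need no YAML parser and can run in a pre-commit hook; the trade-off is that only an unindented `permissions:` key is treated as workflow-level, which matches how the key is written in practice but would miss a flow-style document. `FROM` lines that name an earlier build stage are skipped, as are `scratch` and local `./` actions, since none of those resolve through a mutable registry tag.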


step-security-bot and others added 2 commits June 30, 2026 11:12
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
- scorecards.yml: replace workflow-level 'permissions: read-all' with
  least-privilege 'contents: read' (the analysis job already declares its
  own elevated permissions). Fixes the failing new_security_rating gate.
- dependabot.yml: collapse the expanded NuGet directory list (~35 project
  dirs) back to the 4 Central Package Management roots (/build, /new-cli,
  /src, /tests/integration) where Directory.Packages.props lives, and drop
  the spurious '/' github-actions directory.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@arturcic arturcic enabled auto-merge June 30, 2026 11:25
arturcic and others added 2 commits June 30, 2026 13:29
actions/checkout v4.3.1->v7.0.0, actions/upload-artifact v4.6.2->v7.0.1,
github/codeql-action/upload-sarif v3.36.2->v4.36.2 (matching init/analyze),
ossf/scorecard-action v2.4.0->v2.4.3, dependency-review-action v4.9.0->v5.0.0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Drop the redundant ':dev-10.0' tag and keep the immutable digest.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@arturcic arturcic marked this pull request as draft June 30, 2026 11:34
auto-merge was automatically disabled June 30, 2026 11:34

Pull request was converted to draft

@arturcic arturcic marked this pull request as ready for review June 30, 2026 11:41
mergify Bot commented Jun 30, 2026


Queued — the merge queue status continues in this comment ↓.

mergify Bot commented Jun 30, 2026


Merge Queue Status

  • Entered queue 2026-06-30 11:59 UTC · Rule: default · triggered by @arturcic with the merge queue checkbox
  • Checks skipped · PR is already up-to-date
  • Merged 2026-06-30 11:59 UTC · at 2e838669264bb4fac78dd43968dba7ad12355b95 · merge

This pull request spent 16 seconds in the queue, including 2 seconds running CI.

Required conditions to merge
  • github-review-approved [🛡 GitHub repository ruleset rule main branch rule]
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/DotNet Format
    • check-neutral = @github-actions/DotNet Format
    • check-skipped = @github-actions/DotNet Format
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Release
    • check-neutral = @github-actions/Release
    • check-skipped = @github-actions/Release
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Build & Test (new-cli)
    • check-neutral = @github-actions/Build & Test (new-cli)
    • check-skipped = @github-actions/Build & Test (new-cli)
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Build & Package / macos-26
    • check-neutral = @github-actions/Build & Package / macos-26
    • check-skipped = @github-actions/Build & Package / macos-26
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Build & Package / ubuntu-24.04
    • check-neutral = @github-actions/Build & Package / ubuntu-24.04
    • check-skipped = @github-actions/Build & Package / ubuntu-24.04
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Build & Package / windows-2025-vs2026
    • check-neutral = @github-actions/Build & Package / windows-2025-vs2026
    • check-skipped = @github-actions/Build & Package / windows-2025-vs2026
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / macos-26 - net10.0
    • check-neutral = @github-actions/Test / macos-26 - net10.0
    • check-skipped = @github-actions/Test / macos-26 - net10.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / macos-26 - net8.0
    • check-neutral = @github-actions/Test / macos-26 - net8.0
    • check-skipped = @github-actions/Test / macos-26 - net8.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / macos-26 - net9.0
    • check-neutral = @github-actions/Test / macos-26 - net9.0
    • check-skipped = @github-actions/Test / macos-26 - net9.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / ubuntu-24.04 - net10.0
    • check-neutral = @github-actions/Test / ubuntu-24.04 - net10.0
    • check-skipped = @github-actions/Test / ubuntu-24.04 - net10.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / ubuntu-24.04 - net8.0
    • check-neutral = @github-actions/Test / ubuntu-24.04 - net8.0
    • check-skipped = @github-actions/Test / ubuntu-24.04 - net8.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / ubuntu-24.04 - net9.0
    • check-neutral = @github-actions/Test / ubuntu-24.04 - net9.0
    • check-skipped = @github-actions/Test / ubuntu-24.04 - net9.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / windows-2025-vs2026 - net10.0
    • check-neutral = @github-actions/Test / windows-2025-vs2026 - net10.0
    • check-skipped = @github-actions/Test / windows-2025-vs2026 - net10.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / windows-2025-vs2026 - net8.0
    • check-neutral = @github-actions/Test / windows-2025-vs2026 - net8.0
    • check-skipped = @github-actions/Test / windows-2025-vs2026 - net8.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @github-actions/Test / windows-2025-vs2026 - net9.0
    • check-neutral = @github-actions/Test / windows-2025-vs2026 - net9.0
    • check-skipped = @github-actions/Test / windows-2025-vs2026 - net9.0
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-neutral = Mergify Merge Protections
    • check-skipped = Mergify Merge Protections
    • check-success = Mergify Merge Protections
  • any of [🛡 GitHub repository ruleset rule main branch rule]:
    • check-success = @sonarqubecloud/SonarCloud Code Analysis
    • check-neutral = @sonarqubecloud/SonarCloud Code Analysis
    • check-skipped = @sonarqubecloud/SonarCloud Code Analysis
@mergify mergify Bot added the queued label Jun 30, 2026
@mergify mergify Bot merged commit 29f23bb into GitTools:main Jun 30, 2026
125 checks passed
@mergify mergify Bot removed the queued label Jun 30, 2026
mergify Bot commented Jun 30, 2026


Thank you @step-security-bot for your contribution!

@arturcic arturcic added this to the 6.8.0 milestone Jun 30, 2026
@arturcic


🎉 This issue has been resolved in version 6.8.0 🎉
The release is available on:

Your GitReleaseManager bot 📦🚀
