From 6a650c2251f7eb606ed2d7c5ccf5d60567648899 Mon Sep 17 00:00:00 2001
From: Circle TechOps Repo Updater
Date: Tue, 9 Dec 2025 23:11:35 +0000
Subject: [PATCH] chore(stepsecurity): update workflows to use custom hosted runners with built-in StepSecurity
---
.github/workflows/actions-lint.yaml | 10 +---------
.github/workflows/attach-release-assets.yaml | 10 +---------
.../conventional-commit-release.yaml | 20 ++-----------------
.github/workflows/pr-scan.yaml | 8 --------
4 files changed, 4 insertions(+), 44 deletions(-)
diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml
index 4642579..8455b96 100644
--- a/.github/workflows/actions-lint.yaml
+++ b/.github/workflows/actions-lint.yaml
@@ -21,17 +21,9 @@ on:
jobs:
lint_validate_actions:
- runs-on: ubuntu-latest
- permissions:
- id-token: write
+ runs-on: github-hosted-small
steps:
- - name: Harden the runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
- with:
- egress-policy: block
- policy: global-allowed-endpoints-policy
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- name: Checkout Actoinlint Configs
diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml
index 2e3f29d..1c10ee5 100644
--- a/.github/workflows/attach-release-assets.yaml
+++ b/.github/workflows/attach-release-assets.yaml
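Review bot: Deleting the job-level `permissions:` block on `lint_validate_actions` does more than drop `id-token: write`: a job-level block also forces every unlisted scope to none, so after this hunk the job's GITHUB_TOKEN falls back to the workflow-level or repository-default permissions, which are not visible here and are usually broader. A lint job that only runs `actions/checkout` needs nothing beyond read access, so I would replace the deleted block with `permissions:` / `contents: read` directly under `runs-on: github-hosted-small` instead of removing it outright. The egress controls this workflow used to state in-repo (`egress-policy: block`, `global-allowed-endpoints-policy`) now exist only in whatever the `github-hosted-small` image enforces, which nothing in this file can pin or verify; a short comment on the `runs-on` line naming the runner configuration that applies the policy would keep the control auditable from the workflow itself.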
@@ -62,18 +62,10 @@ permissions:
jobs:
release_attach_assets:
- runs-on: ubuntu-latest
+ runs-on: github-hosted-small
if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
- permissions:
- id-token: write
steps:
- - name: Harden the runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
- with:
- egress-policy: block
- policy: global-allowed-endpoints-policy
- - name: Download all build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
if: inputs.artifact_file_globs != ''
diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml
index ccbc2d2..b16db41 100644
--- a/.github/workflows/conventional-commit-release.yaml
+++ b/.github/workflows/conventional-commit-release.yaml
@@ -108,17 +108,9 @@ jobs:
commit-lint:
name: PR Title and Commits Lint
if: github.event_name == 'pull_request'
- runs-on: ubuntu-latest
- permissions:
- id-token: write
+ runs-on: github-hosted-small
steps:
- - name: Harden the runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
- with:
- egress-policy: block
- policy: global-allowed-endpoints-policy
- - name: Calculate Fetch Depth
if: inputs.lint_commits
id: fetch-depth
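Review bot: With its job-level `permissions:` gone, `release_attach_assets` now inherits the workflow-level `permissions:` that the hunk header shows exists but whose contents are outside this hunk; since this is the job that writes release assets, its token grant should be stated at the job itself, e.g. `permissions:` / `contents: write` under `runs-on: github-hosted-small`, so a later edit to the top-level block cannot silently widen what this job can do. Whether the upload uses GITHUB_TOKEN or a separate secret is not visible here, so adjust the scope to match. The removed `harden-runner` step was also the only in-repo statement of the egress policy; if the `github-hosted-small` image enforces the same `global-allowed-endpoints-policy`, a comment on the `runs-on` line naming it preserves the audit trail, and if it does not, artifact download and asset upload now run with unfiltered egress.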
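Review bot: `commit-lint` is gated on `pull_request` (the `if:` context line) and now targets the custom `github-hosted-small` label, but nothing in this diff shows whether that label maps to ephemeral per-job VMs or to a persistent runner pool. If it is a persistent pool, PR-triggered jobs — including ones from forks on a public repository — would execute on shared infrastructure, which GitHub advises against for self-hosted runners; please confirm the runner is ephemeral and record it, e.g. `runs-on: github-hosted-small # ephemeral hosted runner; egress policy enforced by the runner image`. Dropping the job-level `permissions:` block also removes the implicit none on every other scope, so for a lint job I would add `permissions:` / `contents: read` / `pull-requests: read` at the job rather than rely on the workflow-level default.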
@@ -196,23 +188,15 @@ jobs:
release:
if: github.event_name == 'push' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
name: Release Please
- runs-on: ubuntu-latest
+ runs-on: github-hosted-small
outputs:
release_created: ${{ steps.release.outputs.release_created }}
release_tag: ${{ steps.release.outputs.tag_name }}
additional_tags: ${{ steps.additional_tags.outputs.tags }}
major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }}
major_tag: ${{ steps.additional_tags.outputs.major_tag }}
- permissions:
- id-token: write
steps:
- - name: Harden the runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
- with:
- egress-policy: block
- policy: global-allowed-endpoints-policy
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- name: Merge default and user input changelog types
diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml
index 2509f19..89d7066 100644
--- a/.github/workflows/pr-scan.yaml
+++ b/.github/workflows/pr-scan.yaml
@@ -43,16 +43,8 @@ on:
jobs:
scan:
runs-on: ${{ inputs.runs-on }}
- permissions:
- id-token: write
steps:
- - name: Harden the runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
- with:
- egress-policy: block
- policy: global-allowed-endpoints-policy
- - name: Setup
shell: bash
run: |-
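Review bot: The `release` job loses its only job-level `permissions:` entry, so the scopes of the token it uses to create tags and releases are now defined entirely by the workflow-level block outside this hunk, or by the repository default if there is none. Because this is the publishing job, I would state its grant explicitly at the job, e.g. `permissions:` / `contents: write` / `pull-requests: write` (trimmed to what the `release` step actually needs, which is not visible here), so a review of this file alone shows what the release job can do. The SHA-pinned `harden-runner` step was also the one egress control that the repo's own action linting could verify; the `github-hosted-small` label carries no version or policy reference, so consider documenting on the `runs-on` line which egress policy the runner image applies and where it is maintained.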
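Review bot: In `pr-scan.yaml` the runner is still `runs-on: ${{ inputs.runs-on }}`, so unlike the other workflows in this patch the egress control is no longer guaranteed by this file: the deleted `harden-runner` step applied `egress-policy: block` on whatever runner the caller chose, whereas the replacement exists only if the caller happens to pass a StepSecurity-enabled label such as `github-hosted-small`. A caller that passes `ubuntu-latest` now gets a scan job with unrestricted egress and no warning. Either constrain the input where it is declared (outside this hunk) — default it to `github-hosted-small` and document that the label must carry the built-in StepSecurity agent — or keep the `harden-runner` step in this workflow as the portable fallback. The job-level `permissions:` removal also widens the token to the workflow or repository default; a scan job should carry an explicit `permissions:` / `contents: read` of its own.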