Commit c5708d8
chore: remove step-security/harden-runner from workflows (#246)
## Description
Removed `step-security/harden-runner` action from all extension CI/CD
workflows. The action was configured with `egress-policy: audit` which
only monitored network activity without blocking anything, providing no
security enforcement value.
- chore(workflows): removed harden-runner from `extension-package.yml`
(1 instance in package job)
- chore(workflows): removed harden-runner from `extension-publish.yml`
(3 instances across prepare-changelog, normalize-version, publish jobs)
- chore(workflows): removed harden-runner from
`extension-publish-prerelease.yml` (3 instances across validate-version,
package, publish jobs)
### Additional Changes: Shell Improvements
While fixing CI lint failures caused by actionlint's shellcheck
integration, the following improvements were made to
`extension-publish.yml` and `extension-publish-prerelease.yml`:
| Issue | Fix | Rationale |
|-------|-----|-----------|
| SC2012 (`ls` parsing) | Replaced `ls -t *.vsix \| head -1` with `find -printf` + `sort` | Robust file discovery that handles filenames with spaces/special characters |
| SC2086 (unquoted vars) | Quoted `$GITHUB_OUTPUT` references | Prevents word splitting on environment variable paths |
| SC2129 (multiple redirects) | Grouped `echo` commands with `{ ...; } >> file` | Atomic write pattern, reduces file handle operations |
**Portability note**: The `find -printf` syntax is GNU-specific and
works on `ubuntu-latest` runners. These workflows are pinned to Ubuntu
and have no macOS runner requirements.
**Convention note**: The grouped redirect pattern differs from
individual `echo >> file` lines used elsewhere. This pattern is
intentional for atomic writes and is acceptable as a localized
improvement within these specific workflows.
## Related Issue(s)
Closes #226
## Type of Change
Select all that apply:
**Code & Documentation:**
- [ ] Bug fix (non-breaking change fixing an issue)
- [ ] New feature (non-breaking change adding functionality)
- [ ] Breaking change (fix or feature causing existing functionality to
change)
- [ ] Documentation update
**Infrastructure & Configuration:**
- [x] GitHub Actions workflow
- [ ] Linting configuration (markdown, PowerShell, etc.)
- [ ] Security configuration
- [ ] DevContainer configuration
- [ ] Dependency update
**AI Artifacts:**
- [ ] Reviewed contribution with `prompt-builder` agent and addressed
all feedback
- [ ] Copilot instructions (`.github/instructions/*.instructions.md`)
- [ ] Copilot prompt (`.github/prompts/*.prompt.md`)
- [ ] Copilot agent (`.github/agents/*.agent.md`)
> **Note for AI Artifact Contributors**:
>
> - **Agents**: Research, indexing/referencing other projects (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review `.github/agents/` before creating new ones.
> - **Model Versions**: Only contributions targeting the **latest Anthropic and OpenAI models** will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
> - See [Agents Not Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and [Model Version Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements).
**Other:**
- [ ] Script/automation (`.ps1`, `.sh`, `.py`)
- [ ] Other (please describe):
## Sample Prompts (for AI Artifact Contributions)
## Testing
- Verified all 7 harden-runner step blocks removed across 3 workflow
files
- Confirmed no remaining `step-security` or `harden-runner` references
in `.github/workflows/` via Select-String
- All 253 Pester tests pass with 0 failures
- Local actionlint validation passes with exit code 0
## Checklist
### Required Checks
- [x] Documentation is updated (if applicable)
- [x] Files follow existing naming conventions
- [x] Changes are backwards compatible (if applicable)
### AI Artifact Contributions
### Required Automated Checks
The following validation commands must pass before merging:
- [ ] Markdown linting: `npm run lint:md`
- [ ] Spell checking: `npm run spell-check`
- [ ] Frontmatter validation: `npm run lint:frontmatter`
- [ ] Link validation: `npm run lint:md-links`
- [ ] PowerShell analysis: `npm run lint:ps`
## Security Considerations
- [x] This PR does not contain any sensitive or NDA information
- [x] Any new dependencies have been reviewed for security issues
- [x] Security-related scripts follow the principle of least privilege
This change removes a monitoring-only security tool. No security
regression occurs because:
- `egress-policy: audit` only logged network activity without blocking
- All other security measures remain intact (SHA-pinned actions, OIDC
publishing, minimal permissions)
## Additional Notes
Total: 3 files changed, 35 deletions (7 harden-runner blocks removed,
each was a 5-line YAML step)
🧹 - Generated by Copilot

1 parent: 4a41c16 · commit: c5708d8
3 files changed
Lines changed: 26 additions & 57 deletions
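The three shellcheck-driven patterns from the "Shell Improvements" table, as an added runnable example (my code, not the project's workflow steps). It assumes GNU `find` for `-printf`, as the portability note says holds on `ubuntu-latest`; the function names `newest_vsix` and `write_outputs`, the temp directory standing in for `$GITHUB_OUTPUT`, and the sample `.vsix` files are all constructed for the example. The grouped redirect opens the output file once instead of once per `echo`; it is a single append, not an all-or-nothing write.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code: the three shellcheck-driven
# patterns from the commit description, as runnable functions. Function and
# file names here are my own; GNU find (-printf) is assumed, as on ubuntu-latest.
set -euo pipefail

# newest_vsix DIR: print the path of the most recently modified *.vsix directly
# under DIR. Replaces `ls -t *.vsix | head -1` (SC2012): find emits
# "<mtime-epoch>\t<path>", sort orders newest first, cut drops the timestamp.
# A tab separator keeps spaces in filenames intact; a newline inside a
# filename would still break this line-oriented pipeline. With no match the
# function prints nothing and exits 0, where an unquoted `ls *.vsix` would
# have been handed the literal glob.
newest_vsix() {
  local dir="$1"
  find "$dir" -maxdepth 1 -type f -name '*.vsix' -printf '%T@\t%p\n' \
    | sort -nr \
    | head -n 1 \
    | cut -f2-
}

# write_outputs FILE VSIX_PATH VERSION: append step outputs in the key=value
# form GitHub Actions reads from $GITHUB_OUTPUT. The file path is quoted
# (SC2086) and the echoes are grouped so the file is opened once (SC2129);
# this is one open/append, not an atomic all-or-nothing write.
write_outputs() {
  local out_file="$1" vsix_path="$2" version="$3"
  {
    echo "vsix-path=$vsix_path"
    echo "version=$version"
  } >> "$out_file"
}

# demo: constructed sample input (two .vsix files with spaces in their names
# and a newer non-.vsix file) in a temp dir that stands in for $GITHUB_OUTPUT.
demo() {
  local tmp picked
  tmp="$(mktemp -d)"
  touch -t 202401010000 "$tmp/old extension-1.0.0.vsix"
  touch -t 202406011200 "$tmp/my extension-1.1.0.vsix"
  touch -t 202412311200 "$tmp/release notes.txt"   # newest, but not a .vsix
  picked="$(newest_vsix "$tmp")"
  write_outputs "$tmp/github_output" "$picked" "1.1.0"
  cat "$tmp/github_output"   # vsix-path=<tmp>/my extension-1.1.0.vsix, then version=1.1.0
  rm -rf "$tmp"
}

demo
```

Run it with `bash` on a runner or workstation with GNU findutils; on macOS or BSD `find` the `-printf` call fails, which is the portability caveat the commit description notes.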
File tree
- .github/workflows (3 files)

[Diff tables not captured in this extract: the three per-file tables contain only original/new line numbers and `+`/`-` markers, with no changed text. Recoverable shape: file 1 has a single 5-line removal (the one harden-runner step); files 2 and 3 each have three 5-line removals (the three harden-runner steps apiece), a few single-line replacements (the `$GITHUB_OUTPUT` quoting), and one multi-line block replaced by a slightly longer one (the `find`/`sort` and grouped-redirect rewrites). The per-table counts sum to the 26 additions and 57 deletions reported above.]