From c50fb58760e4c28d5708cf53b613271804466a84 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Wed, 1 Apr 2026 11:09:57 +0200
Subject: [PATCH 1/3] chore: update actions and force Node.js 24 for node20 actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Update step-security/harden-runner v2.16.0 → v2.16.1 (all workflows)
- Add FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true for gitleaks-action and dependency-review-action (both still ship node20, no newer release available — upstream tracking in #3)
---
 .github/workflows/auto-merge-deps.yml | 2 +-
 .github/workflows/build-go-attest.yml | 2 +-
 .github/workflows/ci.yml | 6 +++---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/dependency-review.yml | 4 +++-
 .github/workflows/gitleaks.yml | 3 ++-
 .github/workflows/greetings.yml | 2 +-
 .github/workflows/labeler.yml | 2 +-
 .github/workflows/lock.yml | 2 +-
 .github/workflows/node-audit.yml | 2 +-
 .github/workflows/pr-quality.yml | 4 ++--
 .github/workflows/scorecard.yml | 2 +-
 .github/workflows/stale.yml | 2 +-
 13 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/auto-merge-deps.yml b/.github/workflows/auto-merge-deps.yml
index 85d83bb..a67641c 100644
--- a/.github/workflows/auto-merge-deps.yml
+++ b/.github/workflows/auto-merge-deps.yml
@@ -17,7 +17,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/build-go-attest.yml b/.github/workflows/build-go-attest.yml
index db391bc..27e4675 100644
--- a/.github/workflows/build-go-attest.yml
+++ b/.github/workflows/build-go-attest.yml
@@ -67,7 +67,7 @@ jobs:
 attestations: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8eef1ce..02a2644 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
@@ -32,7 +32,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
@@ -49,7 +49,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 070c679..5f1113a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,7 +21,7 @@ jobs:
 actions: read
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index adfbdfc..9b2b5d7 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -21,7 +21,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
@@ -32,6 +32,8 @@ jobs:
 - name: Dependency Review
 uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+ env:
+ FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 with:
 fail-on-severity: ${{ inputs.fail-on-severity || 'high' }}
 comment-summary-in-pr: always
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 78d0ed0..6c24dcb 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -29,7 +29,7 @@ jobs:
 security-events: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
@@ -42,5 +42,6 @@ jobs:
 - name: Run Gitleaks
 uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
 env:
+ FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
index 214437f..b0946c1 100644
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@@ -30,7 +30,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 4264a57..1a99e6c 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
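Review bot: The `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true` entry added under `env:` of the Dependency Review step (and the same entry in the Run Gitleaks step in the next file) carries no in-file explanation, so nothing in the workflow tells a later maintainer that it is a stopgap for node20-only action builds or when it may be dropped. I'd add a comment directly above each line: `# Temporary: action still ships node20 only; drop once a node24 release is pinned (tracked in #3)`. Since GitHub Actions passes `env` values as strings, I'd also quote the value, `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"`, so generic YAML tooling does not read it as a boolean. I believe the runner honours the variable at step level, but it is worth confirming on the first run that the step log reports Node 24, since these two steps are the repository's dependency-review and secret-scanning gates.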
@@ -21,7 +21,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 95bde98..aed5a56 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -41,7 +41,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/node-audit.yml b/.github/workflows/node-audit.yml
index 767aab0..9cc64f1 100644
--- a/.github/workflows/node-audit.yml
+++ b/.github/workflows/node-audit.yml
@@ -35,7 +35,7 @@ jobs:
 contents: read
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
index 908467a..2fddeb6 100644
--- a/.github/workflows/pr-quality.yml
+++ b/.github/workflows/pr-quality.yml
@@ -32,7 +32,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
@@ -82,7 +82,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 9166c11..5fa6b79 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -17,7 +17,7 @@ jobs:
 actions: read
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 093eea8..4ee9097 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -71,7 +71,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
From d4445f780a09cfb915db95cbce92979c98e0830c Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Wed, 1 Apr 2026 11:11:58 +0200
Subject: [PATCH 2/3] chore: fix pre-existing lint issues (trailing space, table formatting)
---
 .github/workflows/pr-quality.yml | 2 +-
 docs/supply-chain-security.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
index 2fddeb6..ec58bbe 100644
--- a/.github/workflows/pr-quality.yml
+++ b/.github/workflows/pr-quality.yml
@@ -65,7 +65,7 @@ jobs:
 if (total > warning) size = 'large'; else if (total > Math.floor(warning / 2.5)) size = 'medium';
- console.log(`PR Size: ${size} (${additions}+ / ${deletions}-)`);
+ console.log(`PR Size: ${size} (${additions}+ / ${deletions}-)`);
 if (total > alert) { core.warning(`Large PR with ${total} changes. Consider breaking into smaller PRs.`);
diff --git a/docs/supply-chain-security.md b/docs/supply-chain-security.md
index fd868cb..7073b1a 100644
--- a/docs/supply-chain-security.md
+++ b/docs/supply-chain-security.md
@@ -3,7 +3,7 @@
 ## Defense Layers
 | Layer | Mechanism | Scope | When |
-|-------|-----------|-------|------|
+| ----- | --------- | ----- | ---- |
 | 1. Stability delay | Renovate `stabilityDays: 3` | All repos with Renovate | Before PR creation |
 | 2. Dependency review | `dependency-review-action` | All repos (org-wide default) | On every PR |
 | 3. Package audit | `pnpm audit` / `composer audit` | Repos with audit workflow | On every PR |
From b75bd7ab4e19a4ebcb1f14b155cca0c651578d32 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Wed, 1 Apr 2026 11:13:59 +0200
Subject: [PATCH 3/3] chore: fix remaining lint issues in supply-chain-security.md
---
 docs/supply-chain-security.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/supply-chain-security.md b/docs/supply-chain-security.md
index 7073b1a..af479f9 100644
--- a/docs/supply-chain-security.md
+++ b/docs/supply-chain-security.md
@@ -35,14 +35,14 @@ When a supply chain attack is discovered:
 ### Short-term (within 24 hours)
-3. **Revert affected repos** — downgrade to last safe version, regenerate lockfiles
-4. **Rotate secrets** — if the malicious package could have exfiltrated credentials
-5. **Audit CI logs** — check if the malicious code ran in any CI pipeline
+1. **Revert affected repos** — downgrade to last safe version, regenerate lockfiles
+2. **Rotate secrets** — if the malicious package could have exfiltrated credentials
+3. **Audit CI logs** — check if the malicious code ran in any CI pipeline
 ### Post-incident
-6. **Review auto-merge logs** — identify if/how the compromised version was merged
-7. **Update this document** with lessons learned
+1. **Review auto-merge logs** — identify if/how the compromised version was merged
+2. **Update this document** with lessons learned
 ## Workflow Architecture
@@ -79,7 +79,7 @@ netresearch/renovate-config
 ## Key Repos
 | Repo | Role |
-|------|------|
+| ---- | ---- |
 | [`netresearch/renovate-config`](https://github.com/netresearch/renovate-config) | Org-wide Renovate preset (deny-lists, stability delay) |
 | [`netresearch/.github`](https://github.com/netresearch/.github) | Org-wide default workflows + generic reusable workflows |
 | [`netresearch/typo3-ci-workflows`](https://github.com/netresearch/typo3-ci-workflows) | TYPO3/PHP-specific reusable workflows |