Bump step-security/harden-runner from 2.17.0 to 2.18.0 #956

Merged
stephenegriffin merged 1 commit into main from dependabot/github_actions/step-security/harden-runner-2.18.0
Apr 16, 2026

dependabot Bot commented on behalf of github Apr 15, 2026

Bumps step-security/harden-runner from 2.17.0 to 2.18.0.

Release notes

Sourced from step-security/harden-runner's releases.

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Apr 15, 2026
dependabot Bot requested a review from a team as a code owner April 15, 2026 18:46
dependabot Bot added the github_actions (Pull requests that update GitHub Actions code) label Apr 15, 2026

github-actions Bot commented Apr 15, 2026

Test Results

    8 files  ±0      8 suites  ±0   51s ⏱️ -1s
  251 tests ±0    251 ✅ ±0  0 💤 ±0  0 ❌ ±0 
2 008 runs  ±0  2 008 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 8d39229. ± Comparison against base commit df42d4a.

♻️ This comment has been updated with latest results.

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.17.0 to 2.18.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f808768...6c3c2f2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/github_actions/step-security/harden-runner-2.18.0 branch from f8a5abd to 8d39229 April 16, 2026 14:10
stephenegriffin (Member) commented

@dependabot rebase


dependabot Bot commented on behalf of github Apr 16, 2026

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

stephenegriffin merged commit 1bcf8d2 into main Apr 16, 2026
21 checks passed
stephenegriffin deleted the dependabot/github_actions/step-security/harden-runner-2.18.0 branch April 16, 2026 14:34