Skip to content

chore(deps): Update GitHub Actions to v2.19.3#37

Merged
williaby merged 1 commit into
mainfrom
renovate/github-actions
May 21, 2026
Merged

chore(deps): Update GitHub Actions to v2.19.3#37
williaby merged 1 commit into
mainfrom
renovate/github-actions

Conversation

@williaby

@williaby williaby commented May 21, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Contributor

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package Type Update Change OpenSSF
step-security/harden-runner action patch v2.19.1v2.19.3 OpenSSF Scorecard

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes

Release Notes

step-security/harden-runner (step-security/harden-runner)

v2.19.3

Compare Source

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed
  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow dependency to the latest stable version.

Review Change Stack

Copilot AI review requested due to automatic review settings May 21, 2026 05:23
@williaby williaby enabled auto-merge (squash) May 21, 2026 05:23
@coderabbitai

coderabbitai Bot commented May 21, 2026
edited
Loading

Copy link
Copy Markdown

Walkthrough

The dependency-review workflow receives a targeted security update: the step-security/harden-runner action is pinned to version v2.19.3, upgrading from v2.19.1. The hardening configuration remains unchanged.

Changes

Workflow Dependency Update

Layer / File(s) Summary
Harden runner version upgrade
.github/workflows/dependency-review.yml		 The step-security/harden-runner action is bumped from v2.19.1 to v2.19.3 while preserving the existing egress-policy hardening configuration.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

Possibly related PRs

  • ByronWilliamsCPA/rag-processor#19: Updates pinned GitHub Action versions in .github/workflows/dependency-review.yml (this PR bumps harden-runner; related PR updates actions/checkout).

Suggested labels

ci, security

Poem

🐰 A hop, a skip, a version bump,
The harden-runner takes a jump,
From v2.19.1 to v2.19.3 with cheer,
Security patches draw ever near! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore(deps): Update GitHub Actions to v2.19.3' directly and specifically describes the main change—a dependency update of the harden-runner GitHub Action to v2.19.3, which matches the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/github-actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions Bot commented May 21, 2026

Copy link
Copy Markdown

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/step-security/harden-runner ab7a9404c0f3da075243ca237b5fac12c98deaa5 🟢 8.1
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1016 out of 16 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1016 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities⚠️ 28 existing vulnerabilities detected

Scanned Files

  • .github/workflows/dependency-review.yml

Copilot AI reviewed May 21, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the step-security/harden-runner GitHub Action used by the Dependency Review workflow to the latest patch release, keeping the workflow’s runner-hardening step current with upstream bugfixes/security patches.

Changes:

  • Bumped step-security/harden-runner from v2.19.1 to v2.19.3 (still pinned to a commit SHA) in the dependency review workflow.

coderabbitai[bot]
coderabbitai Bot reviewed May 21, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/dependency-review.yml (1)

34-36: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden checkout to avoid token persistence on the runner.

Please set persist-credentials: false on the checkout step; otherwise the GitHub token is written into local git config during the job.

Suggested patch 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
Based on learnings: “In .github/workflows/*.yml, ensure every `actions/checkout` step sets `persist-credentials: false` … and if the PR modifies the workflow, add it there.”
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml around lines 34 - 36, The checkout
step using actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd must set
persist-credentials: false to prevent the GitHub token being written to the
runner git config; update the checkout step (the block starting with "name:
Checkout repository" / the actions/checkout usage) to include
persist-credentials: false and ensure any other actions/checkout occurrences in
this workflow are similarly hardened.
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/dependency-review.yml:
- Around line 34-36: The checkout step using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd must set
persist-credentials: false to prevent the GitHub token being written to the
runner git config; update the checkout step (the block starting with "name:
Checkout repository" / the actions/checkout usage) to include
persist-credentials: false and ensure any other actions/checkout occurrences in
this workflow are similarly hardened.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3b90a2ba-b953-4039-b4f8-262f935a2ee3

📥 Commits

Reviewing files that changed from the base of the PR and between 7cc9803 and a1c72d5.

📒 Files selected for processing (1)
  • .github/workflows/dependency-review.yml

@sonarqubecloud

sonarqubecloud Bot commented May 21, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@williaby williaby merged commit 2737b29 into main May 21, 2026
34 checks passed
@williaby williaby deleted the renovate/github-actions branch May 21, 2026 08:26
@coderabbitai coderabbitai Bot mentioned this pull request May 22, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

automated ci security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@williaby