step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 17:44:04 +00:00
Code Issues Projects Releases Packages Wiki Activity
harden-runner/action.yml
Varun Sharma 85b3620336 Fix policy store to use correct API endpoint and auth scheme 
Use /actions/policies/workflow-policy with query params (workflow,
run_id, correlationId) and vm-api-key auth header to match the
existing backend API. Update action.yml descriptions to clarify
policy store is the preferred method.
2026-04-03 20:45:39 -07:00

51 lines
2 KiB
YAML
Raw Blame History

name: "Harden-Runner"
description: "Harden-Runner provides runtime security for GitHub-hosted and self-hosted runners"
inputs:
allowed-endpoints:
description: "Only these endpoints will be allowed if egress-policy is set to block"
required: false
default: ""
egress-policy:
description: "Policy for outbound traffic, can be either audit or block"
required: false
default: "block"
token:
description: "Used to avoid github rate limiting"
default: ${{ github.token }}
disable-telemetry:
description: "Disable sending telemetry to StepSecurity API, can be set to true or false. This can only be set to true when egress-policy is set to block"
required: false
default: "false"
disable-sudo:
description: "Disable sudo access for the runner account. Note: This parameter will be deprecated in the future. Please use disable-sudo-and-containers instead."
required: false
default: "false"
disable-sudo-and-containers:
description: "Disable sudo and container access for the runner account"
required: false
default: "false"
disable-file-monitoring:
description: "Disable file monitoring"
required: false
default: "false"
policy:
description: "Policy name to be used from the policy store. Requires id-token: write permission."
required: false
default: ""
api-key:
description: "StepSecurity API key for authenticating with the policy store. Required when use-policy-store is set to true."
required: false
default: ""
use-policy-store:
description: "Set to true to fetch policy from the policy store using the API key. This is the preferred method over the policy input which requires id-token: write permission. Policies can be defined and attached at workflow, repo, org, or cluster (for ARC) level in the policy store. The most granular policy will apply."
required: false
default: "false"
branding:
icon: "check-square"
color: "green"
runs:
using: "node24"
pre: "dist/pre/index.js"
main: "dist/index.js"
post: "dist/post/index.js"
Reference in a new issue View git blame Copy permalink