Niels Lohmann
899cf31255
Harden CI: validate PR artifact inputs, migrate off deprecated Semgrep action ( #5232 )
...
* Harden CI workflows: validate PR artifact inputs and migrate off deprecated Semgrep action
Address two CI/supply-chain hardening items from the 2026-07-03 security
audit:
- comment_check_amalgamation.yml (todo 117): the privileged `workflow_run`
job consumes an untrusted PR artifact. Validate `author` against a strict
GitHub-username pattern and `number` as a positive integer before use, and
extract the artifact into a dedicated directory (`unzip -o pr.zip -d
./pr_artifact`), reading only the two expected files by fixed path. This
prevents Markdown/mention injection via the attacker-controlled `author`
text and avoids a malicious archive touching the workspace.
- semgrep.yml (todo 118): `returntocorp/semgrep-action` is deprecated (the
org was renamed to `semgrep/*`). Replace it with an explicit `semgrep ci`
invocation via the maintained CLI; the deployment is inferred from
SEMGREP_APP_TOKEN.
Todo 116 (CIFuzz `@master` refs) already carries a comment documenting the
OSS-Fuzz-recommended exception, so no change is needed there.
Signed-off-by: Niels Lohmann <mail@nlohmann.me >
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
* Fix Semgrep step: use `semgrep scan` instead of token-gated `semgrep ci`
The CI `Scan` job failed with "Path does not exist: semgrep.sarif" because
`semgrep ci` requires a login token (SEMGREP_APP_TOKEN), which this repo does
not have configured, so it bailed without producing a SARIF file. The former
returntocorp/semgrep-action, given no token, fell back to plain
`semgrep scan --sarif`; match that with `semgrep scan --config auto`, which
needs no token and always produces the SARIF for upload.
Signed-off-by: Niels Lohmann <mail@nlohmann.me >
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
---------
Signed-off-by: Niels Lohmann <mail@nlohmann.me >
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-07-04 11:10:02 +02:00
Niels Lohmann
972f5cc10b
Attach a ready-to-apply patch when the amalgamation check fails ( #5229 )
...
When a PR is not amalgamated/formatted, the astyle version friction (see
the recurring blocker across many PRs) means contributors often struggle
to reproduce the exact fix locally. The check now regenerates the
amalgamation and formatting, captures the difference as a patch, and
uploads it as the `amalgamation-patch` artifact. The failure comment
links to that artifact and tells contributors to run
`git apply amalgamation.patch`, so they no longer need to install the
pinned astyle version themselves.
The pass/fail verdict is unchanged: the same PRs fail as before, and a
correctly amalgamated PR uploads nothing and passes.
Signed-off-by: Niels Lohmann <mail@nlohmann.me >
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-07-02 23:05:00 +02:00
dependabot[bot]
a69a42a930
Bump step-security/harden-runner from 2.19.3 to 2.19.4 ( #5188 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.19.3 to 2.19.4.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/ab7a9404c0f3da075243ca237b5fac12c98deaa5...9af89fc71515a100421586dfdb3dc9c984fbf411 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.19.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-21 22:20:29 +02:00
dependabot[bot]
e08b3cab68
Bump step-security/harden-runner from 2.19.2 to 2.19.3 ( #5173 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.19.2 to 2.19.3.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/9ca718d3bf646d6534007c269a635b3e54cadf99...ab7a9404c0f3da075243ca237b5fac12c98deaa5 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.19.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-15 20:59:12 +02:00
dependabot[bot]
630beaeb05
Bump step-security/harden-runner from 2.19.1 to 2.19.2 ( #5170 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.19.1 to 2.19.2.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/a5ad31d6a139d249332a2605b85202e8c0b78450...9ca718d3bf646d6534007c269a635b3e54cadf99 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.19.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-14 20:04:56 +02:00
dependabot[bot]
a038cc4ef8
Bump step-security/harden-runner from 2.19.0 to 2.19.1 ( #5157 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.19.0 to 2.19.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/8d3c67de8e2fe68ef647c8db1e6a09f647780f40...a5ad31d6a139d249332a2605b85202e8c0b78450 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.19.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-08 07:49:26 +02:00
dependabot[bot]
8d849594f8
Bump step-security/harden-runner from 2.17.0 to 2.19.0 ( #5147 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.17.0 to 2.19.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/f808768d1510423e83855289c910610ca9b43176...8d3c67de8e2fe68ef647c8db1e6a09f647780f40 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.19.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 20:27:17 +02:00
dependabot[bot]
a5381281bf
Bump step-security/harden-runner from 2.16.1 to 2.17.0 ( #5132 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.16.1 to 2.17.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/fe104658747b27e96e4f7e80cd0a94068e53901d...f808768d1510423e83855289c910610ca9b43176 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.17.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 16:48:22 +02:00
dependabot[bot]
a8e7442b29
Bump actions/github-script from 8.0.0 to 9.0.0 ( #5134 )
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 8.0.0 to 9.0.0.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](https://github.com/actions/github-script/compare/ed597411d8f924073f98dfc5c65a23a2325f34cd...3a2844b7e9c422d3c10d287c895573f7108da1b3 )
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: 9.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 16:48:17 +02:00
dependabot[bot]
3946872265
Bump step-security/harden-runner from 2.16.0 to 2.16.1 ( #5127 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.16.0 to 2.16.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594...fe104658747b27e96e4f7e80cd0a94068e53901d )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.16.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-06 18:35:48 +02:00
dependabot[bot]
2413fc0b1d
Bump step-security/harden-runner from 2.15.1 to 2.16.0 ( #5113 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.15.1 to 2.16.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/58077d3c7e43986b6b15fba718e8ea69e387dfcc...fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.16.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-28 21:03:14 +01:00
dependabot[bot]
707c012e9c
Bump step-security/harden-runner from 2.15.0 to 2.15.1 ( #5100 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.15.0 to 2.15.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/a90bcbc6539c36a85cdfeb73f7e2f433735f215b...58077d3c7e43986b6b15fba718e8ea69e387dfcc )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.15.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-13 07:17:01 +01:00
dependabot[bot]
4fd26a4ead
🤜 Bump step-security/harden-runner from 2.14.2 to 2.15.0 ( #5088 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.14.2 to 2.15.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/5ef0c079ce82195b2a36a210272d6b661572d83e...a90bcbc6539c36a85cdfeb73f7e2f433735f215b )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.15.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-03 08:00:34 +01:00
dependabot[bot]
904592d2a8
🤜 Bump step-security/harden-runner from 2.14.1 to 2.14.2 ( #5075 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.14.1 to 2.14.2.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/e3f713f2d8f53843e71c69a996d56f51aa9adfb9...5ef0c079ce82195b2a36a210272d6b661572d83e )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.14.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-09 20:15:00 +01:00
dependabot[bot]
fa02f62316
🤜 Bump step-security/harden-runner from 2.14.0 to 2.14.1 ( #5062 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.14.0 to 2.14.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/20cf305ff2072d973412fa9b1e3a4f227bda3c76...e3f713f2d8f53843e71c69a996d56f51aa9adfb9 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.14.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-27 17:08:28 +01:00
dependabot[bot]
75d9166a68
🤜 Bump step-security/harden-runner from 2.13.3 to 2.14.0 ( #5029 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.13.3 to 2.14.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/df199fb7be9f65074067a9eb93f12bb4c5547cf2...20cf305ff2072d973412fa9b1e3a4f227bda3c76 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.14.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 15:57:58 +00:00
dependabot[bot]
baceef2286
🤜 Bump step-security/harden-runner from 2.13.2 to 2.13.3 ( #5020 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.13.2 to 2.13.3.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/95d9a5deda9de15063e7595e9719c11c38c90ae2...df199fb7be9f65074067a9eb93f12bb4c5547cf2 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.13.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 16:54:33 +01:00
dependabot[bot]
af524ab666
🤜 Bump step-security/harden-runner from 2.13.1 to 2.13.2 ( #4990 )
2025-11-05 18:07:31 +01:00
dependabot[bot]
44b5a6d535
🤜 Bump step-security/harden-runner from 2.13.0 to 2.13.1 ( #4915 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.13.0 to 2.13.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/ec9f2d5744a09debf3a187a3f4f675c53b671911...f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.13.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-15 20:17:48 +02:00
dependabot[bot]
07babee604
🤜 Bump actions/github-script from 7.0.1 to 8.0.0 ( #4907 )
...
Bumps [actions/github-script](https://github.com/actions/github-script ) from 7.0.1 to 8.0.0.
- [Release notes](https://github.com/actions/github-script/releases )
- [Commits](https://github.com/actions/github-script/compare/60a0d83039c74a4aee543508d2ffcb1c3799cdea...ed597411d8f924073f98dfc5c65a23a2325f34cd )
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: 8.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-05 17:28:54 +02:00
dependabot[bot]
095d2b3a16
🤜 Bump step-security/harden-runner from 2.12.2 to 2.13.0 ( #4848 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.12.2 to 2.13.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/6c439dc8bdf85cadbbce9ed30d1c7b959517bc49...ec9f2d5744a09debf3a187a3f4f675c53b671911 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.13.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-31 22:45:24 +02:00
dependabot[bot]
d33ecd3f3b
🤜 Bump step-security/harden-runner from 2.12.1 to 2.12.2 ( #4837 )
2025-06-30 23:28:49 +02:00
dependabot[bot]
568b708fd4
🤜 Bump step-security/harden-runner from 2.12.0 to 2.12.1 ( #4815 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.12.0 to 2.12.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/0634a2670c59f64b4a01f0f96f84700a4088b9f0...002fdce3c6a235733a90a27c80493a3241e56863 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.12.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-11 18:42:32 +02:00
dependabot[bot]
2be2c83d5c
🤜 Bump step-security/harden-runner from 2.11.1 to 2.12.0 ( #4754 )
2025-04-22 18:56:49 +02:00
dependabot[bot]
71884486d1
🤜 Bump step-security/harden-runner from 2.11.0 to 2.11.1 ( #4718 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.11.0 to 2.11.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/4d991eb9b905ef189e4c376166672c3f2f230481...c6295a65d1254861815972266d5933fd6e532bdf )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-03 07:40:09 +02:00
dependabot[bot]
a3143f5f2f
🤜 Bump step-security/harden-runner from 2.10.4 to 2.11.0 ( #4652 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.10.4 to 2.11.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/cb605e52c26070c328afc4562f0b4ada7618a84e...4d991eb9b905ef189e4c376166672c3f2f230481 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-20 07:34:06 +01:00
dependabot[bot]
8c7dcd3b43
Bump step-security/harden-runner from 2.10.3 to 2.10.4 ( #4614 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.10.3 to 2.10.4.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/c95a14d0e5bab51a9f56296a4eb0e416910cd350...cb605e52c26070c328afc4562f0b4ada7618a84e )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-01-20 19:31:05 +01:00
dependabot[bot]
e72046ef9f
Bump step-security/harden-runner from 2.10.2 to 2.10.3 ( #4604 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.10.2 to 2.10.3.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](https://github.com/step-security/harden-runner/compare/0080882f6c36860b6ba35c610c98ce87d4e2f26f...c95a14d0e5bab51a9f56296a4eb0e416910cd350 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-01-17 10:52:26 +01:00
StepSecurity Bot
5362012fdd
[StepSecurity] ci: Harden GitHub Actions ( #4551 )
...
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io >
2024-12-17 15:20:06 +01:00
Niels Lohmann
861ec9c3c6
Fix token permissions warnings ( #4550 )
...
* 🎓 fix token permissions warnings
* 🎓 fix token permissions warnings
* 🎓 fix token permissions warnings
2024-12-17 12:55:19 +01:00
dependabot[bot]
58949c0ad5
🤜 Bump actions/github-script from 6.4.0 to 7.0.1 ( #4540 )
2024-12-15 20:13:29 +00:00
StepSecurity Bot
4003f8da02
[StepSecurity] Apply security best practices ( #4539 )
...
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io >
2024-12-15 18:31:21 +01:00
Joyce
31c00dc729
Refactor amalgamation workflow to avoid dangerous use of pull_request_target ( #3969 )
2023-03-08 13:41:20 +01:00