From 26897a75dffa0e65789363366b2e7fb5519a3b89 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Jul 2026 18:32:58 +0000 Subject: [PATCH 1/6] build(deps): bump step-security/harden-runner from 2.19.4 to 2.20.0 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.4 to 2.20.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/9af89fc71515a100421586dfdb3dc9c984fbf411...bf7454d06d71f1098171f2acdf0cd4708d7b5920) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/devcontainer.yml | 2 +- .github/workflows/docs.yml | 6 +++--- .github/workflows/python-publish.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/run.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/source-provenance.yml | 4 ++-- .github/workflows/test.yml | 2 +- .github/workflows/winget-publish.yml | 2 +- 12 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d7e93356..030fb929 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,7 +25,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -335,7 +335,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e6c1c150..f70665a8 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -35,7 +35,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 51a3f236..e9bbe3d8 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml index 45b87e89..7aff91d7 100644 --- a/.github/workflows/devcontainer.yml +++ b/.github/workflows/devcontainer.yml @@ -16,7 +16,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index ea1bcd24..65077d06 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -53,7 +53,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -97,7 +97,7 @@ jobs: contents: write steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index c7196350..1933310c 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -25,7 +25,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4ab644a3..c8c3639a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,7 +21,7 @@ jobs: release_id: ${{ steps.release_info.outputs.tag }} steps: - - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + - uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index 6f10b053..3169e44b 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -16,7 +16,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -149,7 +149,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: ${{ matrix.allowed-endpoints }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2a062c9d..aeb60a58 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -27,7 +27,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml index 1c7edf76..b9e873d2 100644 --- a/.github/workflows/source-provenance.yml +++ b/.github/workflows/source-provenance.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -55,7 +55,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8f9c9826..c2b69ec4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -18,7 +18,7 @@ jobs: id-token: write steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block # dfetch.invalid and giiiiiidhub.com are intentionally invalid test diff --git a/.github/workflows/winget-publish.yml b/.github/workflows/winget-publish.yml index 052399e7..e0c2a21a 100644 --- a/.github/workflows/winget-publish.yml +++ b/.github/workflows/winget-publish.yml @@ -32,7 +32,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ From 8c05460facc13f1453eb906cdc2c6d5d4e1db63c Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 13 Jul 2026 17:13:50 +0000 Subject: [PATCH 2/6] Allow sourceforge and svn.code.sf.net endpoints for Windows runners harden-runner v2.20.0 enforces egress blocking on Windows runners for the first time, which broke the svn choco install (fetched from sourceforge) and the SVN-based example fetch in the cygwin job. --- .github/workflows/run.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index 3169e44b..4b60efc1 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -28,6 +28,16 @@ jobs: community.chocolatey.org:443 community.chocolatey.org:80 packages.chocolatey.org:443 + cfhcable.dl.sourceforge.net:443 + cytranet-dal.dl.sourceforge.net:443 + downloads.sourceforge.net:443 + gigenet.dl.sourceforge.net:443 + netactuate.dl.sourceforge.net:443 + pilotfiber.dl.sourceforge.net:443 + psychz.dl.sourceforge.net:443 + sourceforge.net:443 + svn.code.sf.net:443 + svn.code.sf.net:3690 - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: @@ -130,17 +140,25 @@ jobs: allowed-endpoints: >+ _https._tcp.packages.microsoft.com:443 api.github.com:443 + cfhcable.dl.sourceforge.net:443 community.chocolatey.org:443 community.chocolatey.org:80 + cytranet-dal.dl.sourceforge.net:443 dc.services.visualstudio.com:443 + downloads.sourceforge.net:443 fe2cr.update.microsoft.com:443 files.pythonhosted.org:443 + gigenet.dl.sourceforge.net:443 github.com:443 mobile.events.data.microsoft.com:443 + netactuate.dl.sourceforge.net:443 packages.chocolatey.org:443 packages.microsoft.com:443 + pilotfiber.dl.sourceforge.net:443 + psychz.dl.sourceforge.net:443 pypi.org:443 release-assets.githubusercontent.com:443 + sourceforge.net:443 ziglang.org:443 runs-on: ${{ matrix.platform }} permissions: From d4e7758891ec7232938b726ae9c09fad69398668 Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 13 Jul 2026 17:47:05 +0000 Subject: [PATCH 3/6] Fix remaining Windows egress blocks: cygwin.com, sourceforge mirrors The previous fix only covered one sourceforge mirror; CI hit a different one (phoenixnap.dl.sourceforge.net) on retry, since the mirror sourceforge redirects to varies per run. Switch to a *.dl.sourceforge.net wildcard to cover any mirror instead of listing them one by one. Also add cygwin.com and its default package mirror (mirrors.kernel.org), which cygwin-install-action needs and which was never reachable even before harden-runner enforced blocking on Windows. --- .github/workflows/run.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index 4b60efc1..65781b0c 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -28,13 +28,10 @@ jobs: community.chocolatey.org:443 community.chocolatey.org:80 packages.chocolatey.org:443 - cfhcable.dl.sourceforge.net:443 - cytranet-dal.dl.sourceforge.net:443 + cygwin.com:443 + mirrors.kernel.org:443 + *.dl.sourceforge.net:443 downloads.sourceforge.net:443 - gigenet.dl.sourceforge.net:443 - netactuate.dl.sourceforge.net:443 - pilotfiber.dl.sourceforge.net:443 - psychz.dl.sourceforge.net:443 sourceforge.net:443 svn.code.sf.net:443 svn.code.sf.net:3690 @@ -140,22 +137,17 @@ jobs: allowed-endpoints: >+ _https._tcp.packages.microsoft.com:443 api.github.com:443 - cfhcable.dl.sourceforge.net:443 + *.dl.sourceforge.net:443 community.chocolatey.org:443 community.chocolatey.org:80 - cytranet-dal.dl.sourceforge.net:443 dc.services.visualstudio.com:443 downloads.sourceforge.net:443 fe2cr.update.microsoft.com:443 files.pythonhosted.org:443 - gigenet.dl.sourceforge.net:443 github.com:443 mobile.events.data.microsoft.com:443 - netactuate.dl.sourceforge.net:443 packages.chocolatey.org:443 packages.microsoft.com:443 - pilotfiber.dl.sourceforge.net:443 - psychz.dl.sourceforge.net:443 pypi.org:443 release-assets.githubusercontent.com:443 sourceforge.net:443 From c6e8f88bdab174428feebb06d88c727a5f29da69 Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 13 Jul 2026 17:49:47 +0000 Subject: [PATCH 4/6] Allow Let's Encrypt CRL lookups for mirrors.kernel.org download Windows hard-fails a WinHTTP download with error 12057 (WINHTTP_ERROR_SECURE_FAILURE) when it can't reach the CA's certificate revocation endpoint. mirrors.kernel.org's cert chains to Let's Encrypt, whose CRL responders (x1/x2/ye/ye1.c.lencr.org, seen rotating across runs) were still being blocked, breaking the cygwin setup.exe download even though DNS/connect to the mirror itself was already allowed. --- .github/workflows/run.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index 65781b0c..287c76ed 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -30,6 +30,7 @@ jobs: packages.chocolatey.org:443 cygwin.com:443 mirrors.kernel.org:443 + *.c.lencr.org:443 *.dl.sourceforge.net:443 downloads.sourceforge.net:443 sourceforge.net:443 From 6f723616404c9d0315b0f02f684bda8beeb6d198 Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 13 Jul 2026 17:56:22 +0000 Subject: [PATCH 5/6] Allow Let's Encrypt CRL fetch over plain HTTP, not just HTTPS CRL distribution points are conventionally served over plain HTTP (port 80), never HTTPS, precisely to avoid a circular TLS-validation dependency (this repo's own macos-latest allowlist already reflects that convention via ocsp.sectigo.com:80). The previous fix only opened *.c.lencr.org:443, so the real port-80 CRL fetch for mirrors.kernel.org's cert was still silently dropped, hanging until schannel gave up with a generic secure-channel failure (12057) - same symptom as before despite every relevant domain now resolving and being allowed on port 443. --- .github/workflows/run.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index 287c76ed..d6ea5645 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -31,6 +31,7 @@ jobs: cygwin.com:443 mirrors.kernel.org:443 *.c.lencr.org:443 + *.c.lencr.org:80 *.dl.sourceforge.net:443 downloads.sourceforge.net:443 sourceforge.net:443 From ac1e6f90a09f965de97911e811f985413ec16018 Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 13 Jul 2026 18:01:10 +0000 Subject: [PATCH 6/6] Allow ziglang.org for the test-cygwin job's Zig install step The cygwin.com/mirrors.kernel.org fixes let this job progress past the cygwin install for the first time, surfacing the next missing endpoint: choco install zig needs ziglang.org, already allowlisted for the separate windows-latest matrix job but never added here. --- .github/workflows/run.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index d6ea5645..cdad3d26 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -37,6 +37,7 @@ jobs: sourceforge.net:443 svn.code.sf.net:443 svn.code.sf.net:3690 + ziglang.org:443 - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: