
[Issue]: Remove step-security/harden-runner from extension workflows #226

@WilliamBerryiii


Issue Description

Remove the step-security/harden-runner action from all GitHub Actions workflows. The action is currently configured in audit-only mode (egress-policy: audit), which provides network egress monitoring but does not block any traffic. This adds workflow complexity and execution time without meaningful security enforcement.

Current State

The action is used in 3 workflow files with 7 total instances:

| Workflow | Jobs | Instances |
|---|---|---|
| .github/workflows/extension-package.yml | package | 1 |
| .github/workflows/extension-publish.yml | prepare-changelog, normalize-version, publish | 3 |
| .github/workflows/extension-publish-prerelease.yml | validate-version, package, publish | 3 |

All instances use identical configuration:

- name: Harden Runner
  uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
  with:
    egress-policy: audit

Why Remove

  1. Audit-only mode provides no enforcement - Traffic is monitored but never blocked
  2. Adds ~2-5 seconds per job - Seven instances add measurable overhead
  3. Increases maintenance burden - SHA pinning must be maintained for an action that provides no functional value
  4. Other workflows don't use it - 16 of 19 workflows already operate without it

Implementation Instructions

Step 1: Create feature branch

git checkout main
git pull
git checkout -b chore/remove-harden-runner

Step 2: Remove harden-runner from extension-package.yml

Edit .github/workflows/extension-package.yml and delete the entire step block containing:

      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

This step appears in the package job. After removal, the Checkout code step should become the first step in that job.

Step 3: Remove harden-runner from extension-publish.yml

Edit .github/workflows/extension-publish.yml and delete the harden-runner step block from each of these jobs:

  • Job: prepare-changelog - Remove the Harden Runner step (first step in job)
  • Job: normalize-version - Remove the Harden Runner step (first step in job)
  • Job: publish - Remove the Harden Runner step (first step in job)

Each block to remove matches this pattern:

      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

Step 4: Remove harden-runner from extension-publish-prerelease.yml

Edit .github/workflows/extension-publish-prerelease.yml and delete the harden-runner step block from each of these jobs:

  • Job: validate-version - Remove the Harden Runner step (first step in job)
  • Job: package - Remove the Harden Runner step (first step in job)
  • Job: publish - Remove the Harden Runner step (first step in job)

Each block to remove matches this pattern:

      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

Step 5: Validate workflow YAML syntax

Validate each modified workflow file has correct YAML syntax:

# Using PowerShell for a structural sanity check of each edited workflow.
# Note: this only checks that the expected top-level keys survived the edit;
# it does not parse the YAML, so also watch the workflow run on the PR.
$files = @(
    '.github/workflows/extension-package.yml',
    '.github/workflows/extension-publish.yml',
    '.github/workflows/extension-publish-prerelease.yml'
)

foreach ($file in $files) {
    try {
        # -ErrorAction Stop makes a missing or unreadable file a terminating
        # error, so the catch block actually runs instead of being skipped
        $content = Get-Content $file -Raw -ErrorAction Stop
        # Basic validation - file should not be empty and should contain expected keys
        if ($content -match 'name:' -and $content -match 'jobs:') {
            Write-Host "$file - Valid structure" -ForegroundColor Green
        } else {
            Write-Host "$file - Missing expected keys" -ForegroundColor Red
        }
    } catch {
        Write-Host "$file - Read error: $_" -ForegroundColor Red
    }
}

Step 6: Verify permissions blocks remain unchanged

Confirm each workflow retains its permissions block at the workflow and job levels. Do NOT modify these:

extension-package.yml must retain:

permissions:
  contents: read

extension-publish.yml must retain:

  • Workflow-level: permissions: contents: read
  • Job publish level: permissions: contents: read and id-token: write

extension-publish-prerelease.yml must retain:

  • Workflow-level: permissions: contents: read
  • Job publish level: permissions: contents: read and id-token: write

Step 7: Verify complete removal

Search the codebase to confirm no references remain:

# Should return no matches. Select-String has no -Recurse parameter and does not
# expand "**", so recurse with Get-ChildItem and pipe the files into it.
Get-ChildItem -Path .github -Recurse -Filter *.yml | Select-String -Pattern "step-security|harden-runner"

# Alternative with grep
grep -r "step-security" .github/
grep -r "harden-runner" .github/

Both searches should return no results after removal.
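As an added example that is not part of this issue or the repository, the following Python script performs Steps 2 to 4 mechanically and then applies the Step 6 and Step 7 acceptance checks, so the before/after comparison does not rely on eyeballing the diff. The workflow text is a constructed sample modelled on the snippets above, not the repository's real file, and the removal keys on the exact `- name: Harden Runner` step name shown in this issue.

```python
import re
# Constructed sample shaped like the page's extension-package.yml (not the real file).
SAMPLE_WORKFLOW = """\
name: Extension Package
permissions:
  contents: read
jobs:
  package:
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@v4
"""
STEP_START = re.compile(r"^(\s*)- name: Harden Runner\s*$")
LEFTOVER = re.compile(r"step-security|harden-runner")


def remove_harden_runner(text):
    """Steps 2-4: drop every Harden Runner step plus its indented body; returns (text, count)."""
    lines = text.splitlines(keepends=True)
    out, removed, i = [], 0, 0
    while i < len(lines):
        m = STEP_START.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        removed += 1
        indent = len(m.group(1))
        i += 1
        # The body is every following blank line or line indented deeper than the '- ' marker.
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > indent):
            i += 1
    return "".join(out), removed

def permissions_lines(text):
    """Step 6: workflow- and job-level permissions entries, for a before/after comparison."""
    return [ln.strip() for ln in text.splitlines()
            if re.match(r"^\s*(permissions:|contents:|id-token:)", ln)]

def verify_removal(before, after):
    """Steps 6 and 7: permissions unchanged and no step-security/harden-runner reference left."""
    return (LEFTOVER.search(after) is None
            and permissions_lines(before) == permissions_lines(after))
```

Run it over the three files listed above and refuse to commit any file for which verify_removal() returns False.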

Step 8: Run repository tests

Execute the test suite to verify no regressions:

npm run test:ps

All tests should pass.

Step 9: Commit and push

git add .github/workflows/extension-package.yml
git add .github/workflows/extension-publish.yml
git add .github/workflows/extension-publish-prerelease.yml
git commit -m "chore: remove step-security/harden-runner from extension workflows

Remove audit-only harden-runner action that provides monitoring
without enforcement. Reduces workflow complexity and execution time.

Removed from:
- extension-package.yml (1 instance)
- extension-publish.yml (3 instances)
- extension-publish-prerelease.yml (3 instances)"

git push -u origin chore/remove-harden-runner

Step 10: Create pull request

Create a PR targeting main with:

  • Title: chore: remove step-security/harden-runner from extension workflows
  • Description: Reference this issue number

Acceptance Criteria

  • All 7 instances of step-security/harden-runner removed from workflows
  • All 3 modified workflow files contain valid YAML
  • Permissions blocks unchanged in all workflows (both workflow-level and job-level)
  • No remaining references to step-security or harden-runner in .github/ directory
  • npm run test:ps passes
  • Commit message follows repository conventions (type: description format)
  • PR created targeting main branch

Additional Context

Files to Modify

  1. .github/workflows/extension-package.yml - Remove 1 step from package job
  2. .github/workflows/extension-publish.yml - Remove 3 steps from prepare-changelog, normalize-version, publish jobs
  3. .github/workflows/extension-publish-prerelease.yml - Remove 3 steps from validate-version, package, publish jobs

Workflows NOT Affected (no changes needed)

These 16 workflows do not use harden-runner and require no changes:

  • codeql-analysis.yml
  • dependency-pinning-scan.yml
  • dependency-review.yml
  • frontmatter-validation.yml
  • link-lang-check.yml
  • main.yml
  • markdown-link-check.yml
  • markdown-lint.yml
  • pr-validation.yml
  • ps-script-analyzer.yml
  • security-scan.yml
  • sha-staleness-check.yml
  • spell-check.yml
  • table-format.yml
  • weekly-security-maintenance.yml
  • pester-tests.yml

Metadata

Labels: needs-triage (Requires triage and prioritization), workflows (GitHub Actions workflows)

Assignees: no one assigned

Milestone: none