Releases: step-security/harden-runner
v2.12.1
What's Changed
- Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
- Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.
Full Changelog: v2...v2.12.1
v2.12.0
What's Changed
-
A new option,
disable-sudo-and-containers, is now available to replace thedisable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post. -
New detections have been added based on insights from the tj-actions and reviewdog actions incidents.
Full Changelog: v2...v2.12.0
v2.11.1
What's Changed
Full Changelog: v2...v2.11.1
Contributors
Assets 2
v2.11.0
What's Changed
Release v2.11.0 in #498
Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring
Full Changelog: v2...v2.11.0
v2.10.4
What's Changed
Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.
Full Changelog: v2...v2.10.4
v2.10.3
What's Changed
Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.
Full Changelog: v2...v2.10.3
v2.10.2
What's Changed
-
Fixes low-severity command injection weaknesses
The advisory is here: GHSA-g85v-wf27-67xc -
Bug fix to improve detection of whether Harden-Runner is running in a container
Full Changelog: v2...v2.10.2
v2.10.1
What's Changed
Release v2.10.1 by @varunsh-coder in #463
Bug fix: Resolves an issue where DNS resolution of .local domains was failing when using a Kind cluster in a GitHub Actions workflow.
Full Changelog: v2...v2.10.1
Contributors
Assets 2
v2.10.0
What's Changed
Release v2.10.0 by @h0x0er and @varunsh-coder in #455
ARM Support: Harden-Runner Enterprise tier now supports GitHub-hosted ARM runners. This includes all the features that apply to previously supported GitHub-hosted x64 Linux runners.
Full Changelog: v2...v2.10.0
Contributors
Assets 2
v2.9.1
What's Changed
Release v2.9.1 by @h0x0er and @varunsh-coder in #440
This release includes two changes:
- Updated markdown displayed in the job summary by the Harden-Runner Action.
- Fixed a bug affecting Enterprise Tier customers where the agent attempted to upload telemetry for jobs with disable-telemetry set to true. No telemetry was uploaded as the endpoint was not in the allowed list.
Full Changelog: v2...v2.9.1