Skip to content

fix(workflows): revert step-security actions to original authors#24

Merged
botantler[bot] merged 1 commit intomainfrom
fix/revert-stepsecurity-actions
Apr 25, 2026
Merged

fix(workflows): revert step-security actions to original authors#24
botantler[bot] merged 1 commit intomainfrom
fix/revert-stepsecurity-actions

Conversation

@devantler
Copy link
Copy Markdown
Contributor

@devantler devantler commented Apr 25, 2026

Replace step-security forks with original upstream actions using SHA pinning, and remove harden-runner steps (trial expired).

Changes

Replaced actions

step-security fork Original upstream
step-security/docker-login-action v3.7.0 docker/login-action@c94ce9fb v3.7.0
step-security/git-auto-commit-action v7.1.0/v7.1.1 stefanzweifel/git-auto-commit-action@04702edd v7.1.0

Removed steps

  • step-security/harden-runner (all versions) — trial expired, no upstream equivalent

@devantler
fix(workflows): revert step-security actions to original authors
192c34b 
Remove harden-runner steps (trial expired). Replace step-security forks
with original upstream actions using SHA pinning.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 25, 2026 15:11
@botantler botantler Bot enabled auto-merge (squash) April 25, 2026 15:11
@botantler botantler Bot merged commit 0ac8bad into main Apr 25, 2026
16 checks passed
Copilot AI reviewed Apr 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates GitHub Actions workflows to remove StepSecurity’s harden-runner step (trial expired) and revert a forked action back to its upstream author while keeping SHA pinning, aligning workflow dependencies with upstream sources.

Changes:

  • Removed step-security/harden-runner steps from CI and scheduled report workflows.
  • Replaced step-security/git-auto-commit-action with stefanzweifel/git-auto-commit-action (SHA-pinned) in CI.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/report-repos-with-no-team.yml Removes the harden-runner step from the scheduled “no team” report workflow.
.github/workflows/report-repos-with-no-admin-team.yml Removes the harden-runner step from the scheduled “no admin team” report workflow.
.github/workflows/report-repos-with-multi-admin-teams.yml Removes the harden-runner step from the scheduled “multi admin teams” report workflow.
.github/workflows/ci.yml Removes harden-runner across CI jobs and switches auto-commit action back to upstream (SHA-pinned).

Comment thread .github/workflows/ci.yml
Comment on lines 184 to 186
- name: Commit and push changes
uses: step-security/git-auto-commit-action@905c3cd6e9ed2b67b4d46ff401fdb6d745d0ff9d # v7.1.0
uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
with:
Copy link

Copilot AI Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description lists a replacement of step-security/docker-login-action with docker/login-action, but there is no docker/login-action usage (or step-security/docker-login-action) anywhere in the repo’s workflow YAML. Please either update the PR description to reflect the actual changes, or include the intended action replacement in this PR.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@botantler botantler[bot] botantler[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@devantler