(for reference: it took me longer than I care to admit to find out you were referring to https://github.com/step-security/harden-runner :D )
On Wed, Mar 25, 2026 at 11:41 AM Arnout Engelen <[email protected]> wrote:

> I have no experience with it. It looks interesting. If you're confident,
> would you like to be a trailblazer and try it? Perhaps it would be worth a
> message to [email protected] to announce your
> experiment and see if there's people who already have experience with it.
>
> Of course like with any tool there's a trade-off between the additional
> security this might bring and the increased attack surface - sadly
> 'security tools' regularly get compromised themselves. If you're confident
> the trade-off is favourable for you in this case I don't see reason to
> argue with that.
>
>
> Kind regards,
>
> Arnout
>
> On Wed, Mar 25, 2026 at 11:11 AM Jacques Le Roux via security <
> [email protected]> wrote:
>
>> Hi Infra and Security teams,
>>
>> What is your opinion about using step-security/hardened-runner in GitHub
>> actions?
>>
>> Thanks in advance
>>
>> Jacques
>>
>>
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
>

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
