Merge pull request #617 from instructlab/ihrachyshka-harden-runner-remove

mergify[bot] · web-flow · commit a479f0b99c7f · 2025-06-23T12:58:15.000Z
ci: Remove harden-runner steps from jobs
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -29,11 +29,6 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
-      - name: "Harden Runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -32,10 +32,6 @@ jobs:
   markdown-lint:
     runs-on: ubuntu-latest
     steps:
-      - name: "Harden Runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
diff --git a/.github/workflows/e2e-nvidia-l40s-x4-py312.yml b/.github/workflows/e2e-nvidia-l40s-x4-py312.yml
@@ -87,12 +87,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: "Harden Runner"
-        # v2.10.1
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
-        with:
-          egress-policy: audit
-
       - name: Checkout instructlab/training
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -138,12 +132,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ always() }}
     steps:
-      - name: "Harden Runner"
-        # v2.10.1
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
-        with:
-          egress-policy: audit
-
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
         with:
diff --git a/.github/workflows/e2e-nvidia-l40s-x4-sdk.yml b/.github/workflows/e2e-nvidia-l40s-x4-sdk.yml
@@ -101,11 +101,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: "Harden Runner"
-        # v2.10.1
-        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf
-        with:
-          egress-policy: audit
       - name: Install Packages
         run: |
           cat /etc/os-release
@@ -207,12 +202,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ always() }}
     steps:
-      - name: "Harden Runner"
-        # v2.10.1
-        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf
-        with:
-          egress-policy: audit
-
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
@@ -234,12 +223,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ always() }}
     steps:
-      - name: "Harden Runner"
-        # v2.10.1
-        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf
-        with:
-          egress-policy: audit
-
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
@@ -324,4 +307,4 @@ jobs:
         if: steps.phase-2-upload-s3.outcome == 'failure'
         run: |
           echo "::warning::Failed to upload Phase 2 loss graph to S3. This won't block the workflow, but you may want to investigate."
-          echo "Loss graph upload failed" >> "${GITHUB_STEP_SUMMARY}"
+          echo "Loss graph upload failed" >> "${GITHUB_STEP_SUMMARY}"
diff --git a/.github/workflows/e2e-nvidia-l40s-x4.yml b/.github/workflows/e2e-nvidia-l40s-x4.yml
@@ -87,12 +87,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: "Harden Runner"
-        # v2.10.1
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
-        with:
-          egress-policy: audit
-
       - name: Checkout instructlab/training
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -138,12 +132,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ always() }}
     steps:
-      - name: "Harden Runner"
-        # v2.10.1
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
-        with:
-          egress-policy: audit
-
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
         with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -59,11 +59,6 @@ jobs:
             commands: |
               tox -e mypy
     steps:
-      - name: "Harden Runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
diff --git a/.github/workflows/pypi.yaml b/.github/workflows/pypi.yaml
@@ -36,11 +36,6 @@ jobs:
         name: Build and check packages
         runs-on: ubuntu-latest
         steps:
-            - name: "Harden Runner"
-              uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-              with:
-                  egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
             - name: "Checkout"
               uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
@@ -65,11 +60,6 @@ jobs:
         needs: build-package
 
         steps:
-            - name: "Harden Runner"
-              uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-              with:
-                  egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
             - name: "Download build artifacts"
               uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
               with:
@@ -97,11 +87,6 @@ jobs:
         needs: build-package
 
         steps:
-            - name: "Harden Runner"
-              uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-              with:
-                  egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
             - name: "Download build artifacts"
               uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
               with:
diff --git a/.github/workflows/smoke-py312.yaml b/.github/workflows/smoke-py312.yaml
@@ -107,11 +107,6 @@ jobs:
     # untrusted code from PRs.
     permissions: {}
     steps:
-      - name: "Harden runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.10.1
-        with:
-          egress-policy: audit
-
       - name: "Checkout code"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -130,11 +125,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ always() }}
     steps:
-      - name: "Harden runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.10.1
-        with:
-          egress-policy: audit
-
       - name: "Configure AWS credentials"
         uses: "aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df" # v4.2.1
         with:
diff --git a/.github/workflows/smoke.yaml b/.github/workflows/smoke.yaml
@@ -103,11 +103,6 @@ jobs:
     # untrusted code from PRs.
     permissions: {}
     steps:
-      - name: "Harden runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.10.1
-        with:
-          egress-policy: audit
-
       - name: "Checkout code"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -132,11 +127,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ always() }}
     steps:
-      - name: "Harden runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.10.1
-        with:
-          egress-policy: audit
-
       - name: "Configure AWS credentials"
         uses: "aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df" # v4.2.1
         with:
diff --git a/.github/workflows/stale_bot.yml b/.github/workflows/stale_bot.yml
@@ -23,11 +23,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - name: "Harden Runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
       - name: "Stale Action"
         uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
diff --git a/.github/workflows/unit.yaml b/.github/workflows/unit.yaml
@@ -52,11 +52,6 @@ jobs:
     # untrusted code from PRs.
     permissions: {}
     steps:
-      - name: "Harden runner"
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.10.1
-        with:
-          egress-policy: audit
-
       - name: Setup Python ${{ matrix.python }}
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
