Skip to content

fix(tfvalidate): remove harden security restriction for community/enterprise#180

Open
billyjbryant wants to merge 3 commits into
fleetdm:mainfrom
billyjbryant:billyjbryant/fix-tfvalidate
Open

fix(tfvalidate): remove harden security restriction for community/enterprise#180
billyjbryant wants to merge 3 commits into
fleetdm:mainfrom
billyjbryant:billyjbryant/fix-tfvalidate

Conversation

@billyjbryant
Copy link
Copy Markdown

@billyjbryant billyjbryant commented Feb 17, 2026
edited
Loading

Summary

Using the harden-runner action requires a license seat with Step Security's platform. For those that do not have this, the automations featured here will fail. This PR disables this action step by default.

For those that do have Step Security, it can be easily re-enabled by adding a Repository Variable of TFVALIDATE_USE_HARDEN_RUNNER with a value of true to the GitHub repository.

The PR also adds a visual for the TFValidate on the PR as a comment and updates the versions of all action includes.

Changes

  • .github/workflows/tfvalidate.yml: Adjusted workflow so tfvalidate can run in contexts that don't have the harden security option enabled.

Testing

  • Workflow runs successfully on push/PR when only **.tf paths change.
  • No dependency on harden security / enterprise-only features.

@billyjbryant
fix(tfvalidate): Removes harden security which doesn't allow use with…
3b542f8 
…out a community edition or enterprise agreement
@billyjbryant billyjbryant requested review from a team, ddribeiro and edwardsb as code owners February 17, 2026 23:04
@rfairburn
Copy link
Copy Markdown
Contributor

rfairburn commented Feb 18, 2026

Thank you for the submission. I am going to look at updating the PR to allow us to optionally still use the harden runner but to still allow any Forks to bypass it if specific conditions are not present. Hopefully this will meet your needs while not changing functionality on our end.

@billyjbryant
feat(tfvalidate): optional harden runner, PR validation status comment
bf1555e 
- Make step-security/harden-runner optional via vars.TFVALIDATE_USE_HARDEN_RUNNER
- Add PR comment with validation status using peter-evans/find-comment and create-or-update-comment
- Build comment body with gh/jq in tfvalidate job step
@billyjbryant
Copy link
Copy Markdown
Author

billyjbryant commented Feb 19, 2026

Thank you for the submission. I am going to look at updating the PR to allow us to optionally still use the harden runner but to still allow any Forks to bypass it if specific conditions are not present. Hopefully this will meet your needs while not changing functionality on our end.

I made a few changes, let me know if that works for you :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edwardsb edwardsb Awaiting requested review from edwardsb

@ddribeiro ddribeiro Awaiting requested review from ddribeiro ddribeiro is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@billyjbryant @rfairburn