HARDEN-RUNNER v2.20.0 introduces egress block mode for macOS and Windows GitHub-hosted runners, enhancing security by preventing secret exfiltration across all supported operating systems. Previous attacks exposed vulnerabilities where compromised workflows could send secrets externally. The new feature transitions from visibility in audit mode to enforcement in block mode, preventing unauthorized outbound calls on sensitive credentials.
This update is crucial for handling macOS and Windows pipelines, which use sensitive materials like code signing certificates. Users are encouraged to start in audit mode to establish baseline policies before switching to block mode, with offers for free security audits and demonstrations.