Bump ruby/setup-ruby from 1.295.0 to 1.299.0

[dependabot]

Bumps ruby/setup-ruby from 1.295.0 to 1.299.0.

Also adds release-assets.githubusercontent.com:443 and objects.githubusercontent.com:443 to the StepSecurity harden-runner allowed-endpoints in both pullrequest.yml and main.yml to allow the ruby/setup-ruby action to download Ruby from GitHub releases, which redirects to release-assets.githubusercontent.com.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 670d953.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/ruby/setup-ruby	3ff19f5e2baf30647122352b96108b1fbe250c64	🟢 4.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 13/22 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/pullrequest.yml

[pethers]

@copilot issues downloding, step security blocks

verifypr summary

🛡 Network Activity Monitored by StepSecurity Harden-Runner

Preview of network calls made by the runner during this job run. These were automatically monitored and logged in real-time by StepSecurity Harden-Runner.

Process	Destination	Port	Status	Timestamp
node	release-assets.githubusercontent.com	443	❌ Blocked	Mar 28 2026 15:33:25
node	github.com	443	✅ Allowed	Mar 28 2026 15:33:25

[verifypr summary](https://github.com/Hack23/lambda-in-private-vpc/actions/runs/23688390302?pr=795#summary-69011650536) 🛡 Network Activity Monitored by StepSecurity Harden-Runner Preview of network calls made by the runner during this job run. These were automatically monitored and logged in real-time by [StepSecurity Harden-Runner](https://github.com/step-security/harden-runner).

Process Destination Port Status Timestamp
node Logo release-assets.githubusercontent.com 443 ❌ Blocked Mar 28 2026 15:33:25
node Logo github.com 443 ✅ Allowed Mar 28 2026 15:33:25
📊 Additional Actions

View all outbound calls correlated to each job step →
View baseline from previous job runs →
Configure Harden Runner in block mode →
Job summary generated at run-time
Annotations
1 error
verifypr
Error: connect ECONNREFUSED 54.185.253.63:443 at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1645:16)

[Copilot]

@copilot issues downloding, step security blocks

<job-summaries class="js-updatable-content js-socket-channel" data-retain-focus="" data-channel="eyJjIjoiY2hlY2tfc3VpdGVzOjYyNDI2Mj...

The ruby/setup-ruby action downloads Ruby from github.com/ruby/ruby-builder/releases/, which redirects to objects.githubusercontent.com. That endpoint was missing from the harden-runner allowed-endpoints in pullrequest.yml. Added objects.githubusercontent.com:443 in commit f0228dc. The main.yml already had this endpoint listed.

[Copilot]

Pull request overview

This PR updates the GitHub Actions workflows to use a newer pinned commit of ruby/setup-ruby and adjusts the StepSecurity harden-runner egress allow-list to accommodate Ruby downloads that redirect via GitHub’s objects.githubusercontent.com.

Changes:

• Bump ruby/setup-ruby from v1.295.0 to v1.299.0 (pinned SHA) in both workflows.
• Add objects.githubusercontent.com:443 to pullrequest.yml harden-runner allowed-endpoints so Ruby downloads can succeed under egress blocking.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/pullrequest.yml	Adds objects.githubusercontent.com:443 to the egress allow-list and bumps ruby/setup-ruby to v1.299.0.
.github/workflows/main.yml	Bumps ruby/setup-ruby to v1.299.0.

Comments suppressed due to low confidence (1)

.github/workflows/pullrequest.yml:24

• docs.github.com:433 looks like a typo (HTTPS is typically 443). If this endpoint is intended to be reachable under the hardened egress policy, it should be docs.github.com:443; otherwise remove it to avoid a misleading allow-list entry.

            pypi.org:443
            www.bridgecrew.cloud:443
            docs.github.com:433
            api.github.com:443

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pethers]

@copilot fix Verify Pull Request / verifypr (pull_request)
Verify Pull Request / verifypr (pull_request)Failing after 1m

[Copilot]

@copilot fix Verify Pull Request / verifypr (pull_request)
Verify Pull Request / verifypr (pull_requ...

The Ruby download URL (github.com/ruby/ruby-builder/releases/...) redirects to release-assets.githubusercontent.com, which was not in the allowed-endpoints list. The previous fix incorrectly added objects.githubusercontent.com — that's a different domain. Added release-assets.githubusercontent.com:443 to both pullrequest.yml and main.yml in commit 670d953.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• 63.253.185.54.in-addr.arpa
  • Triggering command: /usr/bin/host host 54.185.253.63 (dns block)
  • Triggering command: /usr/bin/nslookup nslookup 54.185.253.63 (dns block)
  • Triggering command: /usr/bin/dig dig -x 54.185.253.63 +short (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)