Sourced from step-security/harden-runner's releases.
v2.19.1
What's Changed
- fix: detect ubuntu-slim runners early and bail out by
@​devantlerin step-security/harden-runner#657What the fix changes
- Harden-Runner will detect
ubuntu-slimrunners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.What the fix does not do
- Jobs running on
ubuntu-slimwill not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).- Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.
For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of
ubuntu-slimvia workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.New Contributors
@​devantlermade their first contribution in step-security/harden-runner#657Full Changelog: https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1