fix: detect ubuntu-slim runners early and bail out #657
Merged
varunsh-coder merged 3 commits on May 2, 2026
ubuntu-slim runners (Hosted Compute Agent Docker containers) are GitHub-hosted but lack the standard USER environment variable set on full VM-based runners. This causes chownForFolder to fail with 'chown: invalid user: undefined'.

Instead of patching chownForFolder, detect ubuntu-slim early informative message, matching the existing patterns for isDocker(), isARCRunner(), and other unsupported runner types.

Fixes step-security#627

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
e2d6d23 to 376d25a
Member
Thanks for the PR @devantler!
Drop the parenthetical detail from UBUNTU_SLIM_MESSAGE so the user-facing log is concise, and regenerate dist/ so the action can run from this branch without a separate build step.
varunsh-coder approved these changes May 2, 2026
onap-github pushed a commit to onap/doc that referenced this pull request May 4, 2026
## Release notes

Sourced from step-security/harden-runner's releases.

### v2.19.1

#### What's Changed

- fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657

#### What the fix changes

Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

#### What the fix does not do

Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners:

> "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported."

Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

#### For StepSecurity enterprise customers

If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies; see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

#### New Contributors

- @devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

## Commits

- a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
- 6e92856 build dist and trim ubuntu-slim message
- 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
- 376d25a fix: detect ubuntu-slim runners early and bail out
- See full diff in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ifc4f0ee400eb0a8d7ff433e3dfc1cfa14c45d64a
GitHub-PR: #21
GitHub-Hash: 16753c729a7d1f65
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
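The release notes above state that jobs on ubuntu-slim are not monitored even when the Harden-Runner step is present. As an added example (not code from this PR or from StepSecurity), the following Python check flags such jobs in a workflow file. The sample workflow is constructed, the function names are hypothetical, and the line-based parser assumes the common `runs-on` forms only (scalar, inline list, block list).

```python
import re

SLIM_LABEL = "ubuntu-slim"                     # runner label named on this page
HARDEN_ACTION = "step-security/harden-runner"  # action named on this page

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-slim
    steps:
      - uses: step-security/harden-runner@v2.19.1  # exits early here
      - uses: actions/checkout@v4
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden
        uses: step-security/harden-runner@v2.19.1
      - run: make
  test:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, ubuntu-slim]
    steps:
      - uses: step-security/harden-runner@v2.19.1
  docs:
    runs-on:
      - ubuntu-slim
    steps:
      - run: make docs
"""


def _labels(value):
    """Split a runs-on scalar or inline list ([a, b]) into label strings."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        parts = value[1:-1].split(",")
    else:
        parts = [value]
    return [p.strip().strip("'\"") for p in parts if p.strip()]


def parse_jobs(text):
    """Return {job_id: {"labels": [...], "harden": bool}} from workflow text."""
    jobs, current = {}, None
    in_jobs, job_indent, list_indent = False, None, None
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw.rstrip())  # drop trailing comments
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                      # top-level key: name, on, jobs, ...
            in_jobs, job_indent, current = body == "jobs:", None, None
            continue
        if not in_jobs:
            continue
        if job_indent is None:               # first child of jobs: sets job indent
            job_indent = indent
        if indent == job_indent:             # a new job id
            current = jobs.setdefault(body.rstrip(":"), {"labels": [], "harden": False})
            list_indent = None
            continue
        if current is None:
            continue
        if list_indent is not None:          # inside a block-style runs-on list
            if body.startswith("- ") and indent >= list_indent:
                current["labels"] += _labels(body[2:])
                continue
            list_indent = None
        m = re.match(r"runs-on:\s*(.*)$", body)
        if m:
            if m.group(1):
                current["labels"] = _labels(m.group(1))
            else:
                list_indent = indent         # labels follow as "- item" lines
            continue
        m = re.match(r"(?:-\s+)?uses:\s*(\S+)", body)
        if m:
            name = m.group(1).strip("'\"").split("@")[0].lower()
            current["harden"] = current["harden"] or name == HARDEN_ACTION
    return jobs


def classify(job):
    labels = [label.lower() for label in job["labels"]]
    if SLIM_LABEL in labels:
        return "unmonitored"      # Harden-Runner exits early on ubuntu-slim
    if any("${{" in label for label in labels):
        return "review"           # label resolved at run time (e.g. a matrix)
    return "monitored" if job["harden"] else "no-harden-runner"


def audit(text):
    """Map each job id to its monitoring status."""
    return {name: classify(job) for name, job in parse_jobs(text).items()}


if __name__ == "__main__":
    for job_id, status in audit(SAMPLE).items():
        print(f"{job_id}: {status}")
```

The `review` status matters because a matrix or expression can resolve to ubuntu-slim at run time, which a static check cannot see.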
onap-github pushed a commit to onap/sdnc-oam that referenced this pull request May 4, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ic52570135df9c34d87ea26ca11e0a8720341bd10
GitHub-PR: #12
GitHub-Hash: 7ae42da59904029f
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/portal-ng-bff that referenced this pull request May 6, 2026
Bumps step-security/harden-runner from 2.14.1 to 2.19.1.

## Release notes

Sourced from step-security/harden-runner's releases.

### v2.19.1

#### What's Changed

- fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657

#### What the fix changes

Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

#### What the fix does not do

Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners:

> "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported."

Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

#### For StepSecurity enterprise customers

If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies; see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

#### New Contributors

- @devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

### v2.19.0

#### What's Changed

#### New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

#### Automated Incident Response for Supply Chain Attacks

- Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
- System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

#### Bug Fixes

- Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

### v2.18.0

#### What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

### v2.17.0

#### What's Changed

#### Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

### v2.16.1

... (truncated)

## Commits

- a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
- 6e92856 build dist and trim ubuntu-slim message
- 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
- 8d3c67d Release v2.19.0 (#661)
- 6c3c2f2 Feature/deploy on self hosted vm (#658)
- 376d25a fix: detect ubuntu-slim runners early and bail out
- f808768 Feature/policy store (#656)
- fe10465 v2.16.1 (#654)
- fa2e9d6 Release v2.16.0 (#646)
- 58077d3 Release v2.15.1 (#641)
- Additional commits viewable in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I95c5b1c86367f366823439cbd6e588ad661a440c
GitHub-PR: #79
GitHub-Hash: 32f4958bb7f1d4cd
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/portal-ng-ui that referenced this pull request May 7, 2026
Bumps step-security/harden-runner from 2.19.0 to 2.19.1.

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ie53ab821871f9e198a6d0762e92753e21e1e20e6
GitHub-PR: #187
GitHub-Hash: 3e039c1743712b3d
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/integration-python-onapsdk that referenced this pull request May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ia47c3f111339b6371b2bc9c5f8cc8f94051d0e3b
GitHub-PR: #1
GitHub-Hash: 24bd715c088244b0
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/aai-traversal that referenced this pull request May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I7e55b5fb28a12e3a1efa02845c53815a62b2d889
GitHub-PR: #2
GitHub-Hash: 8ec98bdbc3648d9d
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/aai-sparky-be that referenced this pull request May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ie1c033b2c49870be1a21feeb57397632ea67adaf
GitHub-PR: #3
GitHub-Hash: 4d8fbf7e2a916957
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/aai-schema-service that referenced this pull request May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Iacdf5ee91b1522100cf6cce2edd67b19474cae7b
GitHub-PR: #4
GitHub-Hash: a86a5131faa2f9e5
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/portal-ng-preferences that referenced this pull request May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: If851f662f85f8e2006e42bc60d667427ad2724b3
GitHub-PR: #39
GitHub-Hash: b94f1498bbb000e7
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/oparent
that referenced
this pull request
May 13, 2026
(truncated)

## Commits

a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
8d3c67d Release v2.19.0 (#661)
6c3c2f2 Feature/deploy on self hosted vm (#658)
376d25a fix: detect ubuntu-slim runners early and bail out
f808768 Feature/policy store (#656)
fe10465 v2.16.1 (#654)
See full diff in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I5e04637c97658a03ded90fdd07dbc64bf5755e59
GitHub-PR: #14
GitHub-Hash: e96420ab2fc67eb8
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/aai-aai-common
that referenced
this pull request
May 13, 2026
(truncated)

## Commits

a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
8d3c67d Release v2.19.0 (#661)
6c3c2f2 Feature/deploy on self hosted vm (#658)
376d25a fix: detect ubuntu-slim runners early and bail out
f808768 Feature/policy store (#656)
fe10465 v2.16.1 (#654)
fa2e9d6 Release v2.16.0 (#646)
58077d3 Release v2.15.1 (#641)
Additional commits viewable in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Id7afa776a5ba86fc1a22a4fa3d17e151d13ae95b
GitHub-PR: #39
GitHub-Hash: 2aa7eb380711f57d
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/usecase-ui
that referenced
this pull request
May 13, 2026
(truncated)

## Commits

a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
8d3c67d Release v2.19.0 (#661)
6c3c2f2 Feature/deploy on self hosted vm (#658)
376d25a fix: detect ubuntu-slim runners early and bail out
f808768 Feature/policy store (#656)
fe10465 v2.16.1 (#654)
fa2e9d6 Release v2.16.0 (#646)
58077d3 Release v2.15.1 (#641)
Additional commits viewable in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: If9755a1f3a629dae75fb3ce0118806d671ac4a9a
GitHub-PR: #4
GitHub-Hash: 3df06faf50fb6afc
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/sdc-sdc-workflow-designer
that referenced
this pull request
May 13, 2026
## Commits

a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
376d25a fix: detect ubuntu-slim runners early and bail out
See full diff in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I4e1e943ab41506db620d04bf1f0848d5d105d739
GitHub-PR: #11
GitHub-Hash: cac1a9a213e94e77
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/multicloud-framework
that referenced
this pull request
May 13, 2026
(truncated)

## Commits

a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
8d3c67d Release v2.19.0 (#661)
6c3c2f2 Feature/deploy on self hosted vm (#658)
376d25a fix: detect ubuntu-slim runners early and bail out
f808768 Feature/policy store (#656)
fe10465 v2.16.1 (#654)
fa2e9d6 Release v2.16.0 (#646)
58077d3 Release v2.15.1 (#641)
Additional commits viewable in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I9a14050afc756d6d3c26e77d25cda8e9b67432e0
GitHub-PR: #2
GitHub-Hash: 9bfa344e1f1c2b7b
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/sdc-onap-ui-common
that referenced
this pull request
May 13, 2026
(truncated)

## Commits

a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
8d3c67d Release v2.19.0 (#661)
6c3c2f2 Feature/deploy on self hosted vm (#658)
376d25a fix: detect ubuntu-slim runners early and bail out
f808768 Feature/policy store (#656)
fe10465 v2.16.1 (#654)
fa2e9d6 Release v2.16.0 (#646)
58077d3 Release v2.15.1 (#641)
Additional commits viewable in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I1b0dd238aef419d6d57d8fee593faf30050a7c96
GitHub-PR: #4
GitHub-Hash: e37652f14dca910d
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/usecase-ui-intent-analysis
that referenced
this pull request
May 13, 2026
(truncated)

## Commits

a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
8d3c67d Release v2.19.0 (#661)
6c3c2f2 Feature/deploy on self hosted vm (#658)
376d25a fix: detect ubuntu-slim runners early and bail out
f808768 Feature/policy store (#656)
fe10465 v2.16.1 (#654)
fa2e9d6 Release v2.16.0 (#646)
58077d3 Release v2.15.1 (#641)
Additional commits viewable in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I33229df4cb6a964cbb200999c7e64dac469a639e
GitHub-PR: #1
GitHub-Hash: 33e8fc4ca350e618
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/sdc-onap-ui-angular
that referenced
this pull request
May 13, 2026
(truncated) ## Commits a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 8d3c67d Release v2.19.0 (#661) 6c3c2f2 Feature/deploy on self hosted vm (#658) 376d25a fix: detect ubuntu-slim runners early and bail out f808768 Feature/policy store (#656) fe10465 v2.16.1 (#654) fa2e9d6 Release v2.16.0 (#646) 58077d3 Release v2.15.1 (#641) Additional commits viewable in compare view  Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: I929d232555fd924da77bc74786371f73fbb0e9bd GitHub-PR: #4 GitHub-Hash: a7e667bdd2a12470 Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
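A repository-side check for the gap these release notes describe, as an added example that is not part of harden-runner or of the commit message above: because v2.19.1 exits cleanly on ubuntu-slim, a passing Harden-Runner step no longer implies the job was monitored. The line-based workflow parsing, the function names and the sample workflow are assumptions constructed here.

```python
import re

SLIM_LABEL = "ubuntu-slim"
HARDEN_RUNNER = "step-security/harden-runner"

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-slim   # single-CPU container runner
    steps:
      - uses: step-security/harden-runner@v2.19.1
        with:
          egress-policy: audit
      - run: make lint
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.19.1
      - run: make
  test:
    strategy:
      matrix:
        os: [ubuntu-latest, ubuntu-slim]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: step-security/harden-runner@v2.19.1
  docs:
    runs-on:
      - ubuntu-slim
    steps:
      - run: make docs
"""


def _clean(line):
    """Drop comment-only lines and trailing ' # ...' comments (heuristic)."""
    line = line.rstrip()
    if line.lstrip().startswith("#"):
        return ""
    return re.sub(r"\s+#.*$", "", line)


def split_jobs(text):
    """Return {job_id: [lines]} for each job under the top-level `jobs:` key."""
    jobs, current, job_indent, in_jobs = {}, None, None, False
    for raw in text.splitlines():
        line = _clean(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                      # a new top-level key
            in_jobs = line.startswith("jobs:")
            current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:               # first job fixes the job-id indent
            job_indent = indent
        if indent == job_indent:
            current = line.strip().rstrip(":").strip("'\"")
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def runner_labels(job_lines):
    """Labels from a job-level `runs-on:` (scalar, flow list or block list).
    The `group:`/`labels:` mapping form is not handled and yields []."""
    if not job_lines:
        return []
    prop_indent = len(job_lines[0]) - len(job_lines[0].lstrip())
    for i, line in enumerate(job_lines):
        m = re.match(r"^(\s*)runs-on:\s*(.*)$", line)
        if not m or len(m.group(1)) != prop_indent:
            continue
        value = m.group(2).strip()
        if value.startswith("["):            # flow sequence: [a, b]
            items = value.strip("[]").split(",")
        elif value:                          # plain scalar or ${{ expression }}
            items = [value]
        else:                                # block sequence on following lines
            items = []
            for nxt in job_lines[i + 1:]:
                if not nxt.lstrip().startswith("- "):
                    break
                items.append(nxt.lstrip()[2:])
        return [x.strip().strip("'\"") for x in items if x.strip()]
    return []


def audit(text):
    """Return (job, how, has_harden_runner) for jobs that can land on ubuntu-slim.
    how is 'static' for a literal label, 'matrix' for an expression-selected one."""
    uses = re.compile(r"uses:\s*['\"]?" + re.escape(HARDEN_RUNNER) + "@")
    findings = []
    for job, lines in split_jobs(text).items():
        labels = runner_labels(lines)
        hardened = any(uses.search(l) for l in lines)
        if SLIM_LABEL in labels:
            findings.append((job, "static", hardened))
        elif any("${{" in l for l in labels) and any(SLIM_LABEL in l for l in lines):
            findings.append((job, "matrix", hardened))
    return findings


if __name__ == "__main__":
    for job, how, hardened in audit(SAMPLE_WORKFLOW):
        note = "Harden-Runner step present but will not monitor" if hardened else "no Harden-Runner step"
        print(f"{job}: ubuntu-slim ({how}); {note}")
```

Findings with `has_harden_runner` set to true are the ones to act on first: the step is present and passes, but the job runs without monitoring.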
onap-github
pushed a commit
to onap/ccsdk-distribution
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I365b8be23874b04cecc2fc8b72b5999bec819139
GitHub-PR: #3
GitHub-Hash: 07db4ed7e1ee1684
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/ccsdk-parent
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Idcd3b1721b1a814558135551ebec675bf2ae970b
GitHub-PR: #15
GitHub-Hash: 14f3cc12253e561e
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/integration
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I1718a68b4e175776b59307a85fa456285ca356c0
GitHub-PR: #2
GitHub-Hash: 1cec8a6e89252edf
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/aai-rest-client
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I5960aea7ad4d5d32932a5a9fbddc2fde6fc0eb87
GitHub-PR: #3
GitHub-Hash: 9dfe5c151aa4a150
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/aai-sparky-fe
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I50eea14f47ec4af9224e6e3df021bdb938085b9e
GitHub-PR: #5
GitHub-Hash: 07b2e67411057aa9
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/dcaegen2
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ifd7a50b63ffde21a49f5ad43d069c1c4fc18cebe
GitHub-PR: #5
GitHub-Hash: cd903cb19e6c2d91
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/sdc-sdc-tosca
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Iad06851fe384185f0d6de05167ead74d93f52419
GitHub-PR: #11
GitHub-Hash: ff9ee7045af00281
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/policy-drools-pdp
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I5a522ae25ea8870944fcf9c7f121a38e8c00f042
GitHub-PR: #5
GitHub-Hash: 35f4b958d1719df2
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/so
that referenced
this pull request
May 13, 2026
Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I2899022a7d068c7eb6b8b27db7c493131846a5a5
GitHub-PR: #19
GitHub-Hash: 3efc8aca96cff393
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/policy-docker
that referenced
this pull request
May 13, 2026
## Release notes Sourced from step-security/harden-runner's releases. v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 v2.19.0 What's Changed New Runner Support Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners. Automated Incident Response for Supply Chain Attacks Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode. 
System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets). Bug Fixes Windows and macOS: stability and reliability fixes Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0 v2.18.0 What's Changed Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes. Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible. Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0 v2.17.0 What's Changed Policy Store Support Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode. Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0 v2.16.1 ... 
(truncated) ## Commits a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 8d3c67d Release v2.19.0 (#661) 6c3c2f2 Feature/deploy on self hosted vm (#658) 376d25a fix: detect ubuntu-slim runners early and bail out f808768 Feature/policy store (#656) fe10465 v2.16.1 (#654) fa2e9d6 Release v2.16.0 (#646) 58077d3 Release v2.15.1 (#641) Additional commits viewable in compare view  Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: Icf239cb286d9701fa1e5488185160ce7f595a80d GitHub-PR: #5 GitHub-Hash: 27d3801c8f5e6ddd Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/usecase-ui-llm-adaptation
that referenced
this pull request
May 13, 2026
## Release notes Sourced from step-security/harden-runner's releases. v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 v2.19.0 What's Changed New Runner Support Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners. Automated Incident Response for Supply Chain Attacks Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode. 
System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets). Bug Fixes Windows and macOS: stability and reliability fixes Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0 v2.18.0 What's Changed Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes. Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible. Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0 v2.17.0 What's Changed Policy Store Support Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode. Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0 v2.16.1 ... 
(truncated) ## Commits a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 8d3c67d Release v2.19.0 (#661) 6c3c2f2 Feature/deploy on self hosted vm (#658) 376d25a fix: detect ubuntu-slim runners early and bail out f808768 Feature/policy store (#656) fe10465 v2.16.1 (#654) fa2e9d6 Release v2.16.0 (#646) 58077d3 Release v2.15.1 (#641) Additional commits viewable in compare view  Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: I3950b750a5b857afeae1f7f64dbb3a4799e52fd1 GitHub-PR: #3 GitHub-Hash: 79f1e0c1d9b25003 Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/sdc-sdc-be-common
that referenced
this pull request
May 13, 2026
## Release notes Sourced from step-security/harden-runner's releases. v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 ## Commits a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 376d25a fix: detect ubuntu-slim runners early and bail out See full diff in compare view Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: I14ee3977cfbb8581e33bf3ef57134749844d2779 GitHub-PR: #16 GitHub-Hash: 51faf32a9d1f2fac Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/aai-model-loader
that referenced
this pull request
May 13, 2026
## Release notes Sourced from step-security/harden-runner's releases. v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 ## Commits a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 376d25a fix: detect ubuntu-slim runners early and bail out See full diff in compare view Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: Iabea98a122d7fc5bcf84e0c811e62c0063019f92 GitHub-PR: #16 GitHub-Hash: 0f2fc08daf0de206 Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
fdio-github
pushed a commit
to FDio/csit
that referenced
this pull request
May 13, 2026
Bumps step-security/harden-runner from 2.19.0 to 2.19.1. ## Release notes Sourced from step-security/harden-runner's releases. v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 ## Commits a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 376d25a fix: detect ubuntu-slim runners early and bail out See full diff in compare view  Signed-off-by: dependabot[bot] <support@github.com> Change-Id: I19987e3d0e0805f3f6ac3876f39760d462f98bea GitHub-PR: #4147 GitHub-Hash: 4f9f807f2e69d352 Signed-off-by: fdio.github <releng+fdio-github@linuxfoundation.org>
onap-github
pushed a commit
to onap/doc-doc-best-practice
that referenced
this pull request
May 18, 2026
Bumps step-security/harden-runner from 2.14.1 to 2.19.3. ## Release notes Sourced from step-security/harden-runner's releases. v2.19.3 What's Changed Default to audit mode when api-key missing with use-policy-store by @varunsh-coder in step-security/harden-runner#665 Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3 v2.19.2 What's Changed Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs. Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2 v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. 
New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 v2.19.0 What's Changed New Runner Support Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners. Automated Incident Response for Supply Chain Attacks Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode. System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets). Bug Fixes Windows and macOS: stability and reliability fixes Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0 v2.18.0 What's Changed Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes. ... 
(truncated) ## Commits ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit ec41b78 Default to audit mode when api-key missing with use-policy-store 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5 1dee3df Update agent to v1.8.5 a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 8d3c67d Release v2.19.0 (#661) 6c3c2f2 Feature/deploy on self hosted vm (#658) 376d25a fix: detect ubuntu-slim runners early and bail out Additional commits viewable in compare view  Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: I2309b256cc278f2c61730ee38e020a5cae95e103 GitHub-PR: #5 GitHub-Hash: 0be516127e73d3e3 Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/ccsdk-cds
that referenced
this pull request
May 19, 2026
Bumps step-security/harden-runner from 2.19.0 to 2.19.1. ## Release notes Sourced from step-security/harden-runner's releases. v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. 
New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 ## Commits a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 376d25a fix: detect ubuntu-slim runners early and bail out See full diff in compare view  Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: Iaa6fe3a6120339b82bbf89dc284fdefd5c12a249 GitHub-PR: #12 GitHub-Hash: 2c9b99c8e030dd37 Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/ccsdk-apps
that referenced
this pull request
Jun 2, 2026
## Release notes Sourced from step-security/harden-runner's releases. v2.19.4 What's Changed Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4 v2.19.3 What's Changed Default to audit mode when api-key missing with use-policy-store by @varunsh-coder in step-security/harden-runner#665 Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3 v2.19.2 What's Changed Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs. Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2 v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. 
New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 v2.19.0 What's Changed New Runner Support Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners. Automated Incident Response for Supply Chain Attacks Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode. System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets). Bug Fixes Windows and macOS: stability and reliability fixes ... (truncated) ## Commits 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6 485dce8 Update agent to v1.8.6 ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit ec41b78 Default to audit mode when api-key missing with use-policy-store 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5 1dee3df Update agent to v1.8.5 a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 8d3c67d Release v2.19.0 (#661) Additional commits viewable in compare view Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: Id1b392ae8bccba6589eef5e60ff88d26b8a6540c GitHub-PR: #8 GitHub-Hash: 112447c819fa3eb0 Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github
pushed a commit
to onap/portal-ng-history
that referenced
this pull request
Jun 3, 2026
Bumps step-security/harden-runner from 2.18.0 to 2.19.4. ## Release notes Sourced from step-security/harden-runner's releases. v2.19.4 What's Changed Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4 v2.19.3 What's Changed Default to audit mode when api-key missing with use-policy-store by @varunsh-coder in step-security/harden-runner#665 Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3 v2.19.2 What's Changed Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs. Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2 v2.19.1 What's Changed fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657 What the fix changes Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'. What the fix does not do Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today. For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types. 
New Contributors @devantler made their first contribution in step-security/harden-runner#657 Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1 v2.19.0 What's Changed New Runner Support Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners. Automated Incident Response for Supply Chain Attacks Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode. System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets). Bug Fixes Windows and macOS: stability and reliability fixes ... (truncated) ## Commits 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6 485dce8 Update agent to v1.8.6 ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit ec41b78 Default to audit mode when api-key missing with use-policy-store 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5 1dee3df Update agent to v1.8.5 a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env 6e92856 build dist and trim ubuntu-slim message 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env 8d3c67d Release v2.19.0 (#661) Additional commits viewable in compare view  Issue-ID: CIMAN-33 Signed-off-by: dependabot[bot] <support@github.com> Change-Id: Iaa18f702878326c26575321cf174343d8a904f65 GitHub-PR: #68 GitHub-Hash: 66f7a122f3a4e993 Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
Summary

Detect ubuntu-slim runners (Hosted Compute Agent Docker containers) early and bail out with an informative message, instead of crashing with chown: invalid user: 'undefined'.

Problem

ubuntu-slim runners are GitHub-hosted Linux containers that lack the standard USER environment variable (runner). When harden-runner runs on these runners, chownForFolder(process.env.USER, ...) executes sudo chown -R undefined /home/agent, which crashes the step.

The existing isDocker() check does not catch ubuntu-slim because the is-docker npm package looks for /.dockerenv, which Hosted Compute Agent containers do not have.

Fix

Add an early bail-out check in both setup.ts and cleanup.ts:

This follows the existing patterns for isDocker(), isARCRunner(), and other unsupported runner type detection.

Detection rationale

- USER=runner
- ubuntu-slim (Hosted Compute Agent Docker containers) do not set USER
- isGithubHosted() and process.platform === "linux", this reliably identifies ubuntu-slim

Files changed

- src/common.ts: UBUNTU_SLIM_MESSAGE constant
- src/setup.ts: isDocker() check
- src/cleanup.ts: isDocker() check

Fixes #627
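The detection rationale in the description above, worked through as an added JavaScript example; it is not harden-runner's code and not part of the pull request. Assumptions: isGithubHosted() is modelled as reading RUNNER_ENVIRONMENT, SKIP_MESSAGE is a placeholder for the UBUNTU_SLIM_MESSAGE text (not shown on the page), and chownCommandBefore, planCleanup and the sample environments are hypothetical names and constructed data. The refusal for a missing USER on other runner types goes beyond what the PR describes.

```javascript
// Placeholder: the real UBUNTU_SLIM_MESSAGE wording is not shown on the page.
const SKIP_MESSAGE = "<placeholder: ubuntu-slim runner detected, skipping>";

// Assumption: GitHub-hosted runners export RUNNER_ENVIRONMENT=github-hosted.
function isGithubHosted(env) {
  return env.RUNNER_ENVIRONMENT === "github-hosted";
}

// Heuristic from the PR description: GitHub-hosted + Linux + USER not set.
function isUbuntuSlim(env, platform) {
  return isGithubHosted(env) && platform === "linux" && !env.USER;
}

// "Before": the owner is interpolated unchecked, so a missing USER turns
// into the literal string "undefined" and chown rejects it as a user name.
function chownCommandBefore(env, folder) {
  return `sudo chown -R ${env.USER} ${folder}`;
}

// "After": classify the runner first and only build a chown argv when an
// owner is actually known. Returning a plan keeps this example side-effect free.
function planCleanup(env, platform, folder) {
  if (isUbuntuSlim(env, platform)) {
    // Early bail-out: log and exit cleanly; the job runs unmonitored.
    return { action: "skip", message: SKIP_MESSAGE };
  }
  if (!env.USER) {
    // Extra guard (not from the PR): never pass an undefined owner to chown
    // on runner types the heuristic above does not cover.
    return { action: "error", message: "USER is not set; refusing to run chown" };
  }
  // argv form avoids building a shell string from environment data.
  return { action: "chown", argv: ["sudo", "chown", "-R", env.USER, folder] };
}

// Constructed environments, one per runner type discussed on the page.
const SAMPLE_RUNNERS = {
  fullVm: {
    env: { RUNNER_ENVIRONMENT: "github-hosted", USER: "runner" },
    platform: "linux",
  },
  ubuntuSlim: {
    env: { RUNNER_ENVIRONMENT: "github-hosted" }, // USER missing
    platform: "linux",
  },
  selfHostedNoUser: {
    env: { RUNNER_ENVIRONMENT: "self-hosted" }, // USER missing, not GitHub-hosted
    platform: "linux",
  },
  macos: {
    env: { RUNNER_ENVIRONMENT: "github-hosted", USER: "runner" },
    platform: "darwin",
  },
};

// Run every sample through the classifier and return name -> action.
function summarize(folder) {
  const result = {};
  for (const [name, runner] of Object.entries(SAMPLE_RUNNERS)) {
    result[name] = planCleanup(runner.env, runner.platform, folder).action;
  }
  return result;
}

console.log(chownCommandBefore(SAMPLE_RUNNERS.ubuntuSlim.env, "/home/agent"));
console.log(summarize("/home/agent"));
```

A "skip" result means the step succeeds while the job goes unmonitored, so a pipeline that requires monitoring still needs the runner-label policy mentioned in the release notes.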