fix: detect ubuntu-slim runners early and bail out #657
Merged
varunsh-coder merged 3 commits into step-security:main from devantler/fix/ubuntu-slim-user-env on May 2, 2026
Conversation
ubuntu-slim runners (Hosted Compute Agent Docker containers) are GitHub-hosted but lack the standard USER environment variable set on full VM-based runners. This causes chownForFolder to fail with 'chown: invalid user: undefined'. Instead of patching chownForFolder, detect ubuntu-slim early and bail out with an informative message, matching the existing patterns for isDocker(), isARCRunner(), and other unsupported runner types.

Fixes step-security#627

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Branch updated from e2d6d23 to 376d25a
Member: Thanks for the PR @devantler!
Drop the parenthetical detail from UBUNTU_SLIM_MESSAGE so the user-facing log is concise, and regenerate dist/ so the action can run from this branch without a separate build step.
varunsh-coder approved these changes, May 2, 2026
onap-github pushed a commit to onap/doc that referenced this pull request, May 4, 2026

## Release notes

Sourced from step-security/harden-runner's releases.

v2.19.1

What's Changed

fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657

What the fix changes

Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of the post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities). Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers

If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies; see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

@devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

## Commits

- a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
- 6e92856 build dist and trim ubuntu-slim message
- 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
- 376d25a fix: detect ubuntu-slim runners early and bail out

See full diff in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ifc4f0ee400eb0a8d7ff433e3dfc1cfa14c45d64a
GitHub-PR: #21
GitHub-Hash: 16753c729a7d1f65
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/sdnc-oam that referenced this pull request, May 4, 2026

## Release notes

Sourced from step-security/harden-runner's releases: the same v2.19.1 notes and commit list as in the onap/doc commit above.

See full diff in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ic52570135df9c34d87ea26ca11e0a8720341bd10
GitHub-PR: #12
GitHub-Hash: 7ae42da59904029f
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/portal-ng-bff that referenced this pull request, May 6, 2026

Bumps step-security/harden-runner from 2.14.1 to 2.19.1.

## Release notes

Sourced from step-security/harden-runner's releases.

v2.19.1

Same notes as in the onap/doc commit above.

v2.19.0

What's Changed

New Runner Support: Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

- Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
- System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

- Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

- Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.
- Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

What's Changed

Policy Store Support: Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1 ... (truncated)

## Commits

- a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
- 6e92856 build dist and trim ubuntu-slim message
- 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
- 8d3c67d Release v2.19.0 (#661)
- 6c3c2f2 Feature/deploy on self hosted vm (#658)
- 376d25a fix: detect ubuntu-slim runners early and bail out
- f808768 Feature/policy store (#656)
- fe10465 v2.16.1 (#654)
- fa2e9d6 Release v2.16.0 (#646)
- 58077d3 Release v2.15.1 (#641)

Additional commits viewable in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: I95c5b1c86367f366823439cbd6e588ad661a440c
GitHub-PR: #79
GitHub-Hash: 32f4958bb7f1d4cd
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
onap-github pushed a commit to onap/portal-ng-ui that referenced this pull request, May 7, 2026

Bumps step-security/harden-runner from 2.19.0 to 2.19.1.

## Release notes

Sourced from step-security/harden-runner's releases: the same v2.19.1 notes and commit list as in the onap/doc commit above.

See full diff in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <support@github.com>
Change-Id: Ie53ab821871f9e198a6d0762e92753e21e1e20e6
GitHub-PR: #187
GitHub-Hash: 3e039c1743712b3d
Signed-off-by: onap.gh2gerrit <releng+onap-gh2gerrit@linuxfoundation.org>
Summary

Detect ubuntu-slim runners (Hosted Compute Agent Docker containers) early and bail out with an informative message, instead of crashing with `chown: invalid user: 'undefined'`.

Problem

ubuntu-slim runners are GitHub-hosted Linux containers that lack the standard `USER` environment variable (`runner`). When harden-runner runs on these runners, `chownForFolder(process.env.USER, ...)` executes `sudo chown -R undefined /home/agent`, which crashes the step.

The existing `isDocker()` check does not catch ubuntu-slim because the `is-docker` npm package looks for `/.dockerenv`, which Hosted Compute Agent containers do not have.

Fix

Add an early bail-out check in both `setup.ts` and `cleanup.ts`:

This follows the existing patterns for `isDocker()`, `isARCRunner()`, and other unsupported runner type detection.

Detection rationale

- Full VM-based GitHub-hosted runners set `USER=runner`
- ubuntu-slim (Hosted Compute Agent Docker containers) do not set `USER`
- Combined with `isGithubHosted()` and `process.platform === "linux"`, this reliably identifies ubuntu-slim

Files changed

- `src/common.ts`: `UBUNTU_SLIM_MESSAGE` constant
- `src/setup.ts`: ubuntu-slim check next to the `isDocker()` check
- `src/cleanup.ts`: ubuntu-slim check next to the `isDocker()` check

Fixes #627
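The detection rationale in the PR body, worked through as an added example. This is not harden-runner's code and not the author's patch; `RunnerEnv`, `isUbuntuSlim`, `chownCommand`, `planSetup` and the sample environments are assumptions chosen for illustration, and the stand-in `isGithubHosted` keys on `RUNNER_ENVIRONMENT` only because the page names the helper without showing it. The block shows the failure mode the PR fixes (an unset `USER` interpolated into a shell command as the literal string `undefined`) and an early bail-out that runs before any privileged step. It also goes one step beyond the PR by refusing any unset or non-identifier `USER` value rather than only the ubuntu-slim case, which the PR deliberately did not do.

```typescript
// Added example, not harden-runner's code. Names are assumptions for
// illustration; harden-runner's real isGithubHosted()/chownForFolder are
// only referenced by the PR text and are not reproduced here.

// Injected view of the runner so the logic runs offline and is testable.
interface RunnerEnv {
  env: Record<string, string | undefined>;
  platform: string; // "linux", "darwin", "win32", ...
}

// Stand-in for the project's isGithubHosted() (assumption: keyed on
// RUNNER_ENVIRONMENT, which GitHub sets to "github-hosted" on its runners).
function isGithubHosted(r: RunnerEnv): boolean {
  return r.env.RUNNER_ENVIRONMENT === "github-hosted";
}

// PR rationale: full VM-based GitHub-hosted runners export USER=runner;
// ubuntu-slim (Hosted Compute Agent container) leaves USER unset.
function isUbuntuSlim(r: RunnerEnv): boolean {
  return isGithubHosted(r) && r.platform === "linux" && r.env.USER === undefined;
}

// The pre-fix failure mode: a template literal stringifies undefined, so the
// command becomes `sudo chown -R undefined /home/agent`.
function chownCommand(user: string | undefined, folder: string): string {
  return `sudo chown -R ${user} ${folder}`;
}

type SetupDecision =
  | { action: "skip"; reason: string }
  | { action: "proceed"; chown: string };

// Wording is illustrative; the PR's actual UBUNTU_SLIM_MESSAGE is not shown on the page.
const UBUNTU_SLIM_MESSAGE =
  "ubuntu-slim runners are not supported by Harden-Runner; skipping.";

// Early bail-out: decide before any privileged operation is attempted.
function planSetup(r: RunnerEnv, folder = "/home/agent"): SetupDecision {
  if (isUbuntuSlim(r)) {
    return { action: "skip", reason: UBUNTU_SLIM_MESSAGE };
  }
  const user = r.env.USER;
  // Defensive addition beyond the PR: never let an unset or odd USER value
  // reach a shell command, whatever runner type we failed to classify.
  if (user === undefined || !/^[a-z_][a-z0-9_-]*$/.test(user)) {
    return { action: "skip", reason: `USER is unset or invalid (${String(user)})` };
  }
  return { action: "proceed", chown: chownCommand(user, folder) };
}

// Constructed sample environments (not captured from real runners).
const fullVm: RunnerEnv = {
  env: { RUNNER_ENVIRONMENT: "github-hosted", USER: "runner" },
  platform: "linux",
};
const ubuntuSlim: RunnerEnv = {
  env: { RUNNER_ENVIRONMENT: "github-hosted" }, // USER deliberately absent
  platform: "linux",
};
const selfHostedNoUser: RunnerEnv = {
  env: { RUNNER_ENVIRONMENT: "self-hosted" },
  platform: "linux",
};

// One decision per sample environment, as JSON strings.
function demo(): string[] {
  return [fullVm, ubuntuSlim, selfHostedNoUser].map((r) => JSON.stringify(planSetup(r)));
}

console.log(demo().join("\n"));
```

The order of the checks matters: `isUbuntuSlim` is evaluated before `USER` is read at all, so the classification does not depend on the same variable whose absence caused the original crash, and the message the user sees names the runner type rather than a `chown` error. The `selfHostedNoUser` case shows why the extra validation is worth keeping even with the ubuntu-slim check in place.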