chore(deps): update step-security/harden-runner action to v2.19.1 (main)#425

Merged

renovate[bot] merged 1 commit into

mainfrom

renovate/main-step-security-harden-runner-2.x

May 9, 2026

Contributor

renovate Bot commented May 9, 2026

This PR contains the following updates:

Package	Type	Update	Change
step-security/harden-runner	action	patch	`v2.19.0` → `v2.19.1`

Release Notes

step-security/harden-runner (step-security/harden-runner)

`v2.19.1`

What's Changed

fix: detect ubuntu-slim runners early and bail out by @devantler in #657

What the fix changes

Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

@devantler made their first contribution in #657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update step-security/harden-runner action to v2.19.1

018066f

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

renovate Bot enabled auto-merge (squash)

May 9, 2026 13:45

renovate-approve Bot approved these changes

View reviewed changes

renovate Bot merged commit cdf63c2 into main

10 checks passed

renovate Bot deleted the renovate/main-step-security-harden-runner-2.x branch

May 9, 2026 13:46

github-actions Bot commented May 9, 2026

renovate[bot]
This pull request has been included in the following image tags:

ghcr.io/vexxhost/python-base-almalinux:main
ghcr.io/vexxhost/python-base-almalinux:latest
ghcr.io/vexxhost/python-base-almalinux:cdf63c2

Digest: ghcr.io/vexxhost/python-base-almalinux@sha256:9dc33256998f45333562536fd404881779b22f55053c96cca96a0b5d64bce7ac

github-actions Bot commented May 9, 2026

renovate[bot]
This pull request has been included in the following image tags:

ghcr.io/vexxhost/python-base-ubuntu-cloud-archive:main
ghcr.io/vexxhost/python-base-ubuntu-cloud-archive:latest
ghcr.io/vexxhost/python-base-ubuntu-cloud-archive:cdf63c2

Digest: ghcr.io/vexxhost/python-base-ubuntu-cloud-archive@sha256:973a4db9afaaf55a91f9b4e6492c2beb9630831c3d446928696c968dbe649343

github-actions Bot commented May 9, 2026

renovate[bot]
This pull request has been included in the following image tags:

ghcr.io/vexxhost/python-base-ubuntu:main
ghcr.io/vexxhost/python-base-ubuntu:latest
ghcr.io/vexxhost/python-base-ubuntu:cdf63c2

Digest: ghcr.io/vexxhost/python-base-ubuntu@sha256:e8a4dcb6dd1cfa35571b50ef6a4d4c71b1c1ba1f33702d8e8eef22c7c578fb05

github-actions Bot commented May 9, 2026

renovate[bot]
This pull request has been included in the following image tags:

ghcr.io/vexxhost/python-base-debian:main
ghcr.io/vexxhost/python-base-debian:latest
ghcr.io/vexxhost/python-base-debian:cdf63c2

Digest: ghcr.io/vexxhost/python-base-debian@sha256:39b21cfdaed03a9c53f9ead65431835e9a22edc21a9e6d6239921b1372d745b6

github-actions Bot commented May 9, 2026

renovate[bot]
This pull request has been included in the following image tags:

ghcr.io/vexxhost/python-base:main
ghcr.io/vexxhost/python-base:latest
ghcr.io/vexxhost/python-base:cdf63c2

Digest: ghcr.io/vexxhost/python-base@sha256:7685a5be97973d7bed940ec4efcf0f34a70ac25cd74d857a80057c2c7286055d

github-actions Bot commented May 9, 2026

renovate[bot]
This pull request has been included in the following image tags:

ghcr.io/vexxhost/python-base-rockylinux:main
ghcr.io/vexxhost/python-base-rockylinux:latest
ghcr.io/vexxhost/python-base-rockylinux:cdf63c2

Digest: ghcr.io/vexxhost/python-base-rockylinux@sha256:6cf7253820db650f588e324dd672e891aa1275ae3c82650abc4fddf28667660e

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet