Skip to content

chore(deps): bump step-security/harden-runner from 2.8.1 to 2.19.4#129

Merged
anurag-stepsecurity merged 1 commit into
mainfrom
dependabot/github_actions/step-security/harden-runner-2.13.1
Jun 1, 2026
Merged

chore(deps): bump step-security/harden-runner from 2.8.1 to 2.19.4#129
anurag-stepsecurity merged 1 commit into
mainfrom
dependabot/github_actions/step-security/harden-runner-2.13.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Oct 29, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps step-security/harden-runner from 2.8.1 to 2.19.4.

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits
  • 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
  • 485dce8 Update agent to v1.8.6
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 29, 2025
@dependabot dependabot Bot mentioned this pull request Oct 29, 2025
Closed
@dependabot dependabot Bot force-pushed the dependabot/github_actions/step-security/harden-runner-2.13.1 branch from 988608f to f669336 Compare October 29, 2025 13:01
@amanstep amanstep closed this Oct 29, 2025
@dependabot @github

dependabot Bot commented on behalf of github Oct 29, 2025

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@amanstep amanstep reopened this Oct 29, 2025
@amanstep

amanstep commented Oct 29, 2025

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github Oct 29, 2025

Copy link
Copy Markdown
Contributor Author

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@amanstep

amanstep commented Oct 29, 2025

Copy link
Copy Markdown
Contributor

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/github_actions/step-security/harden-runner-2.13.1 branch 3 times, most recently from d1d6e89 to 921613f Compare October 30, 2025 04:49
@anurag-stepsecurity

anurag-stepsecurity commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot
chore(deps): bump step-security/harden-runner from 2.8.1 to 2.19.4
9423ac9 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.1 to 2.19.4.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@v2.8.1...9af89fc)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.13.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump step-security/harden-runner from 2.8.1 to 2.13.1 chore(deps): bump step-security/harden-runner from 2.8.1 to 2.19.4 Jun 1, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/step-security/harden-runner-2.13.1 branch from 921613f to 9423ac9 Compare June 1, 2026 07:15
@anurag-stepsecurity anurag-stepsecurity merged commit 52bb558 into main Jun 1, 2026
7 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/step-security/harden-runner-2.13.1 branch June 1, 2026 07:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anurag-stepsecurity anurag-stepsecurity anurag-stepsecurity approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amanstep @anurag-stepsecurity