ci: drop step-security/harden-runner steps (egress-policy was breaking builds)#26
Merged
Merged
Conversation
…g builds) The StepSecurity bot PR (a31cbc4) layered step-security/harden-runner on every job with `egress-policy: audit`. The documented behaviour under `audit` is observe-only, but the agent's `armour` eBPF module runs regardless of policy mode — it engages kernel hooks and "protection maps" over /etc/docker/daemon.json, /proc/<pid>/mem etc. and watches for Runner.Worker behaviour patterns. That interacted badly with Armbian build's chroot + qemu-user-static flow on x86 specifically: jobs failed with DNS resolution errors inside the build container ('Temporary failure resolving github.armbian.com' / 'archive.ubuntu.com'). All 6 x86 cells in run 25845037398 failed the same way; all 6 arm64 cells succeeded. `egress-policy: audit` is also harden-runner's default — so dropping just the `with:` block wouldn't have changed behaviour. The only effective fix is to remove the step entirely. Removes 8 step instances across 6 workflows: - build-armbian-sdk.yml: 3 (one per top-level job) - infrastructure-dispatch-download-index.yml: 1 - maintenance-watchdog.yml: 1 - delete-old-releases.yml: 1 - dependency-review.yml: 1 - scorecards.yml: 1 What's kept from a31cbc4: - SHA-pinned actions (supply-chain hygiene, zero runtime side effect) - scorecards.yml + dependency-review.yml workflows (separate from the build matrix; they run on PRs / schedule and don't touch builds) - .pre-commit-config.yaml (local-only)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does
Removes the 8
step-security/harden-runnerstep instances added bya31cbc47across 6 workflows. -40 lines net.Why
Run 25845037398 — all 6 x86 cells failed identically with DNS resolution errors inside the build container:
All 6 arm64 cells (same workflow, same code, same revision) succeeded earlier the same day.
The harden-runner step is documented as observe-only under
egress-policy: audit, but the agent'sarmoureBPF module engages kernel hooks and "protection maps" over/etc/docker/daemon.json,/proc/<pid>/memetc. regardless of policy mode — see the agent log captured in the failed run:That interacts badly with Armbian build's chroot + qemu-user-static flow on x86 specifically (the
runner_worker_mem_readpolicy is explicitly watching for/proc/<pid>/memreads against Runner.Worker — exactly what qemu-user-static does during binfmt emulation).Why not just drop
with: egress-policy: audit?egress-policy: auditis harden-runner's default. Removing thewith:block wouldn't change behaviour. The only effective fix is to remove the step entirely.What's kept from
a31cbc47Independently useful, no runtime side effect on the build matrix:
scorecards.yml— runs on its own schedule, doesn't touch buildsdependency-review.yml— runs on PR only, doesn't touch builds.pre-commit-config.yaml— local-onlyTest plan
workflow_dispatchofBuild Armbian SDKafter merge.armbian-images.jsonin the resulting release contains entries for all 12 (board × os × ext) combinations.