fix: detect ubuntu-slim runners early and bail out #657

Open
devantler wants to merge 1 commit into step-security:main from devantler:fix/ubuntu-slim-user-env

@devantler commented Apr 11, 2026

Summary

Detect ubuntu-slim runners (Hosted Compute Agent Docker containers) early and bail out with an informative message, instead of crashing with chown: invalid user: 'undefined'.

Problem

ubuntu-slim runners are GitHub-hosted Linux containers that lack the standard USER environment variable (runner). When harden-runner runs on these runners, chownForFolder(process.env.USER, ...) executes sudo chown -R undefined /home/agent, which crashes the step.

The existing isDocker() check does not catch ubuntu-slim because the is-docker npm package looks for /.dockerenv, which Hosted Compute Agent containers do not have.

Fix

Add an early bail-out check in both setup.ts and cleanup.ts:

  console.log(common.UBUNTU_SLIM_MESSAGE);
  return;
}

This follows the existing patterns for isDocker(), isARCRunner(), and other unsupported runner type detection.

Detection rationale

  • Standard GitHub-hosted Ubuntu VMs always set USER=runner
  • ubuntu-slim (Hosted Compute Agent Docker containers) do not set USER
  • Combined with isGithubHosted() and process.platform === "linux", this reliably identifies ubuntu-slim

Files changed

File             Change
src/common.ts    Add UBUNTU_SLIM_MESSAGE constant
src/setup.ts     Add early bail-out after isDocker() check
src/cleanup.ts   Add early bail-out after isDocker() check

Fixes #627
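
Added example (not part of the pull request and not harden-runner's code): the three detection signals from the description as a pure function over an injected environment, the string the unset USER produces, and a complementary guard on the chown owner. All function names are hypothetical, and reading "GitHub-hosted" from RUNNER_ENVIRONMENT is an assumption about what isGithubHosted() checks.

```typescript
// Added example; every name here is hypothetical, not harden-runner's API.
type Env = Record<string, string | undefined>;
type RunnerKind = "hosted-vm" | "ubuntu-slim" | "other";

// Assumption: GitHub Actions sets RUNNER_ENVIRONMENT to "github-hosted"
// or "self-hosted"; the project's isGithubHosted() may use other signals.
function isGithubHostedEnv(env: Env): boolean {
  return env["RUNNER_ENVIRONMENT"] === "github-hosted";
}

// The description's rule: GitHub-hosted + Linux + USER unset => ubuntu-slim.
// An empty USER is treated like an unset one.
function classifyRunner(env: Env, platform: string): RunnerKind {
  if (!isGithubHostedEnv(env) || platform !== "linux") return "other";
  const user = env["USER"];
  return user === undefined || user === "" ? "ubuntu-slim" : "hosted-vm";
}

// Failure mode from the description: interpolating an unset USER into a
// command string yields the literal text "undefined".
function naiveChownCommand(env: Env, folder: string): string {
  return `sudo chown -R ${env["USER"]} ${folder}`;
}

// Complementary guard (not what the PR does): build an argv array and
// refuse to run when the owner is missing or not a plausible account name.
function chownArgs(user: string | undefined, folder: string): string[] {
  if (user === undefined || !/^[a-z_][a-z0-9_-]*$/i.test(user)) {
    throw new Error("refusing chown: USER is unset or not a valid account name");
  }
  return ["chown", "-R", "--", user, folder];
}

// Constructed sample environments (not captured from real runners).
const hostedVm: Env = { RUNNER_ENVIRONMENT: "github-hosted", USER: "runner" };
const slim: Env = { RUNNER_ENVIRONMENT: "github-hosted" };
const selfHosted: Env = { RUNNER_ENVIRONMENT: "self-hosted", USER: "ci" };
```

The classifier only sees what the environment reports, so a self-hosted or non-Linux job always falls through to "other" and is left to the existing checks.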

@devantler marked this pull request as draft April 11, 2026 10:10

ubuntu-slim runners (Hosted Compute Agent Docker containers) are
GitHub-hosted but lack the standard USER environment variable set
on full VM-based runners. This causes chownForFolder to fail with
'chown: invalid user: undefined'.

Instead of patching chownForFolder, detect ubuntu-slim early
informative message, matching the existing patterns for isDocker(),
isARCRunner(), and other unsupported runner types.

Fixes step-security#627

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@devantler force-pushed the fix/ubuntu-slim-user-env branch from e2d6d23 to 376d25a April 11, 2026 10:16
@devantler changed the title from "fix: handle undefined USER env var on ubuntu-slim runners" to "fix: detect ubuntu-slim runners early and bail out" Apr 11, 2026
@devantler marked this pull request as ready for review April 11, 2026 10:25

@varunsh-coder
Member

Thanks for the PR @devantler!
Will review soon

Development

Successfully merging this pull request may close these issues.

Fix harden runner action on ubuntu-slim
