Running the action optionally, including pre and post scripts #493

Open
jenstroeger opened this issue Dec 23, 2024 · 9 comments

Comments

@jenstroeger

We tried to make running Harden Runner optional:

    steps:
    - name: Harden Runner
      if: ${{ vars.USE_HARDEN_RUNNER }}
      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
      with:
        egress-policy: audit

However, this seems to impact only the main script and not the pre & post scripts:

harden-runner/action.yml, lines 37 to 39 in 0080882:

    pre: "dist/pre/index.js"
    main: "dist/index.js"
    post: "dist/post/index.js"

Is there a way to en/disable all of them? The runs documentation mentions pre-if and post-if and I’m not quite sure if this is something we ought to implement, or the action?

Do you guys have a suggestion?
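For illustration of the action-side option raised above, here is an added example (not code from the harden-runner project) in which the action's own metadata gates its pre and post scripts with pre-if/post-if on the same switch that the workflow step's if uses for main. The action name, the dist paths and the job-level env variable are hypothetical, and it assumes the env context is available when pre-if and post-if are evaluated.

```yaml
# --- action.yml of a hypothetical action (not harden-runner's real metadata) ---
name: hypothetical-hardening-action
description: pre, main and post scripts that can all be switched off together
runs:
  using: node20
  pre: dist/pre/index.js
  # Assumption: the job-level env context is readable when pre-if is evaluated.
  # The default pre-if is always(); tying it to the switch skips the pre script.
  pre-if: env.USE_HARDEN_RUNNER == 'true'
  main: dist/index.js
  post: dist/post/index.js
  # Same switch for the post script; otherwise it runs even when main was skipped.
  post-if: env.USE_HARDEN_RUNNER == 'true'
---
# --- workflow job using it; vars.USE_HARDEN_RUNNER is the repository variable from this issue ---
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      # Exported at job level so the pre-if/post-if conditions above can read it.
      USE_HARDEN_RUNNER: ${{ vars.USE_HARDEN_RUNNER }}
    steps:
      - name: Harden Runner
        # The step-level if only governs the main script, which is the behaviour
        # observed in this issue; pre and post are governed by the action metadata.
        if: ${{ env.USE_HARDEN_RUNNER == 'true' }}
        uses: example-org/hypothetical-hardening-action@v1
        with:
          egress-policy: audit
```

With the variable unset or set to anything other than "true", the pre, main and post scripts are all skipped; with it set to "true", all three run as before.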

@varunsh-coder (Member)

Thank you for raising this issue!

You’re correct that pre-if and post-if could potentially enable conditional execution of the pre and post scripts.

We’ll experiment with implementing pre-if and post-if to see if it can address your use case effectively. Once we’ve explored this approach and validated whether it works as expected, we’ll update you here with our findings or next steps.

Out of curiosity, could you share a bit more about your use case for conditional execution? Understanding why you’re looking to enable or disable Harden-Runner in certain scenarios will help us provide an alternate solution in case pre-if/ post-if does not work.

@jenstroeger (Author)

[…] Once we’ve explored this approach and validated whether it works as expected, we’ll update you here with our findings or next steps.

Thank you!

Out of curiosity, could you share a bit more about your use case for conditional execution? Understanding why you’re looking to enable or disable Harden-Runner in certain scenarios will help us provide an alternate solution in case pre-if/ post-if does not work.

The problem for us is runtime. Having multiple repos and quite a number of action workflows, each starting out with hardening the runner, the setup runtime of ~3m has become a noticeable portion of the billing time.

[Screenshot: harden-runner step timing]

So instead of removing the step from our workflows we wanted to make it optional…

@h0x0er (Member)

h0x0er commented Dec 24, 2024

From the attached screenshot, I can see the workflow is container-based; currently harden-runner doesn't support container-based workflows. Ideally the pre-step should have just been skipped, as we have logic to detect this scenario. Check out this sample run.

Can you please attach a screenshot of the logs from the pre-step? I am just curious what's happening in there.

@jenstroeger (Author)

Can you please attach a screenshot of the logs from the pre-step? I am just curious what's happening in there.

As in debug logs when I rerun the workflow?

@h0x0er (Member)

h0x0er commented Dec 24, 2024

As in debug logs when I rerun the workflow?

You can attach these as well for more context.

I was actually referring to just clicking on the Pre Harden Runner step to expand it. Something like below:

[Screenshot: expanded Pre Harden Runner step, 2024-12-24]

@jenstroeger (Author)

I should mention that we’re running v1.5.0 so we have:

    Run step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
    Step Security Job Correlation ID: 4088e16b-5dc9-46c5-984a-fb2b8360bb5d
    Unable to fetch cacheURL
    /usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/60e81887-14e5-4fd7-909e-db82915b827e -f /home/runner/work/_temp/50ca6b7f-be68-4ae9-9ab3-f01514233df1
    View security insights and recommended policy at:
    https://app.stepsecurity.io/github/org/repo/actions/runs/12471801516
    Initialized

@h0x0er (Member)

h0x0er commented Dec 24, 2024

These appear to be interesting logs. Ideally harden-runner shouldn't have logged them in the case of container-based workflows because of a conditional check.

I should mention that we’re running v1.5.0

I tried running v1.5.0 on my test workflow; it appears to be working fine. Check out this run.

If possible, can you run the workflow with v2.10.2?

Anyway, I will keep you updated. Just curious, are you guys using self-hosted runners?

Thanks

@jenstroeger (Author)

I tried running v1.5.0 on my test workflow; it appears to be working fine. Check out this run.

Try adding an

    if: ${{ false }}

or some such here. It should still run the pre- and post-steps, which is what we’d like to avoid.

@varunsh-coder (Member)

[…] Once we’ve explored this approach and validated whether it works as expected, we’ll update you here with our findings or next steps.

Thank you!

Out of curiosity, could you share a bit more about your use case for conditional execution? Understanding why you’re looking to enable or disable Harden-Runner in certain scenarios will help us provide an alternate solution in case pre-if/ post-if does not work.

The problem for us is runtime. Having multiple repos and quite a number of action workflows, each starting out with hardening the runner, the setup runtime of ~3m has become a noticeable portion of the billing time.

@jenstroeger harden-runner should not be taking 3m. This is likely because of use of a very old version v1.5 which uses node16. Once you upgrade to the latest version, it should not take more than 5-7 seconds. Please let us know if this is not the case. Given that updating to a more recent version should fix the root cause, we would prefer to not spend time researching/ implementing optional execution.

[Screenshot: harden-runner step timing]

So instead of removing the step from our workflows we wanted to make it optional…
