step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 16:15:14 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #544 from step-security/rc-21

Browse source 
Release v2.12.1
This commit is contained in:
Varun Sharma 2025-06-11 07:18:17 -07:00 committed by GitHub
commit 002fdce3c6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 88 additions and 81 deletions
Download patch file Download diff file Expand all files Collapse all files

2
dist/index.js vendored
View file

@ -27752,7 +27752,7 @@ function addSummary() {
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const SELF_HOSTED_NO_AGENT_MESSAGE = "This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";

2
dist/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

25
dist/post/index.js vendored
View file

@ -27751,7 +27751,7 @@ function addSummary() {
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const SELF_HOSTED_NO_AGENT_MESSAGE = "This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
@ -27792,7 +27792,7 @@ function isDocker() {
;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() {
function isARCRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
if (!runnerUserAgent) {
@ -27805,20 +27805,27 @@ function isArcRunner() {
}
function isSecondaryPod() {
const workDir = "/__w";
return external_fs_.existsSync(workDir);
let hasKubeEnv = process.env["KUBERNETES_PORT"] !== undefined;
return external_fs_.existsSync(workDir) && hasKubeEnv;
}
function sendAllowedEndpoints(endpoints) {
const startTime = Date.now();
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
let sent = 0;
for (let endpoint of allowedEndpoints) {
endpoint = endpoint.trim();
if (endpoint.length > 0) {
let encodedEndpoint = Buffer.from(endpoint).toString("base64");
let endpointPolicyStr = `step_policy_endpoint_${encodedEndpoint}`;
echo(endpointPolicyStr);
sent++;
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
if (sent > 0) {
applyPolicy(sent);
}
const duration = Date.now() - startTime;
console.log(`[harden-runner] sendAllowedEndpoints completed in ${duration}ms (sent ${sent} endpoints)`);
}
function applyPolicy(count) {
let applyPolicyStr = `step_policy_apply_${count}`;
@ -27897,7 +27904,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(CONTAINER_MESSAGE);
return;
}
if (isArcRunner()) {
if (isARCRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
return;
}
@ -27952,7 +27959,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
try {
var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", {
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10 // 10MB buffer
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
});
console.log("agent.service log:");
console.log(journalLog);

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

51
dist/pre/index.js vendored
View file

@ -87779,7 +87779,7 @@ function addSummary() {
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const SELF_HOSTED_NO_AGENT_MESSAGE = "This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
@ -87920,7 +87920,7 @@ var cacheUtils = __nccwpck_require__(1518);
;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() {
function isARCRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
if (!runnerUserAgent) {
@ -87933,20 +87933,27 @@ function isArcRunner() {
}
function isSecondaryPod() {
const workDir = "/__w";
return external_fs_.existsSync(workDir);
let hasKubeEnv = process.env["KUBERNETES_PORT"] !== undefined;
return external_fs_.existsSync(workDir) && hasKubeEnv;
}
function sendAllowedEndpoints(endpoints) {
const startTime = Date.now();
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
let sent = 0;
for (let endpoint of allowedEndpoints) {
endpoint = endpoint.trim();
if (endpoint.length > 0) {
let encodedEndpoint = Buffer.from(endpoint).toString("base64");
let endpointPolicyStr = `step_policy_endpoint_${encodedEndpoint}`;
echo(endpointPolicyStr);
sent++;
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
if (sent > 0) {
applyPolicy(sent);
}
const duration = Date.now() - startTime;
console.log(`[harden-runner] sendAllowedEndpoints completed in ${duration}ms (sent ${sent} endpoints)`);
}
function applyPolicy(count) {
let applyPolicyStr = `step_policy_apply_${count}`;
@ -88007,11 +88014,11 @@ var external_crypto_ = __nccwpck_require__(6417);
const CHECKSUMS = {
tls: {
amd64: "e7c0c5f96efbf96806d27dcbf65f71f72ecd34cdd596c556bb2ded0f2037c260",
arm64: "813a4cd40f6740bd9623a40884a78f14960c6bd3794391693a165f2ca71c90e3",
amd64: "75c821517eefde0dc5a9309e6b6d01372c7ce7c061eeb36892a3718b0ab7506c",
arm64: "41e255e43ff95c26323692fc58d460db3ac503326a1d47589032e92723fe08d4",
},
non_tls: {
amd64: "f0a8bb49ce5480744f8c836af2abd5f311e918efef5b36b4cce7521d7b9dffe6", // v0.14.0
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
},
};
function verifyChecksum(downloadPath, isTLS, variant) {
@ -88061,14 +88068,14 @@ function installAgent(isTLS, configStr) {
encoding: "utf8",
});
if (isTLS) {
downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.3_linux_${variant}.tar.gz`);
downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.10_linux_${variant}.tar.gz`);
}
else {
if (variant === "arm64") {
console.log(ARM64_RUNNER_MESSAGE);
return false;
}
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.0/agent_0.14.0_linux_amd64.tar.gz", undefined, auth);
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.2/agent_0.14.2_linux_amd64.tar.gz", undefined, auth);
}
verifyChecksum(downloadPath, isTLS, variant);
const extractPath = yield tool_cache.extractTar(downloadPath);
@ -88242,7 +88249,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url);
}
if (isArcRunner()) {
if (isARCRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);
@ -88256,22 +88263,10 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
external_fs_.appendFileSync(process.env.GITHUB_STATE, `selfHosted=true${external_os_.EOL}`, {
encoding: "utf8",
});
if (!external_fs_.existsSync("/home/agent/agent")) {
lib_core.info(SELF_HOSTED_NO_AGENT_MESSAGE);
return;
}
lib_core.info(SELF_HOSTED_RUNNER_MESSAGE);
if (confg.egress_policy === "block") {
try {
if (process.env.USER) {
chownForFolder(process.env.USER, "/home/agent");
}
const confgStr = JSON.stringify(confg);
external_fs_.writeFileSync("/home/agent/block_event.json", confgStr);
yield setup_sleep(5000);
}
catch (error) {
lib_core.info(`[!] Unable to write block_event.json: ${error}`);
}
sendAllowedEndpoints(confg.allowed_endpoints);
yield setup_sleep(5000);
}
return;
}

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

4
src/arc-runner.test.ts
View file

@ -1,9 +1,9 @@
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
import { isARCRunner } from "./arc-runner";
it("should correctly recognize arc based runner", async () => {
process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"] =
"actions-runner-controller/2.0.1";
let isArc: boolean = await isArcRunner();
let isArc: boolean = await isARCRunner();
expect(isArc).toBe(true);
});

22
src/arc-runner.ts
View file

@ -2,7 +2,7 @@ import * as cp from "child_process";
import * as fs from "fs";
import path from "path";
export function isArcRunner(): boolean {
export function isARCRunner(): boolean {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
@ -18,23 +18,33 @@ export function isArcRunner(): boolean {
function isSecondaryPod(): boolean {
const workDir = "/__w";
return fs.existsSync(workDir);
let hasKubeEnv = process.env["KUBERNETES_PORT"] !== undefined;
return fs.existsSync(workDir) && hasKubeEnv;
}
export function sendAllowedEndpoints(endpoints: string): void {
const startTime = Date.now();
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
let sent = 0;
for (let endpoint of allowedEndpoints) {
endpoint = endpoint.trim();
if (endpoint.length > 0) {
let encodedEndpoint = Buffer.from(endpoint).toString("base64");
let endpointPolicyStr = `step_policy_endpoint_${encodedEndpoint}`;
echo(endpointPolicyStr);
sent++;
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
if (sent > 0) {
applyPolicy(sent);
}
const duration = Date.now() - startTime;
console.log(
`[harden-runner] sendAllowedEndpoints completed in ${duration}ms (sent ${sent} endpoints)`
);
}
function applyPolicy(count: number): void {

6
src/checksum.ts
View file

@ -4,11 +4,11 @@ import * as fs from "fs";
const CHECKSUMS = {
tls: {
amd64: "e7c0c5f96efbf96806d27dcbf65f71f72ecd34cdd596c556bb2ded0f2037c260", // v1.6.3
arm64: "813a4cd40f6740bd9623a40884a78f14960c6bd3794391693a165f2ca71c90e3",
amd64: "75c821517eefde0dc5a9309e6b6d01372c7ce7c061eeb36892a3718b0ab7506c", // v1.6.10
arm64: "41e255e43ff95c26323692fc58d460db3ac503326a1d47589032e92723fe08d4",
},
non_tls: {
amd64: "f0a8bb49ce5480744f8c836af2abd5f311e918efef5b36b4cce7521d7b9dffe6", // v0.14.0
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
},
};

17
src/cleanup.ts
View file

@ -2,7 +2,7 @@ import * as fs from "fs";
import * as cp from "child_process";
import * as common from "./common";
import isDocker from "is-docker";
import { isArcRunner } from "./arc-runner";
import { isARCRunner } from "./arc-runner";
import { isGithubHosted } from "./tls-inspect";
(async () => {
console.log("[harden-runner] post-step");
@ -16,7 +16,7 @@ import { isGithubHosted } from "./tls-inspect";
return;
}
if (isArcRunner()) {
if (isARCRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
return;
}
@ -82,13 +82,16 @@ import { isGithubHosted } from "./tls-inspect";
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try {
var journalLog = cp.execSync("sudo journalctl -u agent.service --lines=1000", {
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10 // 10MB buffer
});
var journalLog = cp.execSync(
"sudo journalctl -u agent.service --lines=1000",
{
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
}
);
console.log("agent.service log:");
console.log(journalLog);
} catch (error) {

4
src/common.ts
View file

@ -173,8 +173,8 @@ export const CONTAINER_MESSAGE =
export const UBUNTU_MESSAGE =
"This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
export const SELF_HOSTED_NO_AGENT_MESSAGE =
"This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
export const SELF_HOSTED_RUNNER_MESSAGE =
"This job is running on a self-hosted runner.";
export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
"Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";

4
src/install-agent.ts
View file

@ -25,7 +25,7 @@ export async function installAgent(
if (isTLS) {
downloadPath = await tc.downloadTool(
`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.3_linux_${variant}.tar.gz`
`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.10_linux_${variant}.tar.gz`
);
} else {
if (variant === "arm64") {
@ -33,7 +33,7 @@ export async function installAgent(
return false;
}
downloadPath = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.14.0/agent_0.14.0_linux_amd64.tar.gz",
"https://github.com/step-security/agent/releases/download/v0.14.2/agent_0.14.2_linux_amd64.tar.gz",
undefined,
auth
);

28
src/setup.ts
View file

@ -24,7 +24,7 @@ import { GetCacheEntryDownloadURLRequest } from "@actions/cache/lib/generated/re
import { getCacheServiceVersion } from "@actions/cache/lib/internal/config";
import * as utils from "@actions/cache/lib/internal/cacheUtils";
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
import { isARCRunner, sendAllowedEndpoints } from "./arc-runner";
import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
import { installAgent } from "./install-agent";
@ -62,7 +62,9 @@ interface MonitorResponse {
egress_policy: core.getInput("egress-policy"),
disable_telemetry: core.getBooleanInput("disable-telemetry"),
disable_sudo: core.getBooleanInput("disable-sudo"),
disable_sudo_and_containers: core.getBooleanInput("disable-sudo-and-containers"),
disable_sudo_and_containers: core.getBooleanInput(
"disable-sudo-and-containers"
),
disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
private: context?.payload?.repository?.private || false,
is_github_hosted: isGithubHosted(),
@ -205,7 +207,7 @@ interface MonitorResponse {
common.printInfo(web_url);
}
if (isArcRunner()) {
if (isARCRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);
@ -220,22 +222,12 @@ interface MonitorResponse {
fs.appendFileSync(process.env.GITHUB_STATE, `selfHosted=true${EOL}`, {
encoding: "utf8",
});
if (!fs.existsSync("/home/agent/agent")) {
core.info(common.SELF_HOSTED_NO_AGENT_MESSAGE);
return;
}
if (confg.egress_policy === "block") {
try {
if (process.env.USER) {
chownForFolder(process.env.USER, "/home/agent");
}
const confgStr = JSON.stringify(confg);
fs.writeFileSync("/home/agent/block_event.json", confgStr);
await sleep(5000);
} catch (error) {
core.info(`[!] Unable to write block_event.json: ${error}`);
}
core.info(common.SELF_HOSTED_RUNNER_MESSAGE);
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);
await sleep(5000);
}
return;
}