step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 16:58:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #541 from step-security/rc-20

Browse source 
Release v2.12.0
This commit is contained in:
Varun Sharma 2025-04-21 12:01:51 -07:00 committed by GitHub
commit 0634a2670c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 49 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -66,7 +66,8 @@ To integrate Harden-Runner, follow these steps:
- Add the following code as the first step in each job: - Add the following code as the first step in each job:
```yaml ```yaml
steps: steps:
- uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
with: with:
egress-policy: audit egress-policy: audit
@ -134,7 +135,7 @@ Explore the full feature set in the [Features Documentation](https://docs.stepse
## Trusted By and Case Studies ## Trusted By and Case Studies
Harden-Runner is trusted by over 5000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more. Harden-Runner is trusted by over 6000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
### Trusted by ### Trusted by
@ -147,6 +148,7 @@ Harden-Runner is trusted by over 5000 leading open-source projects and enterpris
- [How Coveo Strengthened GitHub Actions Security with StepSecurity](https://www.stepsecurity.io/case-studies/coveo) - [How Coveo Strengthened GitHub Actions Security with StepSecurity](https://www.stepsecurity.io/case-studies/coveo)
- [Hashgraph Achieves Comprehensive CI/CD Security Without Compromising Development Speed](https://www.stepsecurity.io/case-studies/hashgraph) - [Hashgraph Achieves Comprehensive CI/CD Security Without Compromising Development Speed](https://www.stepsecurity.io/case-studies/hashgraph)
- [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
- [Kapiche secures their GitHub Actions software supply chain with Harden-Runner](https://www.stepsecurity.io/case-studies/kapiche) - [Kapiche secures their GitHub Actions software supply chain with Harden-Runner](https://www.stepsecurity.io/case-studies/kapiche)
- [Arcjet Enhances CI/CD Security with Harden-Runner](https://www.stepsecurity.io/case-studies/arcjet) - [Arcjet Enhances CI/CD Security with Harden-Runner](https://www.stepsecurity.io/case-studies/arcjet)

6
action.yml
View file

@ -17,7 +17,11 @@ inputs:
required: false required: false
default: "false" default: "false"
disable-sudo: disable-sudo:
description: "Disable sudo access for the runner account" description: "Disable sudo access for the runner account. Note: This parameter will be deprecated in the future. Please use disable-sudo-and-containers instead."
required: false
default: "false"
disable-sudo-and-containers:
description: "Disable sudo and container access for the runner account"
required: false required: false
default: "false" default: "false"
disable-file-monitoring: disable-file-monitoring:

3
dist/post/index.js vendored
View file

@ -27947,7 +27947,8 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(content); console.log(content);
} }
var disable_sudo = process.env.STATE_disableSudo; var disable_sudo = process.env.STATE_disableSudo;
if (disable_sudo !== "true") { var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try { try {
var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", { var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", {
encoding: "utf8", encoding: "utf8",

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

17
dist/pre/index.js vendored
View file

@ -87890,6 +87890,9 @@ function mergeConfigs(localConfig, remoteConfig) {
if (remoteConfig.disable_sudo !== undefined) { if (remoteConfig.disable_sudo !== undefined) {
localConfig.disable_sudo = remoteConfig.disable_sudo; localConfig.disable_sudo = remoteConfig.disable_sudo;
} }
if (remoteConfig.disable_sudo_and_containers !== undefined) {
localConfig.disable_sudo_and_containers = remoteConfig.disable_sudo_and_containers;
}
if (remoteConfig.disable_file_monitoring !== undefined) { if (remoteConfig.disable_file_monitoring !== undefined) {
localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring; localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
} }
@ -88004,11 +88007,11 @@ var external_crypto_ = __nccwpck_require__(6417);
const CHECKSUMS = { const CHECKSUMS = {
tls: { tls: {
amd64: "38e7ed97ced6fe0c1cf0fb5ee3b3d521dfe28d5ddf1cdca72d130c8d1b4a314e", amd64: "e7c0c5f96efbf96806d27dcbf65f71f72ecd34cdd596c556bb2ded0f2037c260",
arm64: "f67c80cc578c996d4f882c14fcdb63df57927d907cd22f1ec65f9fa940c08cf3", arm64: "813a4cd40f6740bd9623a40884a78f14960c6bd3794391693a165f2ca71c90e3",
}, },
non_tls: { non_tls: {
amd64: "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a", // v0.13.7 amd64: "f0a8bb49ce5480744f8c836af2abd5f311e918efef5b36b4cce7521d7b9dffe6", // v0.14.0
}, },
}; };
function verifyChecksum(downloadPath, isTLS, variant) { function verifyChecksum(downloadPath, isTLS, variant) {
@ -88058,14 +88061,14 @@ function installAgent(isTLS, configStr) {
encoding: "utf8", encoding: "utf8",
}); });
if (isTLS) { if (isTLS) {
downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.4.2_linux_${variant}.tar.gz`); downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.3_linux_${variant}.tar.gz`);
} }
else { else {
if (variant === "arm64") { if (variant === "arm64") {
console.log(ARM64_RUNNER_MESSAGE); console.log(ARM64_RUNNER_MESSAGE);
return false; return false;
} }
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.7/agent_0.13.7_linux_amd64.tar.gz", undefined, auth); downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.0/agent_0.14.0_linux_amd64.tar.gz", undefined, auth);
} }
verifyChecksum(downloadPath, isTLS, variant); verifyChecksum(downloadPath, isTLS, variant);
const extractPath = yield tool_cache.extractTar(downloadPath); const extractPath = yield tool_cache.extractTar(downloadPath);
@ -88142,6 +88145,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
egress_policy: lib_core.getInput("egress-policy"), egress_policy: lib_core.getInput("egress-policy"),
disable_telemetry: lib_core.getBooleanInput("disable-telemetry"), disable_telemetry: lib_core.getBooleanInput("disable-telemetry"),
disable_sudo: lib_core.getBooleanInput("disable-sudo"), disable_sudo: lib_core.getBooleanInput("disable-sudo"),
disable_sudo_and_containers: lib_core.getBooleanInput("disable-sudo-and-containers"),
disable_file_monitoring: lib_core.getBooleanInput("disable-file-monitoring"), disable_file_monitoring: lib_core.getBooleanInput("disable-file-monitoring"),
private: ((_b = (_a = github.context === null || github.context === void 0 ? void 0 : github.context.payload) === null || _a === void 0 ? void 0 : _a.repository) === null || _b === void 0 ? void 0 : _b.private) || false, private: ((_b = (_a = github.context === null || github.context === void 0 ? void 0 : github.context.payload) === null || _a === void 0 ? void 0 : _a.repository) === null || _b === void 0 ? void 0 : _b.private) || false,
is_github_hosted: isGithubHosted(), is_github_hosted: isGithubHosted(),
@ -88164,6 +88168,9 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
external_fs_.appendFileSync(process.env.GITHUB_STATE, `disableSudo=${confg.disable_sudo}${external_os_.EOL}`, { external_fs_.appendFileSync(process.env.GITHUB_STATE, `disableSudo=${confg.disable_sudo}${external_os_.EOL}`, {
encoding: "utf8", encoding: "utf8",
}); });
external_fs_.appendFileSync(process.env.GITHUB_STATE, `disableSudoAndContainers=${confg.disable_sudo_and_containers}${external_os_.EOL}`, {
encoding: "utf8",
});
lib_core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`); lib_core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") { if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
lib_core.setFailed("egress-policy must be either audit or block"); lib_core.setFailed("egress-policy must be either audit or block");

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

6
src/checksum.ts
View file

@ -4,11 +4,11 @@ import * as fs from "fs";
const CHECKSUMS = { const CHECKSUMS = {
tls: { tls: {
amd64: "38e7ed97ced6fe0c1cf0fb5ee3b3d521dfe28d5ddf1cdca72d130c8d1b4a314e", // v1.4.2 amd64: "e7c0c5f96efbf96806d27dcbf65f71f72ecd34cdd596c556bb2ded0f2037c260", // v1.6.3
arm64: "f67c80cc578c996d4f882c14fcdb63df57927d907cd22f1ec65f9fa940c08cf3", arm64: "813a4cd40f6740bd9623a40884a78f14960c6bd3794391693a165f2ca71c90e3",
}, },
non_tls: { non_tls: {
amd64: "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a", // v0.13.7 amd64: "f0a8bb49ce5480744f8c836af2abd5f311e918efef5b36b4cce7521d7b9dffe6", // v0.14.0
}, },
}; };

4
src/cleanup.ts
View file

@ -81,7 +81,9 @@ import { isGithubHosted } from "./tls-inspect";
} }
var disable_sudo = process.env.STATE_disableSudo; var disable_sudo = process.env.STATE_disableSudo;
if (disable_sudo !== "true") { var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try { try {
var journalLog = cp.execSync("sudo journalctl -u agent.service --lines=1000", { var journalLog = cp.execSync("sudo journalctl -u agent.service --lines=1000", {
encoding: "utf8", encoding: "utf8",

4
src/install-agent.ts
View file

@ -25,7 +25,7 @@ export async function installAgent(
if (isTLS) { if (isTLS) {
downloadPath = await tc.downloadTool( downloadPath = await tc.downloadTool(
`https://packages.stepsecurity.io/github-hosted/harden-runner_1.4.2_linux_${variant}.tar.gz` `https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.3_linux_${variant}.tar.gz`
); );
} else { } else {
if (variant === "arm64") { if (variant === "arm64") {
@ -33,7 +33,7 @@ export async function installAgent(
return false; return false;
} }
downloadPath = await tc.downloadTool( downloadPath = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.13.7/agent_0.13.7_linux_amd64.tar.gz", "https://github.com/step-security/agent/releases/download/v0.14.0/agent_0.14.0_linux_amd64.tar.gz",
undefined, undefined,
auth auth
); );

2
src/interfaces.ts
View file

@ -8,6 +8,7 @@ export interface Configuration {
egress_policy: string; egress_policy: string;
disable_telemetry: boolean; disable_telemetry: boolean;
disable_sudo: boolean; disable_sudo: boolean;
disable_sudo_and_containers: boolean;
disable_file_monitoring: boolean; disable_file_monitoring: boolean;
is_github_hosted: boolean; is_github_hosted: boolean;
private: string; private: string;
@ -20,6 +21,7 @@ export interface PolicyResponse {
policyName?: string; policyName?: string;
allowed_endpoints?: string[]; allowed_endpoints?: string[];
disable_sudo?: boolean; disable_sudo?: boolean;
disable_sudo_and_containers?: boolean;
disable_file_monitoring?: boolean; disable_file_monitoring?: boolean;
disable_telemetry?: boolean; disable_telemetry?: boolean;
egress_policy?: string; egress_policy?: string;

2
src/policy-utils.test.ts
View file

@ -36,6 +36,7 @@ test("merge configs", async () => {
egress_policy: "audit", egress_policy: "audit",
disable_telemetry: false, disable_telemetry: false,
disable_sudo: false, disable_sudo: false,
disable_sudo_and_containers: false,
disable_file_monitoring: false, disable_file_monitoring: false,
private: "true", private: "true",
is_github_hosted: true, is_github_hosted: true,
@ -62,6 +63,7 @@ test("merge configs", async () => {
egress_policy: "audit", egress_policy: "audit",
disable_telemetry: false, disable_telemetry: false,
disable_sudo: false, disable_sudo: false,
disable_sudo_and_containers: false,
disable_file_monitoring: false, disable_file_monitoring: false,
private: "true", private: "true",
is_github_hosted: true, is_github_hosted: true,

4
src/policy-utils.ts
View file

@ -56,6 +56,10 @@ export function mergeConfigs(
localConfig.disable_sudo = remoteConfig.disable_sudo; localConfig.disable_sudo = remoteConfig.disable_sudo;
} }
if (remoteConfig.disable_sudo_and_containers !== undefined) {
localConfig.disable_sudo_and_containers = remoteConfig.disable_sudo_and_containers;
}
if (remoteConfig.disable_file_monitoring !== undefined) { if (remoteConfig.disable_file_monitoring !== undefined) {
localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring; localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
} }

8
src/setup.ts
View file

@ -62,6 +62,7 @@ interface MonitorResponse {
egress_policy: core.getInput("egress-policy"), egress_policy: core.getInput("egress-policy"),
disable_telemetry: core.getBooleanInput("disable-telemetry"), disable_telemetry: core.getBooleanInput("disable-telemetry"),
disable_sudo: core.getBooleanInput("disable-sudo"), disable_sudo: core.getBooleanInput("disable-sudo"),
disable_sudo_and_containers: core.getBooleanInput("disable-sudo-and-containers"),
disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"), disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
private: context?.payload?.repository?.private || false, private: context?.payload?.repository?.private || false,
is_github_hosted: isGithubHosted(), is_github_hosted: isGithubHosted(),
@ -92,6 +93,13 @@ interface MonitorResponse {
encoding: "utf8", encoding: "utf8",
} }
); );
fs.appendFileSync(
process.env.GITHUB_STATE,
`disableSudoAndContainers=${confg.disable_sudo_and_containers}${EOL}`,
{
encoding: "utf8",
}
);
core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`); core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") { if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {