Changes for v2.0.0 (#207)

2026-06-05 16:18:19 +00:00 · 2022-11-08 13:43:02 -08:00 · 2022-11-08 13:43:02 -08:00 · 118e4001a7
commit 118e4001a7
parent 3888ae1b9f
12 changed files with 10737 additions and 3384 deletions
--- a/action.yml
+++ b/action.yml
@ -16,6 +16,14 @@ inputs:
    description: "Disable sending telemetry to StepSecurity API, can be set to true or false. This can only be set to true when egress-policy is set to block"
    required: false
    default: "false"
+  disable-sudo:
+    description: "Disable sudo access for the runner account"
+    required: false
+    default: "false"
+  disable-file-monitoring:
+    description: "Disable file monitoring"
+    required: false
+    default: "false"
 branding:
  icon: "check-square"
  color: "green"
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/post/index.js
+++ b/dist/post/index.js
--- a/dist/post/index.js.map
+++ b/dist/post/index.js.map
--- a/dist/pre/index.js
+++ b/dist/pre/index.js
--- a/dist/pre/index.js.map
+++ b/dist/pre/index.js.map
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "step-security-harden-runner",
-  "version": "1.5.0",
+  "version": "1.6.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "step-security-harden-runner",
-      "version": "1.5.0",
+      "version": "1.6.0",
      "license": "Apache License 2.0",
      "dependencies": {
        "@actions/cache": "^3.0.4",
@ -35,15 +35,16 @@
      }
    },
    "node_modules/@actions/cache": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-3.0.4.tgz",
-      "integrity": "sha512-9RwVL8/ISJoYWFNH1wR/C26E+M3HDkGPWmbFJMMCKwTkjbNZJreMT4XaR/EB1bheIvN4PREQxEQQVJ18IPnf/Q==",
+      "version": "3.0.6",
+      "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-3.0.6.tgz",
+      "integrity": "sha512-Tttit+nqmxgb2M5Ufj5p8Lwd+fx329HOTLzxMrY4aaaZqBzqetgWlEfszMyiXfX4cJML+bzLJbyD9rNYt8TJ8g==",
      "dependencies": {
-        "@actions/core": "^1.2.6",
+        "@actions/core": "^1.10.0",
        "@actions/exec": "^1.0.1",
        "@actions/glob": "^0.1.0",
        "@actions/http-client": "^2.0.1",
        "@actions/io": "^1.0.1",
+        "@azure/abort-controller": "^1.1.0",
        "@azure/ms-rest-js": "^2.6.0",
        "@azure/storage-blob": "^12.8.0",
        "semver": "^6.1.0",
@ -60,19 +61,12 @@
      }
    },
    "node_modules/@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
      "dependencies": {
-        "@actions/http-client": "^1.0.11"
-      }
-    },
-    "node_modules/@actions/core/node_modules/@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
-      "dependencies": {
-        "tunnel": "0.0.6"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
      }
    },
    "node_modules/@actions/exec": {
@ -84,24 +78,16 @@
      }
    },
    "node_modules/@actions/github": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.0.1.tgz",
-      "integrity": "sha512-JZGyPM9ektb8NVTTI/2gfJ9DL7Rk98tQ7OVyTlgTuaQroariRBsOnzjy0I2EarX4xUZpK88YyO503fhmjFdyAg==",
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz",
+      "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==",
      "dependencies": {
-        "@actions/http-client": "^1.0.11",
+        "@actions/http-client": "^2.0.1",
        "@octokit/core": "^3.6.0",
        "@octokit/plugin-paginate-rest": "^2.17.0",
        "@octokit/plugin-rest-endpoint-methods": "^5.13.0"
      }
    },
-    "node_modules/@actions/github/node_modules/@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
-      "dependencies": {
-        "tunnel": "0.0.6"
-      }
-    },
    "node_modules/@actions/glob": {
      "version": "0.1.2",
      "resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.1.2.tgz",
@ -4745,9 +4731,9 @@
      }
    },
    "node_modules/node-fetch": {
-      "version": "3.2.3",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.2.3.tgz",
-      "integrity": "sha512-AXP18u4pidSZ1xYXRDPY/8jdv3RAozIt/WLNR/MBGZAz+xjtlr90RvCnsvHQRiXyWliZF/CpytExp32UU67/SA==",
+      "version": "3.2.10",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.2.10.tgz",
+      "integrity": "sha512-MhuzNwdURnZ1Cp4XTazr69K0BTizsBroX7Zx3UgDSVcZYKF/6p0CBe4EUb/hLqmzVhl0UpYfgRljQ4yxE+iCxA==",
      "dependencies": {
        "data-uri-to-buffer": "^4.0.0",
        "fetch-blob": "^3.1.4",
@ -6073,15 +6059,16 @@
  },
  "dependencies": {
    "@actions/cache": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-3.0.4.tgz",
-      "integrity": "sha512-9RwVL8/ISJoYWFNH1wR/C26E+M3HDkGPWmbFJMMCKwTkjbNZJreMT4XaR/EB1bheIvN4PREQxEQQVJ18IPnf/Q==",
+      "version": "3.0.6",
+      "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-3.0.6.tgz",
+      "integrity": "sha512-Tttit+nqmxgb2M5Ufj5p8Lwd+fx329HOTLzxMrY4aaaZqBzqetgWlEfszMyiXfX4cJML+bzLJbyD9rNYt8TJ8g==",
      "requires": {
-        "@actions/core": "^1.2.6",
+        "@actions/core": "^1.10.0",
        "@actions/exec": "^1.0.1",
        "@actions/glob": "^0.1.0",
        "@actions/http-client": "^2.0.1",
        "@actions/io": "^1.0.1",
+        "@azure/abort-controller": "^1.1.0",
        "@azure/ms-rest-js": "^2.6.0",
        "@azure/storage-blob": "^12.8.0",
        "semver": "^6.1.0",
@ -6096,21 +6083,12 @@
      }
    },
    "@actions/core": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz",
-      "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
      "requires": {
-        "@actions/http-client": "^1.0.11"
-      },
-      "dependencies": {
-        "@actions/http-client": {
-          "version": "1.0.11",
-          "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-          "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
-          "requires": {
-            "tunnel": "0.0.6"
-          }
-        }
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
      }
    },
    "@actions/exec": {
@ -6122,24 +6100,14 @@
      }
    },
    "@actions/github": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.0.1.tgz",
-      "integrity": "sha512-JZGyPM9ektb8NVTTI/2gfJ9DL7Rk98tQ7OVyTlgTuaQroariRBsOnzjy0I2EarX4xUZpK88YyO503fhmjFdyAg==",
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz",
+      "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==",
      "requires": {
-        "@actions/http-client": "^1.0.11",
+        "@actions/http-client": "^2.0.1",
        "@octokit/core": "^3.6.0",
        "@octokit/plugin-paginate-rest": "^2.17.0",
        "@octokit/plugin-rest-endpoint-methods": "^5.13.0"
-      },
-      "dependencies": {
-        "@actions/http-client": {
-          "version": "1.0.11",
-          "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-          "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
-          "requires": {
-            "tunnel": "0.0.6"
-          }
-        }
      }
    },
    "@actions/glob": {
@ -9724,9 +9692,9 @@
      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ=="
    },
    "node-fetch": {
-      "version": "3.2.3",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.2.3.tgz",
-      "integrity": "sha512-AXP18u4pidSZ1xYXRDPY/8jdv3RAozIt/WLNR/MBGZAz+xjtlr90RvCnsvHQRiXyWliZF/CpytExp32UU67/SA==",
+      "version": "3.2.10",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.2.10.tgz",
+      "integrity": "sha512-MhuzNwdURnZ1Cp4XTazr69K0BTizsBroX7Zx3UgDSVcZYKF/6p0CBe4EUb/hLqmzVhl0UpYfgRljQ4yxE+iCxA==",
      "requires": {
        "data-uri-to-buffer": "^4.0.0",
        "fetch-blob": "^3.1.4",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "step-security-harden-runner",
-  "version": "1.5.0",
+  "version": "1.6.0",
  "description": "Security agent for GitHub-hosted runner to monitor the build process",
  "main": "index.js",
  "scripts": {
--- a/src/checksum.ts
+++ b/src/checksum.ts
@ -10,7 +10,7 @@ export function verifyChecksum(downloadPath: string) {
    .digest("hex"); // checksum of downloaded file

  const expectedChecksum: string =
-    "7027c15a988395f3dde5e77d9a58889669adbda52fbd527ae8216e6d81dd8b1a"; // checksum for v0.11.0
+    "79f397360470d6e42c73d6c9c5cf485ac9982e56e3e3fdd07f66c59cda4388c8"; // checksum for v0.12.1

  if (checksum !== expectedChecksum) {
    core.setFailed(
--- a/src/cleanup.ts
+++ b/src/cleanup.ts
@ -62,12 +62,14 @@ import path from "path";
    });
  }

-  // Always log the service log
-  var journalLog = cp.execSync("sudo journalctl -u agent.service", {
-    encoding: "utf8",
-  });
-  console.log("Service log:");
-  console.log(journalLog);
+  var disable_sudo = core.getBooleanInput("disable-sudo");
+  if (!disable_sudo) {
+    var journalLog = cp.execSync("sudo journalctl -u agent.service", {
+      encoding: "utf8",
+    });
+    console.log("Service log:");
+    console.log(journalLog);
+  }

  if (isValidEvent()) {
    try {
--- a/src/setup.ts
+++ b/src/setup.ts
@ -8,6 +8,7 @@ import * as common from "./common";
 import * as tc from "@actions/tool-cache";
 import { verifyChecksum } from "./checksum";
 import isDocker from "is-docker";
+import { context } from "@actions/github";
 import {
  cacheFile,
  cacheKey,
@ -43,6 +44,9 @@ import {
      allowed_endpoints: core.getInput("allowed-endpoints"),
      egress_policy: core.getInput("egress-policy"),
      disable_telemetry: core.getBooleanInput("disable-telemetry"),
+      disable_sudo: core.getBooleanInput("disable-sudo"),
+      disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
+      private: context.payload.repository.private,
    };

    if (isValidEvent()) {
@ -98,7 +102,7 @@ import {
    let auth = `token ${token}`;

    const downloadPath: string = await tc.downloadTool(
-      "https://github.com/step-security/agent/releases/download/v0.11.0/agent_0.11.0_linux_amd64.tar.gz",
+      "https://github.com/step-security/agent/releases/download/v0.12.1/agent_0.12.1_linux_amd64.tar.gz",
      undefined,
      auth
    );