step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 09:25:13 +00:00
Code Issues Projects Releases Packages Wiki Activity

bump agent versions: linux v1.8.2, non-tls v0.16.0, windows v1.0.2

Browse source 
Also export CHECKSUMS from checksum.ts and read expected values from it
in checksum.test.ts so tests don't need updating on every version bump.
Mocks the computed hash via crypto.createHash; expected hash comes from
the module itself. Tests now validate branching/platform dispatch
instead of hardcoded hex values. Added darwin and win32 coverage cases.
This commit is contained in:
Varun Sharma 2026-04-19 09:55:27 -07:00
commit 1b9c34e9f9
No known key found for this signature in database
5 changed files with 46 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

20
dist/pre/index.js vendored
View file

@ -85455,19 +85455,19 @@ var external_crypto_ = __nccwpck_require__(6982);
const CHECKSUMS = {
tls: {
amd64: "6105000c6c61f4a3ca27ed3a2796baa206bdb1eb83f0463adb0ec7e565af6e1c",
arm64: "0992da262be06580335725263ba6ee5c009dfd0448a948b7768ec077fdb9d3d8",
amd64: "713c91e921292027dacf446db44bafbc8e36a3f7f51dff664ba681c6e4398a05",
arm64: "2c1eb365d6d9ae4cd4b6632a5f833bcdb7e75d0d9604de3391ff22e4e28e8d42",
},
non_tls: {
amd64: "4aaaeebbe10e619d8ce13e8cc4a1acbafc8f891e8cdd319984480b9ec08407b8", // v0.15.0
amd64: "e38de61e1afd98dd339bb9acce4996183875d482be1638fb198ab02b3e25bbef", // v0.16.0
},
bravo: {
amd64: "2eeaa1b3cfb05adea0a4e2a36e342ccaf95b41aeb82a6a6e217d2971c15f5553",
arm64: "8d7035ffbda165ad86de8bd00bf861c038e4a9e6d501adadc53a265945882533",
amd64: "8d002af0c1c4bb73eaef0f2b641f7aa353cc3f4da36a4e418b69895a2baa922c",
arm64: "1ce74a30d704c2e994246fc809d65af83e3f354aae7b9080b2c2eaee715cf005",
},
darwin: "fe26a1f6af4afe9f1a854d8633832f5d18ab542827003cae445b3a64021d612c",
windows: {
amd64: "e98f8b9cf9ecf6566f1e16a470fbe4aef01610a644fd8203a1bab3ff142186c8", // v1.0.0
amd64: "93f1e5d87c6647e6eca7963d5f4b4bd73107029430f8e6945ffece93007a89f5", // v1.0.2
},
};
// verifyChecksum returns true if checksum is valid
@ -85536,14 +85536,14 @@ function installAgent(isTLS, configStr) {
encoding: "utf8",
});
if (isTLS) {
downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.1/harden-runner_1.8.1_linux_${variant}.tar.gz`, undefined, auth);
downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.2/harden-runner_1.8.2_linux_${variant}.tar.gz`, undefined, auth);
}
else {
if (variant === "arm64") {
console.log(ARM64_RUNNER_MESSAGE);
return false;
}
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.15.0/agent_0.15.0_linux_amd64.tar.gz", undefined, auth);
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.16.0/agent_0.16.0_linux_amd64.tar.gz", undefined, auth);
}
if (!verifyChecksum(downloadPath, isTLS, variant, "linux")) {
return false;
@ -85571,7 +85571,7 @@ function installAgentBravo(configStr) {
const token = lib_core.getInput("token", { required: true });
const auth = `token ${token}`;
const variant = process.arch === "x64" ? "amd64" : "arm64";
const downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.1/harden-runner-bravo_1.8.1_linux_${variant}.tar.gz`, undefined, auth);
const downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.2/harden-runner-bravo_1.8.2_linux_${variant}.tar.gz`, undefined, auth);
if (!verifyChecksum(downloadPath, true, variant, "linux", "bravo")) {
return false;
}
@ -85690,7 +85690,7 @@ function installWindowsAgent(configStr) {
encoding: "utf8",
});
const agentExePath = external_path_.join(agentDir, "agent.exe");
const downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-releases/releases/download/v1.0.0-win/harden-runner-agent-windows_1.0.0_windows_amd64.tar.gz`, undefined, auth);
const downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-releases/releases/download/v1.0.2-win/harden-runner-agent-windows_1.0.2_windows_amd64.tar.gz`, undefined, auth);
// validate the checksum
if (!verifyChecksum(downloadPath, false, variant, process.platform)) {
return false;

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

37
src/checksum.test.ts
View file

@ -1,7 +1,7 @@
import * as fs from "fs";
import * as crypto from "crypto";
import * as core from "@actions/core";
import { verifyChecksum } from "./checksum";
import { verifyChecksum, CHECKSUMS } from "./checksum";
jest.mock("fs", () => ({
...jest.requireActual("fs"),
@ -24,10 +24,7 @@ function stubHash(hash: string) {
} as unknown as crypto.Hash);
}
const BRAVO_AMD64 = "2eeaa1b3cfb05adea0a4e2a36e342ccaf95b41aeb82a6a6e217d2971c15f5553";
const BRAVO_ARM64 = "8d7035ffbda165ad86de8bd00bf861c038e4a9e6d501adadc53a265945882533";
const TLS_AMD64 = "6105000c6c61f4a3ca27ed3a2796baa206bdb1eb83f0463adb0ec7e565af6e1c";
const NON_TLS_AMD64 = "4aaaeebbe10e619d8ce13e8cc4a1acbafc8f891e8cdd319984480b9ec08407b8";
const WRONG_HASH = "0".repeat(64);
describe("verifyChecksum", () => {
beforeEach(() => {
@ -37,23 +34,23 @@ describe("verifyChecksum", () => {
describe("agentType=bravo", () => {
test("passes with matching bravo amd64 checksum", () => {
stubHash(BRAVO_AMD64);
stubHash(CHECKSUMS.bravo.amd64);
expect(verifyChecksum("/tmp/f", true, "amd64", "linux", "bravo")).toBe(true);
expect(mockSetFailed).not.toHaveBeenCalled();
});
test("passes with matching bravo arm64 checksum", () => {
stubHash(BRAVO_ARM64);
stubHash(CHECKSUMS.bravo.arm64);
expect(verifyChecksum("/tmp/f", true, "arm64", "linux", "bravo")).toBe(true);
});
test("uses bravo checksum even when isTLS=false", () => {
stubHash(BRAVO_AMD64);
stubHash(CHECKSUMS.bravo.amd64);
expect(verifyChecksum("/tmp/f", false, "amd64", "linux", "bravo")).toBe(true);
});
test("fails on mismatched bravo checksum", () => {
stubHash("0".repeat(64));
stubHash(WRONG_HASH);
expect(verifyChecksum("/tmp/f", true, "amd64", "linux", "bravo")).toBe(false);
expect(mockSetFailed).toHaveBeenCalled();
});
@ -61,25 +58,39 @@ describe("verifyChecksum", () => {
describe("agentType default (omitted)", () => {
test("uses TLS checksum when isTLS=true", () => {
stubHash(TLS_AMD64);
stubHash(CHECKSUMS.tls.amd64);
expect(verifyChecksum("/tmp/f", true, "amd64", "linux")).toBe(true);
});
test("uses non_tls checksum when isTLS=false", () => {
stubHash(NON_TLS_AMD64);
stubHash(CHECKSUMS.non_tls.amd64);
expect(verifyChecksum("/tmp/f", false, "amd64", "linux")).toBe(true);
});
test("TLS mismatch fails", () => {
stubHash(BRAVO_AMD64);
stubHash(CHECKSUMS.bravo.amd64);
expect(verifyChecksum("/tmp/f", true, "amd64", "linux")).toBe(false);
expect(mockSetFailed).toHaveBeenCalled();
});
});
describe("darwin", () => {
test("passes with matching darwin checksum", () => {
stubHash(CHECKSUMS.darwin);
expect(verifyChecksum("/tmp/f", false, "", "darwin")).toBe(true);
});
});
describe("win32", () => {
test("passes with matching windows amd64 checksum", () => {
stubHash(CHECKSUMS.windows.amd64);
expect(verifyChecksum("/tmp/f", false, "amd64", "win32")).toBe(true);
});
});
describe("unsupported platform", () => {
test("returns false without calling setFailed", () => {
stubHash(BRAVO_AMD64);
stubHash(CHECKSUMS.bravo.amd64);
expect(verifyChecksum("/tmp/f", true, "amd64", "freebsd")).toBe(false);
expect(mockSetFailed).not.toHaveBeenCalled();
});

14
src/checksum.ts
View file

@ -2,21 +2,21 @@ import * as core from "@actions/core";
import * as crypto from "crypto";
import * as fs from "fs";
const CHECKSUMS = {
export const CHECKSUMS = {
tls: {
amd64: "6105000c6c61f4a3ca27ed3a2796baa206bdb1eb83f0463adb0ec7e565af6e1c", // v1.8.1
arm64: "0992da262be06580335725263ba6ee5c009dfd0448a948b7768ec077fdb9d3d8",
amd64: "713c91e921292027dacf446db44bafbc8e36a3f7f51dff664ba681c6e4398a05", // v1.8.2
arm64: "2c1eb365d6d9ae4cd4b6632a5f833bcdb7e75d0d9604de3391ff22e4e28e8d42",
},
non_tls: {
amd64: "4aaaeebbe10e619d8ce13e8cc4a1acbafc8f891e8cdd319984480b9ec08407b8", // v0.15.0
amd64: "e38de61e1afd98dd339bb9acce4996183875d482be1638fb198ab02b3e25bbef", // v0.16.0
},
bravo: {
amd64: "2eeaa1b3cfb05adea0a4e2a36e342ccaf95b41aeb82a6a6e217d2971c15f5553", // v1.8.1
arm64: "8d7035ffbda165ad86de8bd00bf861c038e4a9e6d501adadc53a265945882533",
amd64: "8d002af0c1c4bb73eaef0f2b641f7aa353cc3f4da36a4e418b69895a2baa922c", // v1.8.2
arm64: "1ce74a30d704c2e994246fc809d65af83e3f354aae7b9080b2c2eaee715cf005",
},
darwin: "fe26a1f6af4afe9f1a854d8633832f5d18ab542827003cae445b3a64021d612c", // v0.0.5
windows: {
amd64: "e98f8b9cf9ecf6566f1e16a470fbe4aef01610a644fd8203a1bab3ff142186c8", // v1.0.0
amd64: "93f1e5d87c6647e6eca7963d5f4b4bd73107029430f8e6945ffece93007a89f5", // v1.0.2
},
};

8
src/install-agent.ts
View file

@ -26,7 +26,7 @@ export async function installAgent(
if (isTLS) {
downloadPath = await tc.downloadTool(
`https://github.com/step-security/agent-ebpf/releases/download/v1.8.1/harden-runner_1.8.1_linux_${variant}.tar.gz`,
`https://github.com/step-security/agent-ebpf/releases/download/v1.8.2/harden-runner_1.8.2_linux_${variant}.tar.gz`,
undefined,
auth
);
@ -36,7 +36,7 @@ export async function installAgent(
return false;
}
downloadPath = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.15.0/agent_0.15.0_linux_amd64.tar.gz",
"https://github.com/step-security/agent/releases/download/v0.16.0/agent_0.16.0_linux_amd64.tar.gz",
undefined,
auth
);
@ -76,7 +76,7 @@ export async function installAgentBravo(configStr: string): Promise<boolean> {
const variant = process.arch === "x64" ? "amd64" : "arm64";
const downloadPath = await tc.downloadTool(
`https://github.com/step-security/agent-ebpf/releases/download/v1.8.1/harden-runner-bravo_1.8.1_linux_${variant}.tar.gz`,
`https://github.com/step-security/agent-ebpf/releases/download/v1.8.2/harden-runner-bravo_1.8.2_linux_${variant}.tar.gz`,
undefined,
auth
);
@ -226,7 +226,7 @@ export async function installWindowsAgent(configStr: string): Promise<boolean> {
const agentExePath = path.join(agentDir, "agent.exe");
const downloadPath = await tc.downloadTool(
`https://github.com/step-security/agent-releases/releases/download/v1.0.0-win/harden-runner-agent-windows_1.0.0_windows_amd64.tar.gz`,
`https://github.com/step-security/agent-releases/releases/download/v1.0.2-win/harden-runner-agent-windows_1.0.2_windows_amd64.tar.gz`,
undefined,
auth
);