step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-05 21:17:06 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add windows installation changes

Browse source
This commit is contained in:
sailikhith-stepsecurity 2026-01-19 10:00:09 +05:30
commit 276bb94451
No known key found for this signature in database
GPG key ID: D6A10CFA24ED74A7
12 changed files with 608 additions and 141 deletions
Download patch file Download diff file Expand all files Collapse all files

5
dist/index.js vendored
View file

@ -31979,6 +31979,7 @@ function addSummary() {
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const UNSUPPORTED_PLATFORM_MESSAGE = "This job is not running on a supported platform. Harden Runner supports Linux (Ubuntu) and Windows runners. This job will not be monitored.";
const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
@ -32091,8 +32092,8 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu
console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
return;
}
if (process.platform !== "linux") {
console.log(UBUNTU_MESSAGE);
if (process.platform !== "linux" && process.platform !== "win32") {
console.log(UNSUPPORTED_PLATFORM_MESSAGE);
return;
}
if (isGithubHosted() && isDocker()) {

2
dist/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

180
dist/post/index.js vendored
View file

@ -31878,6 +31878,8 @@ var __webpack_exports__ = {};
var external_fs_ = __nccwpck_require__(9896);
// EXTERNAL MODULE: external "child_process"
var external_child_process_ = __nccwpck_require__(5317);
// EXTERNAL MODULE: external "path"
var external_path_ = __nccwpck_require__(6928);
// EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
var lib_core = __nccwpck_require__(7484);
;// CONCATENATED MODULE: ./src/configs.ts
@ -31986,6 +31988,7 @@ function addSummary() {
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const UNSUPPORTED_PLATFORM_MESSAGE = "This job is not running on a supported platform. Harden Runner supports Linux (Ubuntu) and Windows runners. This job will not be monitored.";
const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
@ -32132,6 +32135,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
(() => cleanup_awaiter(void 0, void 0, void 0, function* () {
var _a, _b;
console.log("[harden-runner] post-step");
@ -32140,8 +32144,8 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
return;
}
if (process.platform !== "linux") {
console.log(UBUNTU_MESSAGE);
if (process.platform !== "linux" && process.platform !== "win32") {
console.log(UNSUPPORTED_PLATFORM_MESSAGE);
return;
}
if (isGithubHosted() && isDocker()) {
@ -32158,7 +32162,10 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
if (process.env.STATE_customVMImage === "true") {
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
if (process.platform === "linux" && process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
else if (process.platform === "win32" && process.arch === "arm64") {
return;
}
if (String(process.env.STATE_monitorStatusCode) ===
@ -32166,57 +32173,136 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (isGithubHosted() && external_fs_.existsSync("/home/agent/post_event.json")) {
console.log("Post step already executed, skipping");
return;
}
external_fs_.writeFileSync("/home/agent/post_event.json", JSON.stringify({ event: "post" }));
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!external_fs_.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
if (process.platform === "linux") {
if (isGithubHosted() && external_fs_.existsSync("/home/agent/post_event.json")) {
console.log("Post step already executed, skipping");
return;
}
external_fs_.writeFileSync("/home/agent/post_event.json", JSON.stringify({ event: "post" }));
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!external_fs_.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
yield sleep(1000);
} // The file *does* exist
else {
break;
}
yield sleep(1000);
} // The file *does* exist
else {
break;
}
const log = "/home/agent/agent.log";
if (external_fs_.existsSync(log)) {
console.log("log:");
var content = external_fs_.readFileSync(log, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (external_fs_.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = external_fs_.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (external_fs_.existsSync(status)) {
console.log("status:");
var content = external_fs_.readFileSync(status, "utf-8");
console.log(content);
}
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try {
var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", {
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
});
console.log("agent.service log:");
console.log(journalLog);
}
catch (error) {
console.log("Warning: Could not fetch service logs:", error.message);
}
}
}
const log = "/home/agent/agent.log";
if (external_fs_.existsSync(log)) {
console.log("log:");
var content = external_fs_.readFileSync(log, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (external_fs_.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = external_fs_.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (external_fs_.existsSync(status)) {
console.log("status:");
var content = external_fs_.readFileSync(status, "utf-8");
console.log(content);
}
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
else if (process.platform === "win32") {
// windows cleanup
const agentDir = process.env.STATE_agentDir || "C:\\agent";
const postEventFile = external_path_.join(agentDir, "post_event.json");
if (isGithubHosted() && external_fs_.existsSync(postEventFile)) {
console.log("windows post step already executed, skipping");
return;
}
const p = external_child_process_.spawn("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", "query user; exit $LASTEXITCODE"], { stdio: ["ignore", "pipe", "pipe"], shell: false, windowsHide: true });
p.unref();
external_fs_.writeFileSync(postEventFile, JSON.stringify({ event: "post" }));
const doneFile = external_path_.join(agentDir, "done.json");
let counter = 0;
while (true) {
if (!external_fs_.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
yield sleep(1000);
}
else {
break;
}
}
console.log("stopping windows agent process...");
const pidFile = external_path_.join(agentDir, "agent.pid");
try {
var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", {
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
});
console.log("agent.service log:");
console.log(journalLog);
if (!external_fs_.existsSync(pidFile)) {
console.log("PID file not found. Agent may not be running.");
return;
}
const pid = parseInt(external_fs_.readFileSync(pidFile, "utf8").trim());
console.log(`agent PID from file: ${pid}`);
try {
process.kill(pid, 0); // signal 0 just checks if process exists
}
catch (_c) {
console.log("agent process not running.");
external_fs_.unlinkSync(pidFile);
return;
}
console.log(`stopping agent process (PID: ${pid})...`);
process.kill(pid, 'SIGINT');
let gracefulShutdown = false;
for (let i = 0; i < 10; i++) {
yield sleep(1000);
try {
process.kill(pid, 0); // check if still exists
}
catch (_d) {
gracefulShutdown = true;
console.log("agent process stopped gracefully");
break;
}
}
if (!gracefulShutdown) {
console.log("graceful shutdown timeout (10s), forcing termination...");
process.kill(pid, 'SIGKILL');
console.log("agent process terminated forcefully");
}
if (external_fs_.existsSync(pidFile)) {
external_fs_.unlinkSync(pidFile);
console.log("PID file cleaned up");
}
}
catch (error) {
console.log("Warning: Could not fetch service logs:", error.message);
console.log("warning: error stopping agent process:", error.message);
}
const log = external_path_.join(agentDir, "agent.log");
if (external_fs_.existsSync(log)) {
console.log("agent log:");
var content = external_fs_.readFileSync(log, "utf-8");
console.log(content);
}
}
try {

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

155
dist/pre/index.js vendored
View file

@ -85250,6 +85250,7 @@ function addSummary() {
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const UNSUPPORTED_PLATFORM_MESSAGE = "This job is not running on a supported platform. Harden Runner supports Linux (Ubuntu) and Windows runners. This job will not be monitored.";
const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
@ -85501,18 +85502,25 @@ const CHECKSUMS = {
non_tls: {
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
},
windows: {
amd64: "", // v0.0.1
},
};
function verifyChecksum(downloadPath, isTLS, variant) {
function verifyChecksum(downloadPath, isTLS, variant, platform) {
const fileBuffer = external_fs_.readFileSync(downloadPath);
const checksum = external_crypto_.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
let expectedChecksum = "";
if (isTLS) {
expectedChecksum = CHECKSUMS["tls"][variant];
}
else {
expectedChecksum = CHECKSUMS["non_tls"][variant];
switch (platform) {
case "linux":
expectedChecksum = isTLS
? CHECKSUMS["tls"][variant]
: CHECKSUMS["non_tls"][variant];
break;
case "win32":
expectedChecksum = CHECKSUMS["windows"][variant];
break;
}
if (checksum !== expectedChecksum) {
lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
@ -85558,7 +85566,7 @@ function installAgent(isTLS, configStr) {
}
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.2/agent_0.14.2_linux_amd64.tar.gz", undefined, auth);
}
verifyChecksum(downloadPath, isTLS, variant);
verifyChecksum(downloadPath, isTLS, variant, process.platform);
const extractPath = yield tool_cache.extractTar(downloadPath);
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args);
@ -85576,6 +85584,108 @@ function installAgent(isTLS, configStr) {
return true;
});
}
function installWindowsAgent(configStr) {
return install_agent_awaiter(this, void 0, void 0, function* () {
const token = lib_core.getInput("token", { required: true });
const auth = `token ${token}`;
const variant = process.arch === "x64" ? "amd64" : "arm64";
if (variant === "arm64") {
console.log(ARM64_RUNNER_MESSAGE);
return false;
}
// set up agent directory at C:\agent
const agentDir = "C:\\agent";
lib_core.info(`Creating agent directory: ${agentDir}`);
if (!external_fs_.existsSync(agentDir)) {
external_fs_.mkdirSync(agentDir, { recursive: true });
}
external_fs_.appendFileSync(process.env.GITHUB_STATE, `agentDir=${agentDir}${external_os_.EOL}`, {
encoding: "utf8",
});
const agentExePath = external_path_.join(agentDir, "agent.exe");
// uncomment to download agent from github
// const downloadPath = await tc.downloadTool(
// `https://github.com/step-security/agent-releases/releases/download/v0.0.1/agent_0.0.1_windows_amd64.tar.gz`,
// undefined,
// auth
// );
// verifyChecksum(downloadPath, false, variant, process.platform);
// const extractPath = await tc.extractTar(downloadPath);
// let cmd = "cp",
// args = [path.join(extractPath, "agent.exe"), agentExePath];
// cp.execFileSync(cmd, args);
// Download Windows agent from S3 - TODO: remove this later once github releases are available
// Get S3 URL from environment variable or GitHub Actions input
const s3Url = process.env.AGENT_S3_URL || lib_core.getInput("agent-s3-url");
if (!s3Url) {
lib_core.setFailed("S3 URL not configured. Please set AGENT_S3_URL environment variable or provide 'agent-s3-url' input.");
return false;
}
const tarGzPath = external_path_.join(agentDir, "agent_windows_amd64.tar.gz");
lib_core.info(`Downloading Windows agent from S3...`);
try {
// Download tar.gz from S3 using curl
lib_core.info(`Downloading from: ${s3Url}`);
external_child_process_.execSync(`curl -L -o "${tarGzPath}" "${s3Url}"`, { stdio: "inherit" });
if (!external_fs_.existsSync(tarGzPath)) {
lib_core.setFailed("Failed to download agent.tar.gz from S3");
return false;
}
lib_core.info(`Downloaded tar.gz to: ${tarGzPath}`);
// Extract tar.gz
lib_core.info("Extracting tar.gz...");
external_child_process_.execSync(`tar -xzf "${tarGzPath}" -C "${agentDir}"`, { stdio: "inherit" });
// Verify agent.exe exists after extraction
if (external_fs_.existsSync(agentExePath)) {
lib_core.info(`Agent extracted to: ${agentExePath}`);
// Clean up tar.gz
external_fs_.unlinkSync(tarGzPath);
}
else {
lib_core.setFailed("agent.exe not found after extraction");
return false;
}
}
catch (error) {
lib_core.setFailed(`Failed to download Windows agent: ${error.message}`);
return false;
}
// Write config.json
const configPath = external_path_.join(agentDir, "config.json");
external_fs_.writeFileSync(configPath, configStr);
lib_core.info(`Created config file: ${configPath}`);
lib_core.info("Starting Windows Agent...");
try {
// start the agent process in the background
lib_core.info(`Executing: ${agentExePath}`);
// set up log file for agent output
const logPath = external_path_.join(agentDir, "agent.log");
const logStream = external_fs_.openSync(logPath, 'a');
lib_core.info(`Agent logs will be written to: ${logPath}`);
const { spawn } = __nccwpck_require__(5317);
const agentProcess = spawn(agentExePath, [], {
cwd: agentDir,
detached: true,
stdio: ['ignore', logStream, logStream],
windowsHide: false,
shell: false
});
// save the PID to a file for later termination
const pidFile = external_path_.join(agentDir, "agent.pid");
external_fs_.writeFileSync(pidFile, agentProcess.pid.toString());
lib_core.info(`Agent process started with PID: ${agentProcess.pid}`);
lib_core.info(`PID saved to: ${pidFile}`);
// unref the process so it can continue running independently
agentProcess.unref();
lib_core.info("Windows Agent process started successfully");
return true;
}
catch (error) {
lib_core.setFailed(`Failed to start Windows agent process: ${error.message}`);
return false;
}
});
}
;// CONCATENATED MODULE: ./src/setup.ts
var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
@ -85617,8 +85727,8 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
return;
}
if (process.platform !== "linux") {
console.log(UBUNTU_MESSAGE);
if (process.platform !== "linux" && process.platform !== "win32") {
console.log(UNSUPPORTED_PLATFORM_MESSAGE);
return;
}
if (isGithubHosted() && isDocker()) {
@ -85820,14 +85930,29 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
return;
}
const confgStr = JSON.stringify(confg);
external_child_process_.execSync("sudo mkdir -p /home/agent");
chownForFolder(process.env.USER, "/home/agent");
let isTLS = yield isTLSEnabled(github.context.repo.owner);
const agentInstalled = yield installAgent(isTLS, confgStr);
// install agent based on platform
let agentInstalled = false;
let statusFile;
let logFile;
if (process.platform === "win32") {
// Windows installation
lib_core.info("Installing Windows Agent...");
agentInstalled = yield installWindowsAgent(confgStr);
const agentDir = process.env.STATE_agentDir || "C:\\agent";
statusFile = external_path_.join(agentDir, "agent.status");
logFile = external_path_.join(agentDir, "agent.log");
}
else {
// Linux installation
external_child_process_.execSync("sudo mkdir -p /home/agent");
chownForFolder(process.env.USER, "/home/agent");
let isTLS = yield isTLSEnabled(github.context.repo.owner);
agentInstalled = yield installAgent(isTLS, confgStr);
statusFile = "/home/agent/agent.status";
logFile = "/home/agent/agent.log";
}
if (agentInstalled) {
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!external_fs_.existsSync(statusFile)) {

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

21
src/checksum.ts
View file

@ -10,12 +10,16 @@ const CHECKSUMS = {
non_tls: {
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
},
windows: {
amd64: "", // v0.0.1
},
};
export function verifyChecksum(
downloadPath: string,
isTLS: boolean,
variant: string
variant: string,
platform: string
) {
const fileBuffer: Buffer = fs.readFileSync(downloadPath);
const checksum: string = crypto
@ -25,11 +29,16 @@ export function verifyChecksum(
let expectedChecksum: string = "";
if (isTLS) {
expectedChecksum = CHECKSUMS["tls"][variant];
} else {
expectedChecksum = CHECKSUMS["non_tls"][variant];
}
switch (platform) {
case "linux":
expectedChecksum = isTLS
? CHECKSUMS["tls"][variant]
: CHECKSUMS["non_tls"][variant];
break;
case "win32":
expectedChecksum = CHECKSUMS["windows"][variant];
break;
}
if (checksum !== expectedChecksum) {
core.setFailed(

205
src/cleanup.ts
View file

@ -1,5 +1,6 @@
import * as fs from "fs";
import * as cp from "child_process";
import * as path from "path";
import * as common from "./common";
import isDocker from "is-docker";
import { isARCRunner } from "./arc-runner";
@ -14,8 +15,8 @@ import { context } from "@actions/github";
return;
}
if (process.platform !== "linux") {
console.log(common.UBUNTU_MESSAGE);
if (process.platform !== "linux" && process.platform !== "win32") {
console.log(common.UNSUPPORTED_PLATFORM_MESSAGE);
return;
}
if (isGithubHosted() && isDocker()) {
@ -36,7 +37,9 @@ import { context } from "@actions/github";
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
if (process.platform === "linux" && process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
} else if (process.platform === "win32" && process.arch === "arm64") {
return;
}
@ -47,71 +50,163 @@ import { context } from "@actions/github";
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (process.platform === "linux") {
if (isGithubHosted() && fs.existsSync("/home/agent/post_event.json")) {
console.log("Post step already executed, skipping");
return;
}
if (isGithubHosted() && fs.existsSync("/home/agent/post_event.json")) {
console.log("Post step already executed, skipping");
return;
}
fs.writeFileSync(
"/home/agent/post_event.json",
JSON.stringify({ event: "post" })
);
fs.writeFileSync(
"/home/agent/post_event.json",
JSON.stringify({ event: "post" })
);
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!fs.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!fs.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
await sleep(1000);
} // The file *does* exist
else {
break;
}
await sleep(1000);
} // The file *does* exist
else {
break;
}
}
const log = "/home/agent/agent.log";
if (fs.existsSync(log)) {
console.log("log:");
var content = fs.readFileSync(log, "utf-8");
console.log(content);
}
const log = "/home/agent/agent.log";
if (fs.existsSync(log)) {
console.log("log:");
var content = fs.readFileSync(log, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (fs.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = fs.readFileSync(daemonLog, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (fs.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = fs.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (fs.existsSync(status)) {
console.log("status:");
var content = fs.readFileSync(status, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (fs.existsSync(status)) {
console.log("status:");
var content = fs.readFileSync(status, "utf-8");
console.log(content);
}
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try {
var journalLog = cp.execSync(
"sudo journalctl -u agent.service --lines=1000",
{
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try {
var journalLog = cp.execSync(
"sudo journalctl -u agent.service --lines=1000",
{
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
}
);
console.log("agent.service log:");
console.log(journalLog);
} catch (error) {
console.log("Warning: Could not fetch service logs:", error.message);
}
}
} else if (process.platform === "win32") {
// windows cleanup
const agentDir = process.env.STATE_agentDir || "C:\\agent";
const postEventFile = path.join(agentDir, "post_event.json");
if (isGithubHosted() && fs.existsSync(postEventFile)) {
console.log("windows post step already executed, skipping");
return;
}
const p = cp.spawn(
"powershell.exe",
["-NoProfile", "-NonInteractive", "-Command", "query user; exit $LASTEXITCODE"],
{ stdio: ["ignore", "pipe", "pipe"], shell: false, windowsHide: true }
);
p.unref();
fs.writeFileSync(postEventFile, JSON.stringify({ event: "post" }));
const doneFile = path.join(agentDir, "done.json");
let counter = 0;
while (true) {
if (!fs.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
);
console.log("agent.service log:");
console.log(journalLog);
await sleep(1000);
} else {
break;
}
}
console.log("stopping windows agent process...");
const pidFile = path.join(agentDir, "agent.pid");
try {
if (!fs.existsSync(pidFile)) {
console.log("PID file not found. Agent may not be running.");
return;
}
const pid = parseInt(fs.readFileSync(pidFile, "utf8").trim());
console.log(`agent PID from file: ${pid}`);
try {
process.kill(pid, 0); // signal 0 just checks if process exists
} catch {
console.log("agent process not running.");
fs.unlinkSync(pidFile);
return;
}
console.log(`stopping agent process (PID: ${pid})...`);
process.kill(pid, 'SIGINT');
let gracefulShutdown = false;
for (let i = 0; i < 10; i++) {
await sleep(1000);
try {
process.kill(pid, 0); // check if still exists
} catch {
gracefulShutdown = true;
console.log("agent process stopped gracefully");
break;
}
}
if (!gracefulShutdown) {
console.log("graceful shutdown timeout (10s), forcing termination...");
process.kill(pid, 'SIGKILL');
console.log("agent process terminated forcefully");
}
if (fs.existsSync(pidFile)) {
fs.unlinkSync(pidFile);
console.log("PID file cleaned up");
}
} catch (error) {
console.log("Warning: Could not fetch service logs:", error.message);
console.log("warning: error stopping agent process:", error.message);
}
const log = path.join(agentDir, "agent.log");
if (fs.existsSync(log)) {
console.log("agent log:");
var content = fs.readFileSync(log, "utf-8");
console.log(content);
}
}

3
src/common.ts
View file

@ -131,6 +131,9 @@ export const CONTAINER_MESSAGE =
export const UBUNTU_MESSAGE =
"This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
export const UNSUPPORTED_PLATFORM_MESSAGE =
"This job is not running on a supported platform. Harden Runner supports Linux (Ubuntu) and Windows runners. This job will not be monitored.";
export const SELF_HOSTED_RUNNER_MESSAGE =
"This job is running on a self-hosted runner.";

4
src/index.ts
View file

@ -13,8 +13,8 @@ import { context } from "@actions/github";
return;
}
if (process.platform !== "linux") {
console.log(common.UBUNTU_MESSAGE);
if (process.platform !== "linux" && process.platform !== "win32") {
console.log(common.UNSUPPORTED_PLATFORM_MESSAGE);
return;
}
if (isGithubHosted() && isDocker()) {

133
src/install-agent.ts
View file

@ -41,7 +41,7 @@ export async function installAgent(
);
}
verifyChecksum(downloadPath, isTLS, variant);
verifyChecksum(downloadPath, isTLS, variant, process.platform);
const extractPath = await tc.extractTar(downloadPath);
@ -65,3 +65,134 @@ export async function installAgent(
cp.execSync("sudo service agent start", { timeout: 15000 });
return true;
}
export async function installWindowsAgent(
configStr: string
): Promise<boolean> {
const token = core.getInput("token", { required: true });
const auth = `token ${token}`;
const variant = process.arch === "x64" ? "amd64" : "arm64";
if (variant === "arm64") {
console.log(ARM64_RUNNER_MESSAGE);
return false;
}
// set up agent directory at C:\agent
const agentDir = "C:\\agent";
core.info(`Creating agent directory: ${agentDir}`);
if (!fs.existsSync(agentDir)) {
fs.mkdirSync(agentDir, { recursive: true });
}
fs.appendFileSync(
process.env.GITHUB_STATE,
`agentDir=${agentDir}${EOL}`,
{
encoding: "utf8",
}
);
const agentExePath = path.join(agentDir, "agent.exe");
// uncomment to download agent from github
// const downloadPath = await tc.downloadTool(
// `https://github.com/step-security/agent-releases/releases/download/v0.0.1/agent_0.0.1_windows_amd64.tar.gz`,
// undefined,
// auth
// );
// verifyChecksum(downloadPath, false, variant, process.platform);
// const extractPath = await tc.extractTar(downloadPath);
// let cmd = "cp",
// args = [path.join(extractPath, "agent.exe"), agentExePath];
// cp.execFileSync(cmd, args);
// Download Windows agent from S3 - TODO: remove this later once github releases are available
// Get S3 URL from environment variable or GitHub Actions input
const s3Url = process.env.AGENT_S3_URL || core.getInput("agent-s3-url");
if (!s3Url) {
core.setFailed(
"S3 URL not configured. Please set AGENT_S3_URL environment variable or provide 'agent-s3-url' input."
);
return false;
}
const tarGzPath = path.join(agentDir, "agent_windows_amd64.tar.gz");
core.info(`Downloading Windows agent from S3...`);
try {
// Download tar.gz from S3 using curl
core.info(`Downloading from: ${s3Url}`);
cp.execSync(`curl -L -o "${tarGzPath}" "${s3Url}"`, { stdio: "inherit" });
if (!fs.existsSync(tarGzPath)) {
core.setFailed("Failed to download agent.tar.gz from S3");
return false;
}
core.info(`Downloaded tar.gz to: ${tarGzPath}`);
// Extract tar.gz
core.info("Extracting tar.gz...");
cp.execSync(`tar -xzf "${tarGzPath}" -C "${agentDir}"`, { stdio: "inherit" });
// Verify agent.exe exists after extraction
if (fs.existsSync(agentExePath)) {
core.info(`Agent extracted to: ${agentExePath}`);
// Clean up tar.gz
fs.unlinkSync(tarGzPath);
} else {
core.setFailed("agent.exe not found after extraction");
return false;
}
} catch (error) {
core.setFailed(`Failed to download Windows agent: ${error.message}`);
return false;
}
// Write config.json
const configPath = path.join(agentDir, "config.json");
fs.writeFileSync(configPath, configStr);
core.info(`Created config file: ${configPath}`);
core.info("Starting Windows Agent...");
try {
// start the agent process in the background
core.info(`Executing: ${agentExePath}`);
// set up log file for agent output
const logPath = path.join(agentDir, "agent.log");
const logStream = fs.openSync(logPath, 'a');
core.info(`Agent logs will be written to: ${logPath}`);
const { spawn } = require('child_process');
const agentProcess = spawn(agentExePath, [], {
cwd: agentDir,
detached: true,
stdio: ['ignore', logStream, logStream],
windowsHide: false,
shell: false
});
// save the PID to a file for later termination
const pidFile = path.join(agentDir, "agent.pid");
fs.writeFileSync(pidFile, agentProcess.pid.toString());
core.info(`Agent process started with PID: ${agentProcess.pid}`);
core.info(`PID saved to: ${pidFile}`);
// unref the process so it can continue running independently
agentProcess.unref();
core.info("Windows Agent process started successfully");
return true;
} catch (error) {
core.setFailed(
`Failed to start Windows agent process: ${error.message}`
);
return false;
}
}

35
src/setup.ts
View file

@ -27,7 +27,7 @@ import * as utils from "@actions/cache/lib/internal/cacheUtils";
import { isARCRunner, sendAllowedEndpoints } from "./arc-runner";
import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
import { installAgent } from "./install-agent";
import { installAgent, installWindowsAgent } from "./install-agent";
interface MonitorResponse {
runner_ip_address?: string;
@ -45,8 +45,8 @@ interface MonitorResponse {
return;
}
if (process.platform !== "linux") {
console.log(common.UBUNTU_MESSAGE);
if (process.platform !== "linux" && process.platform !== "win32") {
console.log(common.UNSUPPORTED_PLATFORM_MESSAGE);
return;
}
if (isGithubHosted() && isDocker()) {
@ -322,17 +322,34 @@ interface MonitorResponse {
}
const confgStr = JSON.stringify(confg);
cp.execSync("sudo mkdir -p /home/agent");
chownForFolder(process.env.USER, "/home/agent");
// install agent based on platform
let agentInstalled = false;
let statusFile: string;
let logFile: string;
let isTLS = await isTLSEnabled(context.repo.owner);
if (process.platform === "win32") {
// Windows installation
core.info("Installing Windows Agent...");
agentInstalled = await installWindowsAgent(confgStr);
const agentInstalled = await installAgent(isTLS, confgStr);
const agentDir = process.env.STATE_agentDir || "C:\\agent";
statusFile = path.join(agentDir, "agent.status");
logFile = path.join(agentDir, "agent.log");
} else {
// Linux installation
cp.execSync("sudo mkdir -p /home/agent");
chownForFolder(process.env.USER, "/home/agent");
let isTLS = await isTLSEnabled(context.repo.owner);
agentInstalled = await installAgent(isTLS, confgStr);
statusFile = "/home/agent/agent.status";
logFile = "/home/agent/agent.log";
}
if (agentInstalled) {
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!fs.existsSync(statusFile)) {