add monitor call for bravo to populate one_time_key

The bravo agent authenticates to the backend using a per-job one_time_key issued by the /monitor endpoint and stored in DynamoDB keyed by correlation_id. Without it the presigned-URL request (and all telemetry endpoints via sendApiRequest) get rejected, so detection events never upload and insights never appear. For third-party runners, override correlation_id to RUNNER_NAME before the monitor call so the key stored in DDB matches the one the bravo agent will use when requesting presigned URLs. Drop the random api_key and customer field — when OneTimeKey is present the agent uses x-one-time-key header, not vm-api-key.
2026-06-05 12:55:14 +00:00 · 2026-04-19 07:10:45 -07:00 · 2026-04-19 07:10:45 -07:00 · 2f199dceb1
commit 2f199dceb1
parent fd9b4982b0
3 changed files with 50 additions and 8 deletions
--- a/dist/pre/index.js
+++ b/dist/pre/index.js
@ -85967,6 +85967,8 @@ var __rest = (undefined && undefined.__rest) || function (s, e) {
            const thirdPartyProvider = detectThirdPartyRunnerProvider();
            if (thirdPartyProvider) {
                lib_core.info(`Detected ${thirdPartyProvider} runner environment. Installing agent-bravo.`);
+                confg.correlation_id = runnerName || confg.correlation_id;
+                yield callMonitorEndpoint(api_url, confg);
                yield installAgentForBravo(github.context.repo.owner, confg);
                return;
            }
@ -86115,6 +86117,26 @@ function setup_sleep(ms) {
        setTimeout(resolve, ms);
    });
 }
+function callMonitorEndpoint(api_url, confg) {
+    return setup_awaiter(this, void 0, void 0, function* () {
+        const _http = new lib.HttpClient();
+        _http.requestOptions = { socketTimeout: 3 * 1000 };
+        try {
+            const monitorRequestData = {
+                correlation_id: confg.correlation_id,
+                job: process.env["GITHUB_JOB"],
+            };
+            const resp = yield _http.postJson(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`, monitorRequestData);
+            if (resp.statusCode === 200 && resp.result) {
+                console.log(`Runner IP Address: ${resp.result.runner_ip_address}`);
+                confg.one_time_key = resp.result.one_time_key;
+            }
+        }
+        catch (e) {
+            console.log(`error in connecting to ${api_url}: ${e}`);
+        }
+    });
+}
 function installAgentForSelfHosted(owner, confg) {
    return setup_awaiter(this, void 0, void 0, function* () {
        try {
@ -86172,7 +86194,6 @@ function installAgentForSelfHosted(owner, confg) {
    });
 }
 function installAgentForBravo(owner, confg) {
-    var _a;
    return setup_awaiter(this, void 0, void 0, function* () {
        try {
            console.log("Installing Harden Runner bravo agent for third-party runner");
@ -86182,13 +86203,12 @@ function installAgentForBravo(owner, confg) {
                return;
            }
            const bravoConfig = {
-                customer: owner,
                repo: confg.repo,
                run_id: confg.run_id,
-                correlation_id: (_a = process.env["RUNNER_NAME"]) !== null && _a !== void 0 ? _a : v4(),
+                correlation_id: confg.correlation_id,
                working_directory: confg.working_directory,
                api_url: confg.api_url,
-                api_key: v4(),
+                one_time_key: confg.one_time_key,
                allowed_endpoints: confg.allowed_endpoints,
                egress_policy: confg.egress_policy,
                disable_telemetry: confg.disable_telemetry,
--- a/dist/pre/index.js.map
+++ b/dist/pre/index.js.map
--- a/src/setup.ts
+++ b/src/setup.ts
@ -293,6 +293,8 @@ interface MonitorResponse {
      const thirdPartyProvider = detectThirdPartyRunnerProvider();
      if (thirdPartyProvider) {
        core.info(`Detected ${thirdPartyProvider} runner environment. Installing agent-bravo.`);
+        confg.correlation_id = runnerName || confg.correlation_id;
+        await callMonitorEndpoint(api_url, confg);
        await installAgentForBravo(context.repo.owner, confg);
        return;
      }
@ -478,6 +480,27 @@ export function sleep(ms: number) {
  });
 }

+async function callMonitorEndpoint(api_url: string, confg: Configuration) {
+  const _http = new httpm.HttpClient();
+  _http.requestOptions = { socketTimeout: 3 * 1000 };
+  try {
+    const monitorRequestData = {
+      correlation_id: confg.correlation_id,
+      job: process.env["GITHUB_JOB"],
+    };
+    const resp = await _http.postJson<MonitorResponse>(
+      `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`,
+      monitorRequestData
+    );
+    if (resp.statusCode === 200 && resp.result) {
+      console.log(`Runner IP Address: ${resp.result.runner_ip_address}`);
+      confg.one_time_key = resp.result.one_time_key;
+    }
+  } catch (e) {
+    console.log(`error in connecting to ${api_url}: ${e}`);
+  }
+}
+
 export async function installAgentForSelfHosted(owner: string, confg: Configuration) {
  try {
    console.log("Installing Harden Runner agent for self-hosted runner");
@ -549,13 +572,12 @@ export async function installAgentForBravo(owner: string, confg: Configuration)
    }

    const bravoConfig = {
-      customer: owner,
      repo: confg.repo,
      run_id: confg.run_id,
-      correlation_id: process.env["RUNNER_NAME"] ?? uuidv4(),
+      correlation_id: confg.correlation_id,
      working_directory: confg.working_directory,
      api_url: confg.api_url,
-      api_key: uuidv4(),
+      one_time_key: confg.one_time_key,
      allowed_endpoints: confg.allowed_endpoints,
      egress_policy: confg.egress_policy,
      disable_telemetry: confg.disable_telemetry,