Add code for GH action

.gitignore

@@ -80,7 +80,7 @@ typings/
 
 # Nuxt.js build / generate output
 .nuxt
-dist
+#dist
 
 # Gatsby files
 .cache/
@@ -101,4 +101,4 @@ dist
 .dynamodb/
 
 # TernJS port file
-.tern-port
+.tern-port

README.md

@@ -1,2 +1,4 @@
 # audit-workflow
 GitHub Actions Runtime Security
+
+Work in progress...

action.yml

@@ -0,0 +1,7 @@
+name: 'Step Security Audit Workflow'
+description: 'GitHub Actions Runtime Security'
+runs:
+  using: 'node12'
+  pre: 'dist/pre/index.js'
+  main: 'dist/index.js'
+  post: 'dist/post/index.js'

dist/index.js

@@ -0,0 +1,43 @@
+require('./sourcemap-register.js');/******/ (() => { // webpackBootstrap
+/******/ 	var __webpack_modules__ = ({
+
+/***/ 144:
+/***/ (function() {
+
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+(() => __awaiter(this, void 0, void 0, function* () {
+    if (process.platform !== "linux") {
+        console.log("Only runs on linux");
+        return;
+    }
+}))();
+
+
+/***/ })
+
+/******/ 	});
+/************************************************************************/
+/******/ 	/* webpack/runtime/compat */
+/******/ 	
+/******/ 	if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";
+/******/ 	
+/************************************************************************/
+/******/ 	
+/******/ 	// startup
+/******/ 	// Load entry module and return exports
+/******/ 	// This entry module is referenced by other modules so it can't be inlined
+/******/ 	var __webpack_exports__ = {};
+/******/ 	__webpack_modules__[144]();
+/******/ 	module.exports = __webpack_exports__;
+/******/ 	
+/******/ })()
+;
+//# sourceMappingURL=index.js.map

dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sources":["../webpack://step-security-audit-workflow/./src/index.ts","../webpack://step-security-audit-workflow/webpack/runtime/compat","../webpack://step-security-audit-workflow/webpack/startup"],"sourcesContent":["(async () => {\n  if (process.platform !== \"linux\") {\n    console.log(\"Only runs on linux\");\n    return;\n  }\n})();\n","\nif (typeof __webpack_require__ !== 'undefined') __webpack_require__.ab = __dirname + \"/\";","// startup\n// Load entry module and return exports\n// This entry module is referenced by other modules so it can't be inlined\nvar __webpack_exports__ = {};\n__webpack_modules__[144]();\n"],"mappings":";;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;;;A;;;;;ACLA;AACA;;;;ACDA;AACA;AACA;AACA;AACA;;;;A","sourceRoot":""}

dist/post/index.js

@@ -0,0 +1,81 @@
+require('./sourcemap-register.js');/******/ (() => { // webpackBootstrap
+/******/ 	"use strict";
+/******/ 	// The require scope
+/******/ 	var __nccwpck_require__ = {};
+/******/ 	
+/************************************************************************/
+/******/ 	/* webpack/runtime/make namespace object */
+/******/ 	(() => {
+/******/ 		// define __esModule on exports
+/******/ 		__nccwpck_require__.r = (exports) => {
+/******/ 			if(typeof Symbol !== 'undefined' && Symbol.toStringTag) {
+/******/ 				Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+/******/ 			}
+/******/ 			Object.defineProperty(exports, '__esModule', { value: true });
+/******/ 		};
+/******/ 	})();
+/******/ 	
+/******/ 	/* webpack/runtime/compat */
+/******/ 	
+/******/ 	if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";
+/******/ 	
+/************************************************************************/
+var __webpack_exports__ = {};
+// ESM COMPAT FLAG
+__nccwpck_require__.r(__webpack_exports__);
+
+;// CONCATENATED MODULE: external "fs"
+const external_fs_namespaceObject = require("fs");
+;// CONCATENATED MODULE: ./src/cleanup.ts
+var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+(() => __awaiter(void 0, void 0, void 0, function* () {
+    if (process.platform !== "linux") {
+        console.log("Only runs on linux");
+        return;
+    }
+    external_fs_namespaceObject.writeFileSync("/home/agent/post_event.json", JSON.stringify({ event: "post" }));
+    var doneFile = "/home/agent/done.json";
+    var counter = 0;
+    while (true) {
+        if (!external_fs_namespaceObject.existsSync(doneFile)) {
+            counter++;
+            if (counter > 30) {
+                console.log("timed out");
+                break;
+            }
+            yield sleep(1000);
+        } // The file *does* exist
+        else {
+            break;
+        }
+    }
+    var log = "/home/agent/agent.log";
+    console.log("log:");
+    var content = external_fs_namespaceObject.readFileSync(log, "utf-8");
+    console.log(content);
+    var status = "/home/agent/agent.status";
+    if (external_fs_namespaceObject.existsSync(status)) {
+        console.log("status:");
+        var content = external_fs_namespaceObject.readFileSync(status, "utf-8");
+        console.log(content);
+    }
+}))();
+function sleep(ms) {
+    return new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}
+
+module.exports = __webpack_exports__;
+/******/ })()
+;
+//# sourceMappingURL=index.js.map

dist/post/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sources":["../webpack://step-security-audit-workflow/webpack/bootstrap","../webpack://step-security-audit-workflow/webpack/runtime/make namespace object","../webpack://step-security-audit-workflow/webpack/runtime/compat","../webpack://step-security-audit-workflow/external \"fs\"","../webpack://step-security-audit-workflow/./src/cleanup.ts"],"sourcesContent":["// The require scope\nvar __webpack_require__ = {};\n\n","// define __esModule on exports\n__webpack_require__.r = (exports) => {\n\tif(typeof Symbol !== 'undefined' && Symbol.toStringTag) {\n\t\tObject.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });\n\t}\n\tObject.defineProperty(exports, '__esModule', { value: true });\n};","\nif (typeof __webpack_require__ !== 'undefined') __webpack_require__.ab = __dirname + \"/\";","const __WEBPACK_NAMESPACE_OBJECT__ = require(\"fs\");","import * as fs from \"fs\";\n\n(async () => {\n  if (process.platform !== \"linux\") {\n    console.log(\"Only runs on linux\");\n    return;\n  }\n\n  fs.writeFileSync(\n    \"/home/agent/post_event.json\",\n    JSON.stringify({ event: \"post\" })\n  );\n\n  var doneFile = \"/home/agent/done.json\";\n  var counter = 0;\n  while (true) {\n    if (!fs.existsSync(doneFile)) {\n      counter++;\n      if (counter > 30) {\n        console.log(\"timed out\");\n\n        break;\n      }\n      await sleep(1000);\n    } // The file *does* exist\n    else {\n      break;\n    }\n  }\n\n  var log = \"/home/agent/agent.log\";\n  console.log(\"log:\");\n  var content = fs.readFileSync(log, \"utf-8\");\n  console.log(content);\n  var status = \"/home/agent/agent.status\";\n  if (fs.existsSync(status)) {\n    console.log(\"status:\");\n    var content = fs.readFileSync(status, \"utf-8\");\n    console.log(content);\n  }\n})();\n\nfunction sleep(ms) {\n  return new Promise((resolve) => {\n    setTimeout(resolve, ms);\n  });\n}\n"],"mappings":";;AAAA;AACA;AACA;;;;ACFA;AACA;AACA;AACA;AACA;AACA;AACA;;;;ACNA;AACA;;;;;;;;ACDA;;;;;;;;;;;ACAA;AAEA;AACA;AACA;AACA;AACA;AAEA;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;;;;A","sourceRoot":""}

dist/pre/agent.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Agent
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/home/agent/agent
+WorkingDirectory=/home/agent
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=agentservice
+AmbientCapabilities=CAP_NET_BIND_SERVICE, CAP_NET_ADMIN
+
+[Install]
+WantedBy=multi-user.target

package.json

@@ -0,0 +1,44 @@
+{
+    "name": "step-security-audit-workflow",
+    "version": "0.0.1",
+    "description": "GitHub Actions Runtime Security",
+    "main": "index.js",
+    "scripts": {
+        "build": "npm run main && npm run pre && npm run post",
+        "main": "ncc build src/index.ts --source-map",
+        "pre": "ncc build src/setup.ts --source-map -o dist/pre",
+        "post": "ncc build src/cleanup.ts --source-map -o dist/post",
+        "lint": "eslint src/**/*.ts"
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/step-security/audit-workflow.git"
+    },
+    "keywords": [],
+    "author": "Varun Sharma",
+    "license": "Apache License 2.0",
+    "bugs": {
+        "url": "https://github.com/step-security/audit-workflow/issues"
+    },
+    "homepage": "https://github.com/step-security/audit-workflow#readme",
+    "dependencies": {
+        "@actions/core": "^1.5.0",
+        "@actions/exec": "^1.1.0",
+        "@actions/github": "^5.0.0",
+        "node-fetch": "^2.6.1",
+        "uuid": "^8.3.2"
+    },
+    "devDependencies": {
+        "@types/jest": "^27.0.1",
+        "@types/node": "^16.9.0",
+        "@typescript-eslint/eslint-plugin": "^4.29.2",
+        "@typescript-eslint/parser": "^4.29.2",
+        "@vercel/ncc": "^0.30.0",
+        "eslint": "^7.32.0",
+        "eslint-config-google": "^0.14.0",
+        "jest": "^26.6.3",
+        "jest-junit": "^12.2.0",
+        "ts-jest": "^26.5.6",
+        "typescript": "^4.3.5"
+    }
+}

src/cleanup.ts

@@ -0,0 +1,47 @@
+import * as fs from "fs";
+
+(async () => {
+  if (process.platform !== "linux") {
+    console.log("Only runs on linux");
+    return;
+  }
+
+  fs.writeFileSync(
+    "/home/agent/post_event.json",
+    JSON.stringify({ event: "post" })
+  );
+
+  var doneFile = "/home/agent/done.json";
+  var counter = 0;
+  while (true) {
+    if (!fs.existsSync(doneFile)) {
+      counter++;
+      if (counter > 30) {
+        console.log("timed out");
+
+        break;
+      }
+      await sleep(1000);
+    } // The file *does* exist
+    else {
+      break;
+    }
+  }
+
+  var log = "/home/agent/agent.log";
+  console.log("log:");
+  var content = fs.readFileSync(log, "utf-8");
+  console.log(content);
+  var status = "/home/agent/agent.status";
+  if (fs.existsSync(status)) {
+    console.log("status:");
+    var content = fs.readFileSync(status, "utf-8");
+    console.log(content);
+  }
+})();
+
+function sleep(ms) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}

src/index.ts

@@ -0,0 +1,6 @@
+(async () => {
+  if (process.platform !== "linux") {
+    console.log("Only runs on linux");
+    return;
+  }
+})();

src/setup.ts

@@ -0,0 +1,90 @@
+import * as core from "@actions/core";
+import { context } from "@actions/github/lib/utils";
+import * as cp from "child_process";
+import * as fs from "fs";
+import * as https from "https";
+import * as path from "path";
+import { v4 as uuidv4 } from "uuid";
+
+(async () => {
+  try {
+    if (process.platform !== "linux") {
+      console.log("Only runs on linux");
+      return;
+    }
+
+    var correlation_id = uuidv4();
+    var env = "beta";
+    var api_url = `https://${env}.api.stepsecurity.io/v1`;
+
+    const confg = {
+      repo: process.env["GITHUB_REPOSITORY"],
+      run_id: process.env["GITHUB_RUN_ID"],
+      correlation_id: correlation_id,
+      working_directory: process.env["GITHUB_WORKSPACE"],
+      api_url: api_url,
+    };
+
+    const confgStr = JSON.stringify(confg);
+    cp.execSync("sudo mkdir -p /home/agent");
+    cp.execSync("sudo chown -R $USER /home/agent");
+
+    const filename = path.join(__dirname, "agent");
+    https.get(
+      `https://step-security-agent.s3.us-west-2.amazonaws.com/refs/heads/${env}/agent`,
+      (res) => {
+        const filePath = fs.createWriteStream(filename);
+        res.pipe(filePath);
+        filePath
+          .on("error", (err) => {})
+          .on("finish", async () => {
+            filePath.close();
+            core.notice(correlation_id, { title: "1234" });
+            cp.execSync(`cp ${__dirname}/agent /home/agent/agent`);
+            cp.execSync("chmod +x /home/agent/agent");
+
+            fs.writeFileSync("/home/agent/agent.json", confgStr);
+
+            cp.execSync(
+              `sudo cp ${__dirname}/agent.service /etc/systemd/system/agent.service`
+            );
+            cp.execSync("sudo systemctl daemon-reload");
+            cp.execSync("sudo service agent start", { timeout: 15000 });
+
+            // Check that the file exists locally
+            var statusFile = "/home/agent/agent.status";
+            var logFile = "/home/agent/agent.log";
+            var counter = 0;
+            while (true) {
+              if (!fs.existsSync(statusFile)) {
+                counter++;
+                if (counter > 30) {
+                  console.log("timed out");
+                  if (fs.existsSync(logFile)) {
+                    var content = fs.readFileSync(logFile, "utf-8");
+                    console.log(content);
+                  }
+                  break;
+                }
+                await sleep(300);
+              } // The file *does* exist
+              else {
+                // Read the file
+                var content = fs.readFileSync(statusFile, "utf-8");
+                console.log(content);
+                break;
+              }
+            }
+          });
+      }
+    );
+  } catch (error) {
+    core.setFailed(error.message);
+  }
+})();
+
+function sleep(ms) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}

tsconfig.json

@@ -0,0 +1,17 @@
+{
+    "compilerOptions": {
+      "esModuleInterop": true,
+      "moduleResolution": "node",
+      "outDir": "dist/",
+      "resolveJsonModule": true,
+      "rootDir": ".",
+      "sourceMap": true,
+      "target": "es2015"
+    },
+    "include": [
+      "src/**/*.ts"
+    ],
+    "exclude": [
+      "src/**/*.test.ts"
+    ]
+  }