step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 17:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add code for GH action

Browse source
This commit is contained in:
Varun Sharma 2021-10-28 10:16:48 -07:00
commit 3dafee179b
19 changed files with 16350 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.gitignore vendored
View file

@ -80,7 +80,7 @@ typings/
# Nuxt.js build / generate output # Nuxt.js build / generate output
.nuxt .nuxt
dist #dist
# Gatsby files # Gatsby files
.cache/ .cache/
@ -101,4 +101,4 @@ dist
.dynamodb/ .dynamodb/
# TernJS port file # TernJS port file
.tern-port .tern-port

2
README.md
View file

@ -1,2 +1,4 @@
# audit-workflow # audit-workflow
GitHub Actions Runtime Security GitHub Actions Runtime Security
Work in progress...

7
action.yml Normal file
View file

@ -0,0 +1,7 @@
name: 'Step Security Audit Workflow'
description: 'GitHub Actions Runtime Security'
runs:
using: 'node12'
pre: 'dist/pre/index.js'
main: 'dist/index.js'
post: 'dist/post/index.js'

43
dist/index.js vendored Normal file
View file

@ -0,0 +1,43 @@
require('./sourcemap-register.js');/******/ (() => { // webpackBootstrap
/******/ var __webpack_modules__ = ({
/***/ 144:
/***/ (function() {
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
(() => __awaiter(this, void 0, void 0, function* () {
if (process.platform !== "linux") {
console.log("Only runs on linux");
return;
}
}))();
/***/ })
/******/ });
/************************************************************************/
/******/ /* webpack/runtime/compat */
/******/
/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";
/******/
/************************************************************************/
/******/
/******/ // startup
/******/ // Load entry module and return exports
/******/ // This entry module is referenced by other modules so it can't be inlined
/******/ var __webpack_exports__ = {};
/******/ __webpack_modules__[144]();
/******/ module.exports = __webpack_exports__;
/******/
/******/ })()
;
//# sourceMappingURL=index.js.map

1
dist/index.js.map vendored Normal file
View file

@ -0,0 +1 @@
{"version":3,"file":"index.js","sources":["../webpack://step-security-audit-workflow/./src/index.ts","../webpack://step-security-audit-workflow/webpack/runtime/compat","../webpack://step-security-audit-workflow/webpack/startup"],"sourcesContent":["(async () => {\n if (process.platform !== \"linux\") {\n console.log(\"Only runs on linux\");\n return;\n }\n})();\n","\nif (typeof __webpack_require__ !== 'undefined') __webpack_require__.ab = __dirname + \"/\";","// startup\n// Load entry module and return exports\n// This entry module is referenced by other modules so it can't be inlined\nvar __webpack_exports__ = {};\n__webpack_modules__[144]();\n"],"mappings":";;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;;;A;;;;;ACLA;AACA;;;;ACDA;AACA;AACA;AACA;AACA;;;;A","sourceRoot":""}

81
dist/post/index.js vendored Normal file
View file

@ -0,0 +1,81 @@
require('./sourcemap-register.js');/******/ (() => { // webpackBootstrap
/******/ "use strict";
/******/ // The require scope
/******/ var __nccwpck_require__ = {};
/******/
/************************************************************************/
/******/ /* webpack/runtime/make namespace object */
/******/ (() => {
/******/ // define __esModule on exports
/******/ __nccwpck_require__.r = (exports) => {
/******/ if(typeof Symbol !== 'undefined' && Symbol.toStringTag) {
/******/ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
/******/ }
/******/ Object.defineProperty(exports, '__esModule', { value: true });
/******/ };
/******/ })();
/******/
/******/ /* webpack/runtime/compat */
/******/
/******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";
/******/
/************************************************************************/
var __webpack_exports__ = {};
// ESM COMPAT FLAG
__nccwpck_require__.r(__webpack_exports__);
;// CONCATENATED MODULE: external "fs"
const external_fs_namespaceObject = require("fs");
;// CONCATENATED MODULE: ./src/cleanup.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
(() => __awaiter(void 0, void 0, void 0, function* () {
if (process.platform !== "linux") {
console.log("Only runs on linux");
return;
}
external_fs_namespaceObject.writeFileSync("/home/agent/post_event.json", JSON.stringify({ event: "post" }));
var doneFile = "/home/agent/done.json";
var counter = 0;
while (true) {
if (!external_fs_namespaceObject.existsSync(doneFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
break;
}
yield sleep(1000);
} // The file *does* exist
else {
break;
}
}
var log = "/home/agent/agent.log";
console.log("log:");
var content = external_fs_namespaceObject.readFileSync(log, "utf-8");
console.log(content);
var status = "/home/agent/agent.status";
if (external_fs_namespaceObject.existsSync(status)) {
console.log("status:");
var content = external_fs_namespaceObject.readFileSync(status, "utf-8");
console.log(content);
}
}))();
function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});
}
module.exports = __webpack_exports__;
/******/ })()
;
//# sourceMappingURL=index.js.map

1
dist/post/index.js.map vendored Normal file
View file

@ -0,0 +1 @@
{"version":3,"file":"index.js","sources":["../webpack://step-security-audit-workflow/webpack/bootstrap","../webpack://step-security-audit-workflow/webpack/runtime/make namespace object","../webpack://step-security-audit-workflow/webpack/runtime/compat","../webpack://step-security-audit-workflow/external \"fs\"","../webpack://step-security-audit-workflow/./src/cleanup.ts"],"sourcesContent":["// The require scope\nvar __webpack_require__ = {};\n\n","// define __esModule on exports\n__webpack_require__.r = (exports) => {\n\tif(typeof Symbol !== 'undefined' && Symbol.toStringTag) {\n\t\tObject.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });\n\t}\n\tObject.defineProperty(exports, '__esModule', { value: true });\n};","\nif (typeof __webpack_require__ !== 'undefined') __webpack_require__.ab = __dirname + \"/\";","const __WEBPACK_NAMESPACE_OBJECT__ = require(\"fs\");","import * as fs from \"fs\";\n\n(async () => {\n if (process.platform !== \"linux\") {\n console.log(\"Only runs on linux\");\n return;\n }\n\n fs.writeFileSync(\n \"/home/agent/post_event.json\",\n JSON.stringify({ event: \"post\" })\n );\n\n var doneFile = \"/home/agent/done.json\";\n var counter = 0;\n while (true) {\n if (!fs.existsSync(doneFile)) {\n counter++;\n if (counter > 30) {\n console.log(\"timed out\");\n\n break;\n }\n await sleep(1000);\n } // The file *does* exist\n else {\n break;\n }\n }\n\n var log = \"/home/agent/agent.log\";\n console.log(\"log:\");\n var content = fs.readFileSync(log, \"utf-8\");\n console.log(content);\n var status = \"/home/agent/agent.status\";\n if (fs.existsSync(status)) {\n console.log(\"status:\");\n var content = fs.readFileSync(status, \"utf-8\");\n console.log(content);\n }\n})();\n\nfunction sleep(ms) {\n return new Promise((resolve) => {\n setTimeout(resolve, ms);\n });\n}\n"],"mappings":";;AAAA;AACA;AACA;;;;ACFA;AACA;AACA;AACA;AACA;AACA;AACA;;;;ACNA;AACA;;;;;;;;ACDA;;;;;;;;;;;ACAA;AAEA;AACA;AACA;AACA;AACA;AAEA;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;;;;A","sourceRoot":""}

1
dist/post/sourcemap-register.js vendored Normal file
View file

File diff suppressed because one or more lines are too long

15
dist/pre/agent.service vendored Normal file
View file

@ -0,0 +1,15 @@
[Unit]
Description=Agent
After=network.target
[Service]
Type=simple
ExecStart=/home/agent/agent
WorkingDirectory=/home/agent
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=agentservice
AmbientCapabilities=CAP_NET_BIND_SERVICE, CAP_NET_ADMIN
[Install]
WantedBy=multi-user.target

2465
dist/pre/index.js vendored Normal file
View file

File diff suppressed because it is too large Load diff

1
dist/pre/index.js.map vendored Normal file
View file

File diff suppressed because one or more lines are too long

1
dist/pre/sourcemap-register.js vendored Normal file
View file

File diff suppressed because one or more lines are too long

1
dist/sourcemap-register.js vendored Normal file
View file

File diff suppressed because one or more lines are too long

13525
package-lock.json generated Normal file
View file

File diff suppressed because it is too large Load diff

44
package.json Normal file
View file

@ -0,0 +1,44 @@
{
"name": "step-security-audit-workflow",
"version": "0.0.1",
"description": "GitHub Actions Runtime Security",
"main": "index.js",
"scripts": {
"build": "npm run main && npm run pre && npm run post",
"main": "ncc build src/index.ts --source-map",
"pre": "ncc build src/setup.ts --source-map -o dist/pre",
"post": "ncc build src/cleanup.ts --source-map -o dist/post",
"lint": "eslint src/**/*.ts"
},
"repository": {
"type": "git",
"url": "git+https://github.com/step-security/audit-workflow.git"
},
"keywords": [],
"author": "Varun Sharma",
"license": "Apache License 2.0",
"bugs": {
"url": "https://github.com/step-security/audit-workflow/issues"
},
"homepage": "https://github.com/step-security/audit-workflow#readme",
"dependencies": {
"@actions/core": "^1.5.0",
"@actions/exec": "^1.1.0",
"@actions/github": "^5.0.0",
"node-fetch": "^2.6.1",
"uuid": "^8.3.2"
},
"devDependencies": {
"@types/jest": "^27.0.1",
"@types/node": "^16.9.0",
"@typescript-eslint/eslint-plugin": "^4.29.2",
"@typescript-eslint/parser": "^4.29.2",
"@vercel/ncc": "^0.30.0",
"eslint": "^7.32.0",
"eslint-config-google": "^0.14.0",
"jest": "^26.6.3",
"jest-junit": "^12.2.0",
"ts-jest": "^26.5.6",
"typescript": "^4.3.5"
}
}

47
src/cleanup.ts Normal file
View file

@ -0,0 +1,47 @@
import * as fs from "fs";
(async () => {
if (process.platform !== "linux") {
console.log("Only runs on linux");
return;
}
fs.writeFileSync(
"/home/agent/post_event.json",
JSON.stringify({ event: "post" })
);
var doneFile = "/home/agent/done.json";
var counter = 0;
while (true) {
if (!fs.existsSync(doneFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
break;
}
await sleep(1000);
} // The file *does* exist
else {
break;
}
}
var log = "/home/agent/agent.log";
console.log("log:");
var content = fs.readFileSync(log, "utf-8");
console.log(content);
var status = "/home/agent/agent.status";
if (fs.existsSync(status)) {
console.log("status:");
var content = fs.readFileSync(status, "utf-8");
console.log(content);
}
})();
function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});
}

6
src/index.ts Normal file
View file

@ -0,0 +1,6 @@
(async () => {
if (process.platform !== "linux") {
console.log("Only runs on linux");
return;
}
})();

90
src/setup.ts Normal file
View file

@ -0,0 +1,90 @@
import * as core from "@actions/core";
import { context } from "@actions/github/lib/utils";
import * as cp from "child_process";
import * as fs from "fs";
import * as https from "https";
import * as path from "path";
import { v4 as uuidv4 } from "uuid";
(async () => {
try {
if (process.platform !== "linux") {
console.log("Only runs on linux");
return;
}
var correlation_id = uuidv4();
var env = "beta";
var api_url = `https://${env}.api.stepsecurity.io/v1`;
const confg = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
correlation_id: correlation_id,
working_directory: process.env["GITHUB_WORKSPACE"],
api_url: api_url,
};
const confgStr = JSON.stringify(confg);
cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent");
const filename = path.join(__dirname, "agent");
https.get(
`https://step-security-agent.s3.us-west-2.amazonaws.com/refs/heads/${env}/agent`,
(res) => {
const filePath = fs.createWriteStream(filename);
res.pipe(filePath);
filePath
.on("error", (err) => {})
.on("finish", async () => {
filePath.close();
core.notice(correlation_id, { title: "1234" });
cp.execSync(`cp ${__dirname}/agent /home/agent/agent`);
cp.execSync("chmod +x /home/agent/agent");
fs.writeFileSync("/home/agent/agent.json", confgStr);
cp.execSync(
`sudo cp ${__dirname}/agent.service /etc/systemd/system/agent.service`
);
cp.execSync("sudo systemctl daemon-reload");
cp.execSync("sudo service agent start", { timeout: 15000 });
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!fs.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (fs.existsSync(logFile)) {
var content = fs.readFileSync(logFile, "utf-8");
console.log(content);
}
break;
}
await sleep(300);
} // The file *does* exist
else {
// Read the file
var content = fs.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
}
});
}
);
} catch (error) {
core.setFailed(error.message);
}
})();
function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});
}

17
tsconfig.json Normal file
View file

@ -0,0 +1,17 @@
{
"compilerOptions": {
"esModuleInterop": true,
"moduleResolution": "node",
"outDir": "dist/",
"resolveJsonModule": true,
"rootDir": ".",
"sourceMap": true,
"target": "es2015"
},
"include": [
"src/**/*.ts"
],
"exclude": [
"src/**/*.test.ts"
]
}