Update for isdocker

2026-06-05 19:05:14 +00:00 · 2024-10-17 20:48:25 -07:00 · 2024-10-17 20:48:25 -07:00 · 40401cf618
commit 40401cf618
parent 806ab1cccb
6 changed files with 108 additions and 20 deletions
--- a/dist/index.js
+++ b/dist/index.js
@ -2838,7 +2838,7 @@ var lib_core = __nccwpck_require__(186);
 var external_fs_ = __nccwpck_require__(747);
 ;// CONCATENATED MODULE: ./src/configs.ts
 const STEPSECURITY_ENV = "agent"; // agent or int
-const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
+const configs_STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
 const configs_STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";

 ;// CONCATENATED MODULE: ./src/common.ts
@ -3014,6 +3014,49 @@ function isDocker() {
 	return isDockerCached;
 }

+// EXTERNAL MODULE: ./node_modules/@actions/http-client/lib/index.js
+var lib = __nccwpck_require__(255);
+;// CONCATENATED MODULE: ./src/tls-inspect.ts
+var tls_inspect_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+function isTLSEnabled(owner) {
+    return tls_inspect_awaiter(this, void 0, void 0, function* () {
+        let tlsStatusEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/tls-inspection-status`;
+        let httpClient = new HttpClient();
+        httpClient.requestOptions = { socketTimeout: 3 * 1000 };
+        core.info(`[!] Checking TLS_STATUS: ${owner}`);
+        let isEnabled = false;
+        try {
+            let resp = yield httpClient.get(tlsStatusEndpoint);
+            if (resp.message.statusCode === 200) {
+                isEnabled = true;
+                core.info(`[!] TLS_ENABLED: ${owner}`);
+            }
+            else {
+                core.info(`[!] TLS_NOT_ENABLED: ${owner}`);
+            }
+        }
+        catch (e) {
+            core.info(`[!] Unable to check TLS_STATUS`);
+        }
+        return isEnabled;
+    });
+}
+function isGithubHosted() {
+    const runnerEnvironment = process.env.RUNNER_ENVIRONMENT || "";
+    return runnerEnvironment === "github-hosted";
+}
+
 ;// CONCATENATED MODULE: ./src/index.ts
 var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -3028,13 +3071,14 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu



+
 (() => src_awaiter(void 0, void 0, void 0, function* () {
    console.log("[harden-runner] main-step");
    if (process.platform !== "linux") {
        console.log(UBUNTU_MESSAGE);
        return;
    }
-    if (isDocker()) {
+    if (isGithubHosted() && isDocker()) {
        console.log(CONTAINER_MESSAGE);
        return;
    }
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/post/index.js
+++ b/dist/post/index.js
@ -139,7 +139,7 @@ const command_1 = __nccwpck_require__(351);
 const file_command_1 = __nccwpck_require__(717);
 const utils_1 = __nccwpck_require__(278);
 const os = __importStar(__nccwpck_require__(87));
-const path = __importStar(__nccwpck_require__(277));
+const path = __importStar(__nccwpck_require__(622));
 const oidc_utils_1 = __nccwpck_require__(41);
 /**
 * The code to exit an action
@ -618,7 +618,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.toPlatformPath = exports.toWin32Path = exports.toPosixPath = void 0;
-const path = __importStar(__nccwpck_require__(277));
+const path = __importStar(__nccwpck_require__(622));
 /**
 * toPosixPath converts the given path to the posix form. On Windows, \\ will be
 * replaced with /.
@ -2752,7 +2752,7 @@ module.exports = require("os");

 /***/ }),

-/***/ 277:
+/***/ 622:
 /***/ ((module) => {

 "use strict";
@ -2837,10 +2837,10 @@ var external_fs_ = __nccwpck_require__(747);
 ;// CONCATENATED MODULE: external "child_process"
 const external_child_process_namespaceObject = require("child_process");
 // EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
-var core = __nccwpck_require__(186);
+var lib_core = __nccwpck_require__(186);
 ;// CONCATENATED MODULE: ./src/configs.ts
 const STEPSECURITY_ENV = "agent"; // agent or int
-const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
+const configs_STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
 const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";

 ;// CONCATENATED MODULE: ./src/common.ts
@ -2905,9 +2905,9 @@ function addSummary() {
            //console.error(err);
        }
        if (needsSubscription) {
-            yield core.summary.addSeparator()
+            yield lib_core.summary.addSeparator()
                .addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
-            yield core.summary.addRaw(`
+            yield lib_core.summary.addRaw(`
 <p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
 <p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
 `)
@ -2925,7 +2925,7 @@ function addSummary() {
            return;
        }
        const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
-        yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
+        yield lib_core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
        tableEntries.sort((a, b) => {
            if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
                return -1;
@ -2938,7 +2938,7 @@ function addSummary() {
            }
        });
        tableEntries = tableEntries.slice(0, 3);
-        yield core.summary.addRaw(`
+        yield lib_core.summary.addRaw(`
  <blockquote>
  <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
  <h3>Network Calls</h3>
@ -2967,7 +2967,7 @@ function addSummary() {
  </table>
  ${insightsRow}
 `);
-        yield core.summary.addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
+        yield lib_core.summary.addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
            .addSeparator()
            .write();
    });
@ -3014,7 +3014,7 @@ function isDocker() {
 }

 // EXTERNAL MODULE: external "path"
-var external_path_ = __nccwpck_require__(277);
+var external_path_ = __nccwpck_require__(622);
 ;// CONCATENATED MODULE: ./src/arc-runner.ts


@ -3063,6 +3063,49 @@ function echo(content) {
    cp.execFileSync("echo", [content]);
 }

+// EXTERNAL MODULE: ./node_modules/@actions/http-client/lib/index.js
+var lib = __nccwpck_require__(255);
+;// CONCATENATED MODULE: ./src/tls-inspect.ts
+var tls_inspect_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+
+
+
+function isTLSEnabled(owner) {
+    return tls_inspect_awaiter(this, void 0, void 0, function* () {
+        let tlsStatusEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/tls-inspection-status`;
+        let httpClient = new HttpClient();
+        httpClient.requestOptions = { socketTimeout: 3 * 1000 };
+        core.info(`[!] Checking TLS_STATUS: ${owner}`);
+        let isEnabled = false;
+        try {
+            let resp = yield httpClient.get(tlsStatusEndpoint);
+            if (resp.message.statusCode === 200) {
+                isEnabled = true;
+                core.info(`[!] TLS_ENABLED: ${owner}`);
+            }
+            else {
+                core.info(`[!] TLS_NOT_ENABLED: ${owner}`);
+            }
+        }
+        catch (e) {
+            core.info(`[!] Unable to check TLS_STATUS`);
+        }
+        return isEnabled;
+    });
+}
+function isGithubHosted() {
+    const runnerEnvironment = process.env.RUNNER_ENVIRONMENT || "";
+    return runnerEnvironment === "github-hosted";
+}
+
 ;// CONCATENATED MODULE: ./src/cleanup.ts
 var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -3078,13 +3121,14 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _



+
 (() => cleanup_awaiter(void 0, void 0, void 0, function* () {
    console.log("[harden-runner] post-step");
    if (process.platform !== "linux") {
        console.log(UBUNTU_MESSAGE);
        return;
    }
-    if (isDocker()) {
+    if (isGithubHosted() && isDocker()) {
        console.log(CONTAINER_MESSAGE);
        return;
    }
--- a/dist/post/index.js.map
+++ b/dist/post/index.js.map
--- a/src/cleanup.ts
+++ b/src/cleanup.ts
@ -3,7 +3,7 @@ import * as cp from "child_process";
 import * as common from "./common";
 import isDocker from "is-docker";
 import { isArcRunner } from "./arc-runner";
-
+import { isGithubHosted } from "./tls-inspect";
 (async () => {
  console.log("[harden-runner] post-step");

@ -11,7 +11,7 @@ import { isArcRunner } from "./arc-runner";
    console.log(common.UBUNTU_MESSAGE);
    return;
  }
-  if (isDocker()) {
+  if (isGithubHosted() && isDocker()) {
    console.log(common.CONTAINER_MESSAGE);
    return;
  }
--- a/src/index.ts
+++ b/src/index.ts
@ -2,7 +2,7 @@ import * as common from "./common";
 import * as core from "@actions/core";
 import isDocker from "is-docker";
 import { STEPSECURITY_WEB_URL } from "./configs";
-
+import { isGithubHosted } from "./tls-inspect";
 (async () => {
  console.log("[harden-runner] main-step");

@ -10,7 +10,7 @@ import { STEPSECURITY_WEB_URL } from "./configs";
    console.log(common.UBUNTU_MESSAGE);
    return;
  }
-  if (isDocker()) {
+  if (isGithubHosted() && isDocker()) {
    console.log(common.CONTAINER_MESSAGE);
    return;
  }