
refactor: simplified cleanup and added checksum verification

This commit is contained in:
Jatin 2026-01-29 17:27:45 +05:30
commit 4dd31d13de
No known key found for this signature in database
GPG key ID: 0C17698EE30CA603
7 changed files with 297 additions and 282 deletions

225
dist/post/index.js vendored

@ -34666,115 +34666,11 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
}
switch (platform) {
case "darwin":
{
external_fs_.writeFileSync("/opt/step-security/post_event.json", JSON.stringify({ event: "post" }));
let macDone = "/opt/step-security/done.json";
let counter = 0;
while (true) {
if (!external_fs_.existsSync(macDone)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
yield sleep(1000);
} // The file *does* exist
else {
break;
}
}
let macAgenLog = "/opt/step-security/agent.log";
if (external_fs_.existsSync(macAgenLog)) {
console.log("macAgenLog:");
var content = external_fs_.readFileSync(macAgenLog, "utf-8");
console.log(content);
}
else {
console.log("😭 macos agent.log file not found");
}
// Capture system log stream for harden-runner subsystem
try {
console.log("\nSystem log stream for io.stepsecurity.harden-runner:");
const logStreamOutput = external_child_process_.execSync("log show --predicate 'subsystem == \"io.stepsecurity.harden-runner\"' --info --last 10m", {
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10,
timeout: 10000, // 30 second timeout
});
console.log(logStreamOutput);
}
catch (error) {
console.log("Warning: Could not fetch system log stream:", error.message);
}
}
yield handleDarwinCleanup();
break;
case "linux":
if (process.env.STATE_selfHosted === "true") {
return;
}
if (process.env.STATE_customVMImage === "true") {
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
if (String(process.env.STATE_monitorStatusCode) ===
STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (isGithubHosted() && external_fs_.existsSync("/home/agent/post_event.json")) {
console.log("Post step already executed, skipping");
return;
}
external_fs_.writeFileSync("/home/agent/post_event.json", JSON.stringify({ event: "post" }));
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!external_fs_.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
yield sleep(1000);
} // The file *does* exist
else {
break;
}
}
const log = "/home/agent/agent.log";
if (external_fs_.existsSync(log)) {
console.log("log:");
var content = external_fs_.readFileSync(log, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (external_fs_.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = external_fs_.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (external_fs_.existsSync(status)) {
console.log("status:");
var content = external_fs_.readFileSync(status, "utf-8");
console.log(content);
}
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try {
var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", {
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
});
console.log("agent.service log:");
console.log(journalLog);
}
catch (error) {
console.log("Warning: Could not fetch service logs:", error.message);
}
}
yield handleLinuxCleanup();
break;
}
try {
yield addSummary();
@ -34783,6 +34679,121 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(exception);
}
}))();
function handleDarwinCleanup() {
return cleanup_awaiter(this, void 0, void 0, function* () {
external_fs_.writeFileSync("/opt/step-security/post_event.json", JSON.stringify({ event: "post" }));
let macDone = "/opt/step-security/done.json";
let counter = 0;
while (true) {
if (!external_fs_.existsSync(macDone)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
yield sleep(1000);
}
else {
// The file *does* exist
break;
}
}
let macAgenLog = "/opt/step-security/agent.log";
if (external_fs_.existsSync(macAgenLog)) {
console.log("macAgenLog:");
var content = external_fs_.readFileSync(macAgenLog, "utf-8");
console.log(content);
}
else {
console.log("😭 macos agent.log file not found");
}
// Capture system log stream for harden-runner subsystem
try {
console.log("\nSystem log stream for io.stepsecurity.harden-runner:");
const logStreamOutput = external_child_process_.execSync("log show --predicate 'subsystem == \"io.stepsecurity.harden-runner\"' --info --last 10m", {
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10,
timeout: 10000, // 30 second timeout
});
console.log(logStreamOutput);
}
catch (error) {
console.log("Warning: Could not fetch system log stream:", error.message);
}
});
}
function handleLinuxCleanup() {
return cleanup_awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_selfHosted === "true") {
return;
}
if (process.env.STATE_customVMImage === "true") {
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
if (String(process.env.STATE_monitorStatusCode) ===
STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (isGithubHosted() && external_fs_.existsSync("/home/agent/post_event.json")) {
console.log("Post step already executed, skipping");
return;
}
external_fs_.writeFileSync("/home/agent/post_event.json", JSON.stringify({ event: "post" }));
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!external_fs_.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
yield sleep(1000);
}
else {
// The file *does* exist
break;
}
}
const log = "/home/agent/agent.log";
if (external_fs_.existsSync(log)) {
console.log("log:");
var content = external_fs_.readFileSync(log, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (external_fs_.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = external_fs_.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (external_fs_.existsSync(status)) {
console.log("status:");
var content = external_fs_.readFileSync(status, "utf-8");
console.log(content);
}
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try {
var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", {
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
});
console.log("agent.service log:");
console.log(journalLog);
}
catch (error) {
console.log("Warning: Could not fetch service logs:", error.message);
}
}
});
}
function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);


40
dist/pre/index.js vendored

@ -87997,30 +87997,31 @@ const CHECKSUMS = {
non_tls: {
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
},
darwin: "caaacc24bbf6a39ba7560e5e4701353c537883cb3ab9553359bd5caf5097246f", // v0.0.1
};
function verifyChecksum(downloadPath, isTLS, variant) {
function verifyChecksum(downloadPath, isTLS, variant, platform) {
const fileBuffer = external_fs_.readFileSync(downloadPath);
const checksum = external_crypto_.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
let expectedChecksum = "";
if (isTLS) {
expectedChecksum = CHECKSUMS["tls"][variant];
}
else {
expectedChecksum = CHECKSUMS["non_tls"][variant];
switch (platform) {
case "linux":
expectedChecksum = isTLS
? CHECKSUMS["tls"][variant]
: CHECKSUMS["non_tls"][variant];
break;
case "darwin":
expectedChecksum = CHECKSUMS["darwin"][variant];
break;
default:
throw new Error(`Unsupported platform: ${platform}`);
}
if (checksum !== expectedChecksum) {
lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
lib_core.setFailed(`❌ Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
return;
}
lib_core.debug("Checksum verification passed.");
}
function calculateSha256(filePath) {
const fileBuffer = external_fs_.readFileSync(filePath);
const checksum = external_crypto_.createHash("sha256")
.update(fileBuffer)
.digest("hex");
return checksum;
lib_core.info(`✅ Checksum verification passed. checksum=${checksum}`);
}
;// CONCATENATED MODULE: ./src/install-agent.ts
@ -88061,7 +88062,7 @@ function installAgent(isTLS, configStr) {
}
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.2/agent_0.14.2_linux_amd64.tar.gz", undefined, auth);
}
verifyChecksum(downloadPath, isTLS, variant);
verifyChecksum(downloadPath, isTLS, variant, process.platform);
const extractPath = yield tool_cache.extractTar(downloadPath);
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args);
@ -88098,10 +88099,9 @@ function installMacosAgent(confgStr) {
lib_core.info(`Downloading macOS installer.. : ${downloadUrl}`);
const downloadPath = yield tool_cache.downloadTool(downloadUrl);
lib_core.info(`✓ Successfully downloaded installer to: ${downloadPath}`);
// Calculate and print SHA256 checksum
lib_core.info("Calculating SHA256 checksum of downloaded tar file...");
const sha256sum = calculateSha256(downloadPath);
lib_core.info(`SHA256: ${sha256sum}`);
// Verify SHA256 checksum
lib_core.info("Verifying SHA256 checksum of downloaded tar file...");
verifyChecksum(downloadPath, false, "", "darwin");
// Extract installer package
lib_core.info("Extracting installer...");
const extractPath = yield tool_cache.extractTar(downloadPath);



@ -10,12 +10,14 @@ const CHECKSUMS = {
non_tls: {
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
},
darwin: "caaacc24bbf6a39ba7560e5e4701353c537883cb3ab9553359bd5caf5097246f", // v0.0.1
};
export function verifyChecksum(
downloadPath: string,
isTLS: boolean,
variant: string
variant: string,
platform: string
) {
const fileBuffer: Buffer = fs.readFileSync(downloadPath);
const checksum: string = crypto
@ -25,26 +27,25 @@ export function verifyChecksum(
let expectedChecksum: string = "";
if (isTLS) {
expectedChecksum = CHECKSUMS["tls"][variant];
} else {
expectedChecksum = CHECKSUMS["non_tls"][variant];
switch (platform) {
case "linux":
expectedChecksum = isTLS
? CHECKSUMS["tls"][variant]
: CHECKSUMS["non_tls"][variant];
break;
case "darwin":
expectedChecksum = CHECKSUMS["darwin"][variant];
break;
default:
throw new Error(`Unsupported platform: ${platform}`);
}
if (checksum !== expectedChecksum) {
core.setFailed(
`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
);
return;
}
core.debug("Checksum verification passed.");
}
export function calculateSha256(filePath: string): string {
const fileBuffer: Buffer = fs.readFileSync(filePath);
const checksum: string = crypto
.createHash("sha256")
.update(fileBuffer)
.digest("hex");
return checksum;
core.info(`✅ Checksum verification passed. checksum=${checksum}`);
}
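Review bot: `CHECKSUMS["darwin"]` is a plain string in the table above, so the new `case "darwin"` branch `expectedChecksum = CHECKSUMS["darwin"][variant];` indexes a string with the empty variant that installMacosAgent passes and yields `undefined`, which makes every macOS verification fail; it should be `expectedChecksum = CHECKSUMS["darwin"];`. A mismatch (and an unknown Linux variant, which also leaves `expectedChecksum` undefined) is then reported with `core.setFailed(...)` followed by a bare `return;`, which marks the step failed but lets the caller go on to extract and install the archive, so the check is not actually enforced; replace those two lines with `throw new Error(...)` carrying the same message and guard the missing-entry case as well, `if (!expectedChecksum || checksum !== expectedChecksum)`. The hashing lines between the two hunks are outside what is shown here.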


@ -8,9 +8,12 @@ import { context } from "@actions/github";
(async () => {
console.log("[harden-runner] post-step");
const customProperties = context?.payload?.repository?.custom_properties || {};
const customProperties =
context?.payload?.repository?.custom_properties || {};
if (customProperties["skip-harden-runner"] === "true") {
console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
console.log(
"Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'"
);
return;
}
@ -35,147 +38,12 @@ import { context } from "@actions/github";
switch (platform) {
case "darwin":
{
fs.writeFileSync(
"/opt/step-security/post_event.json",
JSON.stringify({ event: "post" })
);
let macDone = "/opt/step-security/done.json";
let counter = 0;
while (true) {
if (!fs.existsSync(macDone)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
await sleep(1000);
} // The file *does* exist
else {
break;
}
}
let macAgenLog = "/opt/step-security/agent.log";
if (fs.existsSync(macAgenLog)) {
console.log("macAgenLog:");
var content = fs.readFileSync(macAgenLog, "utf-8");
console.log(content);
} else {
console.log("😭 macos agent.log file not found");
}
// Capture system log stream for harden-runner subsystem
try {
console.log("\nSystem log stream for io.stepsecurity.harden-runner:");
const logStreamOutput = cp.execSync(
"log show --predicate 'subsystem == \"io.stepsecurity.harden-runner\"' --info --last 10m",
{
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
timeout: 10000, // 30 second timeout
}
);
console.log(logStreamOutput);
} catch (error) {
console.log(
"Warning: Could not fetch system log stream:",
error.message
);
}
}
await handleDarwinCleanup();
break;
case "linux":
if (process.env.STATE_selfHosted === "true") {
return;
}
if (process.env.STATE_customVMImage === "true") {
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
if (
String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE
) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (isGithubHosted() && fs.existsSync("/home/agent/post_event.json")) {
console.log("Post step already executed, skipping");
return;
}
fs.writeFileSync(
"/home/agent/post_event.json",
JSON.stringify({ event: "post" })
);
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!fs.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
await sleep(1000);
} // The file *does* exist
else {
break;
}
}
const log = "/home/agent/agent.log";
if (fs.existsSync(log)) {
console.log("log:");
var content = fs.readFileSync(log, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (fs.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = fs.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (fs.existsSync(status)) {
console.log("status:");
var content = fs.readFileSync(status, "utf-8");
console.log(content);
}
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers =
process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try {
var journalLog = cp.execSync(
"sudo journalctl -u agent.service --lines=1000",
{
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
}
);
console.log("agent.service log:");
console.log(journalLog);
} catch (error) {
console.log("Warning: Could not fetch service logs:", error.message);
}
}
await handleLinuxCleanup();
break;
}
try {
@ -185,6 +53,142 @@ import { context } from "@actions/github";
}
})();
async function handleDarwinCleanup() {
fs.writeFileSync(
"/opt/step-security/post_event.json",
JSON.stringify({ event: "post" })
);
let macDone = "/opt/step-security/done.json";
let counter = 0;
while (true) {
if (!fs.existsSync(macDone)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
await sleep(1000);
} else {
// The file *does* exist
break;
}
}
let macAgenLog = "/opt/step-security/agent.log";
if (fs.existsSync(macAgenLog)) {
console.log("macAgenLog:");
var content = fs.readFileSync(macAgenLog, "utf-8");
console.log(content);
} else {
console.log("😭 macos agent.log file not found");
}
// Capture system log stream for harden-runner subsystem
try {
console.log("\nSystem log stream for io.stepsecurity.harden-runner:");
const logStreamOutput = cp.execSync(
"log show --predicate 'subsystem == \"io.stepsecurity.harden-runner\"' --info --last 10m",
{
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
timeout: 10000, // 30 second timeout
}
);
console.log(logStreamOutput);
} catch (error) {
console.log("Warning: Could not fetch system log stream:", error.message);
}
}
async function handleLinuxCleanup() {
if (process.env.STATE_selfHosted === "true") {
return;
}
if (process.env.STATE_customVMImage === "true") {
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
if (
String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE
) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (isGithubHosted() && fs.existsSync("/home/agent/post_event.json")) {
console.log("Post step already executed, skipping");
return;
}
fs.writeFileSync(
"/home/agent/post_event.json",
JSON.stringify({ event: "post" })
);
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!fs.existsSync(doneFile)) {
counter++;
if (counter > 10) {
console.log("timed out");
break;
}
await sleep(1000);
} else {
// The file *does* exist
break;
}
}
const log = "/home/agent/agent.log";
if (fs.existsSync(log)) {
console.log("log:");
var content = fs.readFileSync(log, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (fs.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = fs.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (fs.existsSync(status)) {
console.log("status:");
var content = fs.readFileSync(status, "utf-8");
console.log(content);
}
var disable_sudo = process.env.STATE_disableSudo;
var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
try {
var journalLog = cp.execSync(
"sudo journalctl -u agent.service --lines=1000",
{
encoding: "utf8",
maxBuffer: 1024 * 1024 * 10, // 10MB buffer
}
);
console.log("agent.service log:");
console.log(journalLog);
} catch (error) {
console.log("Warning: Could not fetch service logs:", error.message);
}
}
}
function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
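Review bot: Moving the `case "linux"` body into `handleLinuxCleanup` changes what its early `return` statements do: before, they left the enclosing async IIFE, whereas now they only leave the helper, so the `try { await addSummary(); ... }` that follows the switch (its body runs past the hunk) now also executes on self-hosted runners, custom VM images, non-TLS arm64 runners, the harden-runner-unavailable case and the already-executed case, all of which the old code skipped. If that is not intended, let the helper report whether it ran, `async function handleLinuxCleanup(): Promise<boolean>` returning `false` at each early exit and `true` at the end, and call it as `if (!(await handleLinuxCleanup())) return;`. Separately, the `log show` invocation sets `timeout: 10000` while its comment reads `// 30 second timeout`; make the comment `// 10 second timeout` or the value 30000, whichever is meant. Each helper would also benefit from a one-line doc comment stating that it takes no arguments and reads everything from `process.env` and fixed agent paths, e.g. `/** Signals the agent to stop, waits up to ~10s for done.json, then prints its logs. */`.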


@ -3,7 +3,7 @@ import * as core from "@actions/core";
import * as cp from "child_process";
import * as path from "path";
import * as fs from "fs";
import { verifyChecksum, calculateSha256 } from "./checksum";
import { verifyChecksum } from "./checksum";
import { EOL } from "os";
import { ARM64_RUNNER_MESSAGE, chownForFolder } from "./common";
@ -41,7 +41,7 @@ export async function installAgent(
);
}
verifyChecksum(downloadPath, isTLS, variant);
verifyChecksum(downloadPath, isTLS, variant, process.platform);
const extractPath = await tc.extractTar(downloadPath);
@ -91,10 +91,9 @@ export async function installMacosAgent(confgStr: string): Promise<boolean> {
const downloadPath = await tc.downloadTool(downloadUrl);
core.info(`✓ Successfully downloaded installer to: ${downloadPath}`);
// Calculate and print SHA256 checksum
core.info("Calculating SHA256 checksum of downloaded tar file...");
const sha256sum = calculateSha256(downloadPath);
core.info(`SHA256: ${sha256sum}`);
// Verify SHA256 checksum
core.info("Verifying SHA256 checksum of downloaded tar file...");
verifyChecksum(downloadPath, false, "", "darwin");
// Extract installer package
core.info("Extracting installer...");
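Review bot: `installMacosAgent` proceeds straight to "Extracting installer..." after `verifyChecksum(downloadPath, false, "", "darwin")`, because verifyChecksum as changed in this commit reports a mismatch through `core.setFailed` and returns instead of throwing, so a tampered archive is still unpacked and installed after the step has been marked failed; the same applies to the Linux call just before `tc.extractTar(downloadPath)`. Since this function already returns `Promise<boolean>`, the verification should be able to abort it: have verifyChecksum throw on mismatch and wrap the call, `try { verifyChecksum(downloadPath, false, "", "darwin"); } catch (e) { core.setFailed(e instanceof Error ? e.message : String(e)); return false; }`. Passing an empty-string variant for darwin is also a smell given there is a single macOS artifact; a lookup that ignores variant for darwin, or a small `verifyDarwinChecksum(downloadPath)` wrapper, would read more honestly. Both install functions extend past the hunk.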