Merge pull request #440 from step-security/rc-11

v2.9.1
2026-06-05 21:17:06 +00:00 · 2024-08-05 15:25:32 -07:00 · 2024-08-05 15:25:32 -07:00 · 5c7944e73c
commit 5c7944e73c
parent f0db2aa8a5 c79be451ee
11 changed files with 47 additions and 16 deletions
--- a/dist/index.js
+++ b/dist/index.js
@ -2866,8 +2866,13 @@ const processLogLine = (line, tableEntries) => {
        const matches = line.match(/ip address:port ([\d.:]+), domain: ([\w.-]+), pid: (\d+), process: (\w+)/);
        if (matches) {
            const [ipAddress, domain, pid, process] = matches.slice(1);
-            // Check if all values are non-empty
-            if (pid && process && domain && ipAddress) {
+            // Check if all values are non-empty and domain does not end with specified patterns
+            if (pid &&
+                process &&
+                domain &&
+                ipAddress &&
+                !domain.endsWith(".actions.githubusercontent.com.") &&
+                !domain.endsWith(".blob.core.windows.net.")) {
                const status = ipAddress.startsWith("54.185.253.63")
                    ? "❌ Blocked"
                    : "✅ Allowed";
@ -3023,6 +3028,7 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu


 (() => src_awaiter(void 0, void 0, void 0, function* () {
+    console.log("[harden-runner] main-step");
    if (process.platform !== "linux") {
        console.log(UBUNTU_MESSAGE);
        return;
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/post/index.js
+++ b/dist/post/index.js
@ -2868,8 +2868,13 @@ const processLogLine = (line, tableEntries) => {
        const matches = line.match(/ip address:port ([\d.:]+), domain: ([\w.-]+), pid: (\d+), process: (\w+)/);
        if (matches) {
            const [ipAddress, domain, pid, process] = matches.slice(1);
-            // Check if all values are non-empty
-            if (pid && process && domain && ipAddress) {
+            // Check if all values are non-empty and domain does not end with specified patterns
+            if (pid &&
+                process &&
+                domain &&
+                ipAddress &&
+                !domain.endsWith(".actions.githubusercontent.com.") &&
+                !domain.endsWith(".blob.core.windows.net.")) {
                const status = ipAddress.startsWith("54.185.253.63")
                    ? "❌ Blocked"
                    : "✅ Allowed";
@ -3071,6 +3076,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _


 (() => cleanup_awaiter(void 0, void 0, void 0, function* () {
+    console.log("[harden-runner] post-step");
    if (process.platform !== "linux") {
        console.log(UBUNTU_MESSAGE);
        return;
--- a/dist/post/index.js.map
+++ b/dist/post/index.js.map
--- a/dist/pre/index.js
+++ b/dist/pre/index.js
@ -71276,8 +71276,13 @@ const processLogLine = (line, tableEntries) => {
        const matches = line.match(/ip address:port ([\d.:]+), domain: ([\w.-]+), pid: (\d+), process: (\w+)/);
        if (matches) {
            const [ipAddress, domain, pid, process] = matches.slice(1);
-            // Check if all values are non-empty
-            if (pid && process && domain && ipAddress) {
+            // Check if all values are non-empty and domain does not end with specified patterns
+            if (pid &&
+                process &&
+                domain &&
+                ipAddress &&
+                !domain.endsWith(".actions.githubusercontent.com.") &&
+                !domain.endsWith(".blob.core.windows.net.")) {
                const status = ipAddress.startsWith("54.185.253.63")
                    ? "❌ Blocked"
                    : "✅ Allowed";
@ -71401,7 +71406,7 @@ function verifyChecksum(downloadPath, is_tls) {
    let expectedChecksum = "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a"; // checksum for v0.13.7
    if (is_tls) {
        expectedChecksum =
-            "e45b85e29216eb1d217aad368bdb056bbd868a308925e7b2cf9133b06ab435d0"; // checksum for tls_agent
+            "fa9defcf9e125a62cb29747574d6a07aee4f04153e7bce4a3c7ce29681469e92"; // checksum for tls_agent
    }
    if (checksum !== expectedChecksum) {
        lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
@ -71657,6 +71662,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
 (() => setup_awaiter(void 0, void 0, void 0, function* () {
    var _a, _b;
    try {
+        console.log("[harden-runner] pre-step");
        if (process.platform !== "linux") {
            console.log(UBUNTU_MESSAGE);
            return;
@ -71814,7 +71820,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
        let auth = `token ${token}`;
        let downloadPath;
        if (yield isTLSEnabled(github.context.repo.owner)) {
-            downloadPath = yield tool_cache.downloadTool("https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.2_linux_amd64.tar.gz");
+            downloadPath = yield tool_cache.downloadTool("https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.3_linux_amd64.tar.gz");
            verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
        }
        else {
--- a/dist/pre/index.js.map
+++ b/dist/pre/index.js.map
--- a/src/checksum.ts
+++ b/src/checksum.ts
@ -14,7 +14,7 @@ export function verifyChecksum(downloadPath: string, is_tls: boolean) {

  if (is_tls) {
    expectedChecksum =
-      "e45b85e29216eb1d217aad368bdb056bbd868a308925e7b2cf9133b06ab435d0"; // checksum for tls_agent
+      "fa9defcf9e125a62cb29747574d6a07aee4f04153e7bce4a3c7ce29681469e92"; // checksum for tls_agent
  }

  if (checksum !== expectedChecksum) {
--- a/src/cleanup.ts
+++ b/src/cleanup.ts
@ -5,6 +5,8 @@ import isDocker from "is-docker";
 import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";

 (async () => {
+  console.log("[harden-runner] post-step");
+
  if (process.platform !== "linux") {
    console.log(common.UBUNTU_MESSAGE);
    return;
--- a/src/common.ts
+++ b/src/common.ts
@ -35,8 +35,15 @@ export const processLogLine = (
    if (matches) {
      const [ipAddress, domain, pid, process] = matches.slice(1);

-      // Check if all values are non-empty
-      if (pid && process && domain && ipAddress) {
+      // Check if all values are non-empty and domain does not end with specified patterns
+      if (
+        pid &&
+        process &&
+        domain &&
+        ipAddress &&
+        !domain.endsWith(".actions.githubusercontent.com.") &&
+        !domain.endsWith(".blob.core.windows.net.")
+      ) {
        const status = ipAddress.startsWith("54.185.253.63")
          ? "❌ Blocked"
          : "✅ Allowed";
@ -173,4 +180,4 @@ export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
  "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";

 export const ARC_RUNNER_MESSAGE =
-  "Workflow is currently being executed in ARC based runner";
+  "Workflow is currently being executed in ARC based runner";
--- a/src/index.ts
+++ b/src/index.ts
@ -4,6 +4,8 @@ import isDocker from "is-docker";
 import { STEPSECURITY_WEB_URL } from "./configs";

 (async () => {
+  console.log("[harden-runner] main-step");
+
  if (process.platform !== "linux") {
    console.log(common.UBUNTU_MESSAGE);
    return;
--- a/src/setup.ts
+++ b/src/setup.ts
@ -34,6 +34,8 @@ interface MonitorResponse {

 (async () => {
  try {
+    console.log("[harden-runner] pre-step");
+
    if (process.platform !== "linux") {
      console.log(common.UBUNTU_MESSAGE);
      return;
@ -234,7 +236,7 @@ interface MonitorResponse {

    if (await isTLSEnabled(context.repo.owner)) {
      downloadPath = await tc.downloadTool(
-        "https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.2_linux_amd64.tar.gz"
+        "https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.3_linux_amd64.tar.gz"
      );
      verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
    } else {