step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 15:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

reverted formatting

Browse source
This commit is contained in:
Jatin 2026-01-29 19:59:25 +05:30
commit 6ddaf38701
No known key found for this signature in database
GPG key ID: 0C17698EE30CA603
7 changed files with 17 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

2
dist/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

8
dist/pre/index.js vendored
View file

@ -88225,14 +88225,13 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
catch (err) {
lib_core.info(`[!] ${err}`);
// Only fail the job if ID token is not available
if (err.message &&
err.message.includes("Unable to get ACTIONS_ID_TOKEN_REQUEST")) {
if (err.message && err.message.includes('Unable to get ACTIONS_ID_TOKEN_REQUEST')) {
lib_core.setFailed('Policy store requires id-token write permission as it uses OIDC to fetch the policy from StepSecurity API. Please add "id-token: write" to your job permissions.');
}
else {
// Handle different HTTP status codes
if (err.statusCode >= 400 && err.statusCode < 500) {
lib_core.error("Policy not found");
lib_core.error('Policy not found');
}
else {
lib_core.error(`Unexpected error occurred: ${err}. Falling back to egress policy audit`);
@ -88339,8 +88338,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
}
return;
}
if (isGithubHosted() &&
process.env.STEP_SECURITY_HARDEN_RUNNER === "true") {
if (isGithubHosted() && process.env.STEP_SECURITY_HARDEN_RUNNER === "true") {
external_fs_.appendFileSync(process.env.GITHUB_STATE, `customVMImage=true${external_os_.EOL}`, {
encoding: "utf8",
});

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

7
src/cleanup.ts
View file

@ -8,12 +8,9 @@ import { context } from "@actions/github";
(async () => {
console.log("[harden-runner] post-step");
const customProperties =
context?.payload?.repository?.custom_properties || {};
const customProperties = context?.payload?.repository?.custom_properties || {};
if (customProperties["skip-harden-runner"] === "true") {
console.log(
"Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'"
);
console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
return;
}

6
src/common.ts
View file

@ -97,20 +97,16 @@ export async function addSummary() {
// Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
const [owner, repo] = process.env["GITHUB_REPOSITORY"]?.split("/") || [];
const run_id = process.env["GITHUB_RUN_ID"];
if (!owner || !repo || !run_id || !correlation_id) {
return;
}
// Fetch job summary from API
const apiUrl = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
try {
const response = await fetch(apiUrl);
if (!response.ok) {
console.error(
`Failed to fetch job summary: ${response.status} ${response.statusText}`
);
console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
return;
}

27
src/setup.ts
View file

@ -39,12 +39,9 @@ interface MonitorResponse {
try {
console.log("[harden-runner] pre-step");
const customProperties =
context?.payload?.repository?.custom_properties || {};
const customProperties = context?.payload?.repository?.custom_properties || {};
if (customProperties["skip-harden-runner"] === "true") {
console.log(
"Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'"
);
console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
return;
}
@ -101,17 +98,12 @@ interface MonitorResponse {
} catch (err) {
core.info(`[!] ${err}`);
// Only fail the job if ID token is not available
if (
err.message &&
err.message.includes("Unable to get ACTIONS_ID_TOKEN_REQUEST")
) {
core.setFailed(
'Policy store requires id-token write permission as it uses OIDC to fetch the policy from StepSecurity API. Please add "id-token: write" to your job permissions.'
);
if (err.message && err.message.includes('Unable to get ACTIONS_ID_TOKEN_REQUEST')) {
core.setFailed('Policy store requires id-token write permission as it uses OIDC to fetch the policy from StepSecurity API. Please add "id-token: write" to your job permissions.');
} else {
// Handle different HTTP status codes
if (err.statusCode >= 400 && err.statusCode < 500) {
core.error("Policy not found");
core.error('Policy not found');
} else {
core.error(
`Unexpected error occurred: ${err}. Falling back to egress policy audit`
@ -265,17 +257,12 @@ interface MonitorResponse {
return;
}
if (
isGithubHosted() &&
process.env.STEP_SECURITY_HARDEN_RUNNER === "true"
) {
if (isGithubHosted() && process.env.STEP_SECURITY_HARDEN_RUNNER === "true") {
fs.appendFileSync(process.env.GITHUB_STATE, `customVMImage=true${EOL}`, {
encoding: "utf8",
});
core.info(
"This job is running on a custom VM image with Harden Runner installed."
);
core.info("This job is running on a custom VM image with Harden Runner installed.");
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);