Code refactor

Bump version, agent version

action.yml

@@ -1,26 +1,26 @@
-name: 'Harden Runner'
-description: 'GitHub Actions Runtime Security'
+name: "Harden Runner"
+description: "GitHub Actions Runtime Security"
 inputs:
   allowed-endpoints:
-    description: 'Only these endpoints will be allowed if egress-policy is set to block'
+    description: "Only these endpoints will be allowed if egress-policy is set to block"
     required: false
-    default: ''
+    default: ""
   egress-policy:
-    description: 'Policy for outbound traffic, can be either audit or block'
+    description: "Policy for outbound traffic, can be either audit or block"
     required: false
-    default: 'block'
+    default: "block"
   token:
-    description: 'Used to avoid github rate limiting'
+    description: "Used to avoid github rate limiting"
     default: ${{ github.token }}
   disable-telemetry:
-    description: 'Disable sending insights to StepSecurity API, can be set to true or false'
+    description: "Disable sending telemetry to StepSecurity API, can be set to true or false. This can only be set to true when egress-policy is set to block"
     required: false
-    default: 'false'
+    default: "false"
 branding:
-  icon: 'check-square'  
-  color: 'green'
+  icon: "check-square"
+  color: "green"
 runs:
-  using: 'node16'
-  pre: 'dist/pre/index.js'
-  main: 'dist/index.js'
-  post: 'dist/post/index.js'
+  using: "node16"
+  pre: "dist/pre/index.js"
+  main: "dist/index.js"
+  post: "dist/post/index.js"

dist/index.js

@@ -1716,8 +1716,9 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
         console.log("Only runs on linux");
         return;
     }
-    if (core.getBooleanInput("disable-telemetry") === true && core.getInput("egress-policy") === "block") {
-        core.warning("Insights will not be sent to StepSecurity API as disable-telemetry is set to true");
+    if (core.getBooleanInput("disable-telemetry") &&
+        core.getInput("egress-policy") === "block") {
+        console.log("Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true");
     }
     else {
         var web_url = "https://app.stepsecurity.io";

dist/pre/agent.service

@@ -12,4 +12,4 @@ SyslogIdentifier=agentservice
 AmbientCapabilities=CAP_NET_BIND_SERVICE, CAP_NET_ADMIN
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

dist/pre/index.js

@@ -6269,8 +6269,10 @@ var external_crypto_ = __nccwpck_require__(6417);
 
 function verifyChecksum(downloadPath) {
     const fileBuffer = external_fs_.readFileSync(downloadPath);
-    const checksum = external_crypto_.createHash("sha256").update(fileBuffer).digest('hex'); // checksum of downloaded file
-    const expectedChecksum = "a5f466fc5c8a9b809afd421e0f32903da98908feab5a245c734d3775e2e10032"; // default checksum
+    const checksum = external_crypto_.createHash("sha256")
+        .update(fileBuffer)
+        .digest("hex"); // checksum of downloaded file
+    const expectedChecksum = "28427e325c00f49e391af0899f49fe34e73b36b113a9f095660b73da88c43280"; // checksum for v0.9.0
     if (checksum !== expectedChecksum) {
         core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
     }
@@ -6306,16 +6308,6 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
         var env = "agent";
         var api_url = `https://${env}.api.stepsecurity.io/v1`;
         var web_url = "https://app.stepsecurity.io";
-        let token = core.getInput('token');
-        let auth = `token ${token}`;
-        let _http = new http_client.HttpClient();
-        _http.requestOptions = { socketTimeout: 3 * 1000 };
-        try {
-            yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
-        }
-        catch (e) {
-            console.log(`error in connecting to ${api_url}: ${e}`);
-        }
         const confg = {
             repo: process.env["GITHUB_REPOSITORY"],
             run_id: process.env["GITHUB_RUN_ID"],
@@ -6335,22 +6327,29 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
         if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
             core.setFailed("disable-telemetry must be a boolean value");
         }
+        if (!confg.disable_telemetry) {
+            let _http = new http_client.HttpClient();
+            _http.requestOptions = { socketTimeout: 3 * 1000 };
+            try {
+                yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
+            }
+            catch (e) {
+                console.log(`error in connecting to ${api_url}: ${e}`);
+            }
+        }
         const confgStr = JSON.stringify(confg);
         external_child_process_.execSync("sudo mkdir -p /home/agent");
         external_child_process_.execSync("sudo chown -R $USER /home/agent");
         // Note: to avoid github rate limiting
-        const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.8.6/agent_0.8.6_linux_amd64.tar.gz", undefined, auth);
+        let token = core.getInput("token");
+        let auth = `token ${token}`;
+        const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.9.0/agent_0.9.0_linux_amd64.tar.gz", undefined, auth);
         verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
         const extractPath = yield tool_cache.extractTar(downloadPath);
         console.log(`Step Security Job Correlation ID: ${correlation_id}`);
-        if (confg.disable_telemetry === false) {
+        if (!confg.disable_telemetry || confg.egress_policy === "audit") {
             printInfo(web_url);
         }
-        else {
-            if (confg.egress_policy === "audit") {
-                printInfo(web_url);
-            }
-        }
         let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
         external_child_process_.execFileSync(cmd, args);
         external_child_process_.execSync("chmod +x /home/agent/agent");

package.json

@@ -1,47 +1,47 @@
 {
-    "name": "step-security-harden-runner",
-    "version": "1.1.0",
-    "description": "GitHub Actions Runtime Security",
-    "main": "index.js",
-    "scripts": {
-        "build": "npm run main && npm run pre && npm run post",
-        "main": "ncc build src/index.ts --source-map",
-        "pre": "ncc build src/setup.ts --source-map -o dist/pre",
-        "post": "ncc build src/cleanup.ts --source-map -o dist/post",
-        "lint": "eslint src/**/*.ts"
-    },
-    "repository": {
-        "type": "git",
-        "url": "git+https://github.com/step-security/harden-runner.git"
-    },
-    "keywords": [],
-    "author": "Varun Sharma",
-    "license": "Apache License 2.0",
-    "bugs": {
-        "url": "https://github.com/step-security/harden-runner/issues"
-    },
-    "homepage": "https://github.com/step-security/harden-runner#readme",
-    "dependencies": {
-        "@actions/core": "^1.5.0",
-        "@actions/exec": "^1.1.0",
-        "@actions/github": "^5.0.0",
-        "@actions/http-client": "^1.0.11",
-        "@actions/tool-cache": "^1.7.1",
-        "node-fetch": ">=3.2.0",
-        "uuid": "^8.3.2",
-        "ansi-regex": ">=5.0.1"
-    },
-    "devDependencies": {
-        "@types/jest": "^27.0.1",
-        "@types/node": "^16.9.0",
-        "@typescript-eslint/eslint-plugin": "^4.29.2",
-        "@typescript-eslint/parser": "^4.29.2",
-        "@vercel/ncc": "^0.30.0",
-        "eslint": "^7.32.0",
-        "eslint-config-google": "^0.14.0",
-        "jest": ">=27.4.7",
-        "jest-junit": ">=13.0.0",
-        "ts-jest": ">=27.1.3",
-        "typescript": "^4.3.5"
-    }
+  "name": "step-security-harden-runner",
+  "version": "1.4.0",
+  "description": "GitHub Actions Runtime Security",
+  "main": "index.js",
+  "scripts": {
+    "build": "npm run main && npm run pre && npm run post",
+    "main": "ncc build src/index.ts --source-map",
+    "pre": "ncc build src/setup.ts --source-map -o dist/pre",
+    "post": "ncc build src/cleanup.ts --source-map -o dist/post",
+    "lint": "eslint src/**/*.ts"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/step-security/harden-runner.git"
+  },
+  "keywords": [],
+  "author": "Varun Sharma",
+  "license": "Apache License 2.0",
+  "bugs": {
+    "url": "https://github.com/step-security/harden-runner/issues"
+  },
+  "homepage": "https://github.com/step-security/harden-runner#readme",
+  "dependencies": {
+    "@actions/core": "^1.5.0",
+    "@actions/exec": "^1.1.0",
+    "@actions/github": "^5.0.0",
+    "@actions/http-client": "^1.0.11",
+    "@actions/tool-cache": "^1.7.1",
+    "node-fetch": ">=3.2.0",
+    "uuid": "^8.3.2",
+    "ansi-regex": ">=5.0.1"
+  },
+  "devDependencies": {
+    "@types/jest": "^27.0.1",
+    "@types/node": "^16.9.0",
+    "@typescript-eslint/eslint-plugin": "^4.29.2",
+    "@typescript-eslint/parser": "^4.29.2",
+    "@vercel/ncc": "^0.30.0",
+    "eslint": "^7.32.0",
+    "eslint-config-google": "^0.14.0",
+    "jest": ">=27.4.7",
+    "jest-junit": ">=13.0.0",
+    "ts-jest": ">=27.1.3",
+    "typescript": "^4.3.5"
+  }
 }

src/checksum.ts

@@ -1,19 +1,22 @@
 import * as core from "@actions/core";
-import * as crypto from "crypto"
-import * as fs from "fs"
+import * as crypto from "crypto";
+import * as fs from "fs";
 
-export function verifyChecksum(downloadPath: string){
+export function verifyChecksum(downloadPath: string) {
+  const fileBuffer: Buffer = fs.readFileSync(downloadPath);
+  const checksum: string = crypto
+    .createHash("sha256")
+    .update(fileBuffer)
+    .digest("hex"); // checksum of downloaded file
 
+  const expectedChecksum: string =
+    "28427e325c00f49e391af0899f49fe34e73b36b113a9f095660b73da88c43280"; // checksum for v0.9.0
 
-    const fileBuffer:Buffer = fs.readFileSync(downloadPath)
-    const checksum: string = crypto.createHash("sha256").update(fileBuffer).digest('hex'); // checksum of downloaded file
+  if (checksum !== expectedChecksum) {
+    core.setFailed(
+      `Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
+    );
+  }
 
-    const expectedChecksum: string = "a5f466fc5c8a9b809afd421e0f32903da98908feab5a245c734d3775e2e10032" // default checksum
-    
-    if(checksum !== expectedChecksum){
-        core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`)
-    }
-
-    core.debug("Checksum verification passed.")
-
-}
+  core.debug("Checksum verification passed.");
+}

src/index.ts

@@ -7,10 +7,14 @@ import * as core from "@actions/core";
     return;
   }
 
-  if (core.getBooleanInput("disable-telemetry") === true && core.getInput("egress-policy") === "block"){
-    core.warning("Insights will not be sent to StepSecurity API as disable-telemetry is set to true");
-  }
-  else{
+  if (
+    core.getBooleanInput("disable-telemetry") &&
+    core.getInput("egress-policy") === "block"
+  ) {
+    console.log(
+      "Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true"
+    );
+  } else {
     var web_url = "https://app.stepsecurity.io";
     printInfo(web_url);
   }

src/setup.ts

@@ -6,7 +6,7 @@ import * as path from "path";
 import { v4 as uuidv4 } from "uuid";
 import { printInfo } from "./common";
 import * as tc from "@actions/tool-cache";
-import {verifyChecksum} from "./checksum"
+import { verifyChecksum } from "./checksum";
 (async () => {
   try {
     if (process.platform !== "linux") {
@@ -19,18 +19,6 @@ import {verifyChecksum} from "./checksum"
     var api_url = `https://${env}.api.stepsecurity.io/v1`;
     var web_url = "https://app.stepsecurity.io";
 
-    let token = core.getInput('token');
-    let auth = `token ${token}`;
-    let _http = new httpm.HttpClient();
-    _http.requestOptions = { socketTimeout: 3 * 1000 };
-    try {
-      await _http.get(
-        `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
-      );
-    } catch (e) {
-      console.log(`error in connecting to ${api_url}: ${e}`);
-    }
-
     const confg = {
       repo: process.env["GITHUB_REPOSITORY"],
       run_id: process.env["GITHUB_RUN_ID"],
@@ -56,28 +44,40 @@ import {verifyChecksum} from "./checksum"
       core.setFailed("disable-telemetry must be a boolean value");
     }
 
+    if (!confg.disable_telemetry) {
+      let _http = new httpm.HttpClient();
+      _http.requestOptions = { socketTimeout: 3 * 1000 };
+      try {
+        await _http.get(
+          `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
+        );
+      } catch (e) {
+        console.log(`error in connecting to ${api_url}: ${e}`);
+      }
+    }
+
     const confgStr = JSON.stringify(confg);
     cp.execSync("sudo mkdir -p /home/agent");
     cp.execSync("sudo chown -R $USER /home/agent");
 
     // Note: to avoid github rate limiting
+    let token = core.getInput("token");
+    let auth = `token ${token}`;
+
     const downloadPath: string = await tc.downloadTool(
-      "https://github.com/step-security/agent/releases/download/v0.8.6/agent_0.8.6_linux_amd64.tar.gz", undefined, auth
+      "https://github.com/step-security/agent/releases/download/v0.9.0/agent_0.9.0_linux_amd64.tar.gz",
+      undefined,
+      auth
     );
-    
-    verifyChecksum(downloadPath) // NOTE: verifying agent's checksum, before extracting
+
+    verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
     const extractPath = await tc.extractTar(downloadPath);
 
     console.log(`Step Security Job Correlation ID: ${correlation_id}`);
-    
-    if (confg.disable_telemetry === false){
+
+    if (!confg.disable_telemetry || confg.egress_policy === "audit") {
       printInfo(web_url);
     }
-    else{
-      if(confg.egress_policy === "audit"){
-        printInfo(web_url);
-      }
-    }
 
     let cmd = "cp",
       args = [path.join(extractPath, "agent"), "/home/agent/agent"];