step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 16:28:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

Code refactor

Browse source 
Bump version, agent version
This commit is contained in:
Varun Sharma 2022-02-12 15:40:44 -08:00
commit 7d98ec0a89
10 changed files with 132 additions and 125 deletions
Download patch file Download diff file Expand all files Collapse all files

30
action.yml
View file

@ -1,26 +1,26 @@
name: 'Harden Runner' name: "Harden Runner"
description: 'GitHub Actions Runtime Security' description: "GitHub Actions Runtime Security"
inputs: inputs:
allowed-endpoints: allowed-endpoints:
description: 'Only these endpoints will be allowed if egress-policy is set to block' description: "Only these endpoints will be allowed if egress-policy is set to block"
required: false required: false
default: '' default: ""
egress-policy: egress-policy:
description: 'Policy for outbound traffic, can be either audit or block' description: "Policy for outbound traffic, can be either audit or block"
required: false required: false
default: 'block' default: "block"
token: token:
description: 'Used to avoid github rate limiting' description: "Used to avoid github rate limiting"
default: ${{ github.token }} default: ${{ github.token }}
disable-telemetry: disable-telemetry:
description: 'Disable sending insights to StepSecurity API, can be set to true or false' description: "Disable sending telemetry to StepSecurity API, can be set to true or false. This can only be set to true when egress-policy is set to block"
required: false required: false
default: 'false' default: "false"
branding: branding:
icon: 'check-square' icon: "check-square"
color: 'green' color: "green"
runs: runs:
using: 'node16' using: "node16"
pre: 'dist/pre/index.js' pre: "dist/pre/index.js"
main: 'dist/index.js' main: "dist/index.js"
post: 'dist/post/index.js' post: "dist/post/index.js"

5
dist/index.js vendored
View file

@ -1716,8 +1716,9 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
console.log("Only runs on linux"); console.log("Only runs on linux");
return; return;
} }
if (core.getBooleanInput("disable-telemetry") === true && core.getInput("egress-policy") === "block") { if (core.getBooleanInput("disable-telemetry") &&
core.warning("Insights will not be sent to StepSecurity API as disable-telemetry is set to true"); core.getInput("egress-policy") === "block") {
console.log("Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true");
} }
else { else {
var web_url = "https://app.stepsecurity.io"; var web_url = "https://app.stepsecurity.io";

2
dist/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

2
dist/pre/agent.service vendored
View file

@ -12,4 +12,4 @@ SyslogIdentifier=agentservice
AmbientCapabilities=CAP_NET_BIND_SERVICE, CAP_NET_ADMIN AmbientCapabilities=CAP_NET_BIND_SERVICE, CAP_NET_ADMIN
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

37
dist/pre/index.js vendored
View file

@ -6269,8 +6269,10 @@ var external_crypto_ = __nccwpck_require__(6417);
function verifyChecksum(downloadPath) { function verifyChecksum(downloadPath) {
const fileBuffer = external_fs_.readFileSync(downloadPath); const fileBuffer = external_fs_.readFileSync(downloadPath);
const checksum = external_crypto_.createHash("sha256").update(fileBuffer).digest('hex'); // checksum of downloaded file const checksum = external_crypto_.createHash("sha256")
const expectedChecksum = "a5f466fc5c8a9b809afd421e0f32903da98908feab5a245c734d3775e2e10032"; // default checksum .update(fileBuffer)
.digest("hex"); // checksum of downloaded file
const expectedChecksum = "28427e325c00f49e391af0899f49fe34e73b36b113a9f095660b73da88c43280"; // checksum for v0.9.0
if (checksum !== expectedChecksum) { if (checksum !== expectedChecksum) {
core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`); core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
} }
@ -6306,16 +6308,6 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
var env = "agent"; var env = "agent";
var api_url = `https://${env}.api.stepsecurity.io/v1`; var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://app.stepsecurity.io"; var web_url = "https://app.stepsecurity.io";
let token = core.getInput('token');
let auth = `token ${token}`;
let _http = new http_client.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
}
catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
const confg = { const confg = {
repo: process.env["GITHUB_REPOSITORY"], repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"], run_id: process.env["GITHUB_RUN_ID"],
@ -6335,22 +6327,29 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) { if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
core.setFailed("disable-telemetry must be a boolean value"); core.setFailed("disable-telemetry must be a boolean value");
} }
if (!confg.disable_telemetry) {
let _http = new http_client.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
}
catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
}
const confgStr = JSON.stringify(confg); const confgStr = JSON.stringify(confg);
external_child_process_.execSync("sudo mkdir -p /home/agent"); external_child_process_.execSync("sudo mkdir -p /home/agent");
external_child_process_.execSync("sudo chown -R $USER /home/agent"); external_child_process_.execSync("sudo chown -R $USER /home/agent");
// Note: to avoid github rate limiting // Note: to avoid github rate limiting
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.8.6/agent_0.8.6_linux_amd64.tar.gz", undefined, auth); let token = core.getInput("token");
let auth = `token ${token}`;
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.9.0/agent_0.9.0_linux_amd64.tar.gz", undefined, auth);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = yield tool_cache.extractTar(downloadPath); const extractPath = yield tool_cache.extractTar(downloadPath);
console.log(`Step Security Job Correlation ID: ${correlation_id}`); console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (confg.disable_telemetry === false) { if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url); printInfo(web_url);
} }
else {
if (confg.egress_policy === "audit") {
printInfo(web_url);
}
}
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"]; let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args); external_child_process_.execFileSync(cmd, args);
external_child_process_.execSync("chmod +x /home/agent/agent"); external_child_process_.execSync("chmod +x /home/agent/agent");

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

90
package.json
View file

@ -1,47 +1,47 @@
{ {
"name": "step-security-harden-runner", "name": "step-security-harden-runner",
"version": "1.1.0", "version": "1.4.0",
"description": "GitHub Actions Runtime Security", "description": "GitHub Actions Runtime Security",
"main": "index.js", "main": "index.js",
"scripts": { "scripts": {
"build": "npm run main && npm run pre && npm run post", "build": "npm run main && npm run pre && npm run post",
"main": "ncc build src/index.ts --source-map", "main": "ncc build src/index.ts --source-map",
"pre": "ncc build src/setup.ts --source-map -o dist/pre", "pre": "ncc build src/setup.ts --source-map -o dist/pre",
"post": "ncc build src/cleanup.ts --source-map -o dist/post", "post": "ncc build src/cleanup.ts --source-map -o dist/post",
"lint": "eslint src/**/*.ts" "lint": "eslint src/**/*.ts"
}, },
"repository": { "repository": {
"type": "git", "type": "git",
"url": "git+https://github.com/step-security/harden-runner.git" "url": "git+https://github.com/step-security/harden-runner.git"
}, },
"keywords": [], "keywords": [],
"author": "Varun Sharma", "author": "Varun Sharma",
"license": "Apache License 2.0", "license": "Apache License 2.0",
"bugs": { "bugs": {
"url": "https://github.com/step-security/harden-runner/issues" "url": "https://github.com/step-security/harden-runner/issues"
}, },
"homepage": "https://github.com/step-security/harden-runner#readme", "homepage": "https://github.com/step-security/harden-runner#readme",
"dependencies": { "dependencies": {
"@actions/core": "^1.5.0", "@actions/core": "^1.5.0",
"@actions/exec": "^1.1.0", "@actions/exec": "^1.1.0",
"@actions/github": "^5.0.0", "@actions/github": "^5.0.0",
"@actions/http-client": "^1.0.11", "@actions/http-client": "^1.0.11",
"@actions/tool-cache": "^1.7.1", "@actions/tool-cache": "^1.7.1",
"node-fetch": ">=3.2.0", "node-fetch": ">=3.2.0",
"uuid": "^8.3.2", "uuid": "^8.3.2",
"ansi-regex": ">=5.0.1" "ansi-regex": ">=5.0.1"
}, },
"devDependencies": { "devDependencies": {
"@types/jest": "^27.0.1", "@types/jest": "^27.0.1",
"@types/node": "^16.9.0", "@types/node": "^16.9.0",
"@typescript-eslint/eslint-plugin": "^4.29.2", "@typescript-eslint/eslint-plugin": "^4.29.2",
"@typescript-eslint/parser": "^4.29.2", "@typescript-eslint/parser": "^4.29.2",
"@vercel/ncc": "^0.30.0", "@vercel/ncc": "^0.30.0",
"eslint": "^7.32.0", "eslint": "^7.32.0",
"eslint-config-google": "^0.14.0", "eslint-config-google": "^0.14.0",
"jest": ">=27.4.7", "jest": ">=27.4.7",
"jest-junit": ">=13.0.0", "jest-junit": ">=13.0.0",
"ts-jest": ">=27.1.3", "ts-jest": ">=27.1.3",
"typescript": "^4.3.5" "typescript": "^4.3.5"
} }
} }

31
src/checksum.ts
View file

@ -1,19 +1,22 @@
import * as core from "@actions/core"; import * as core from "@actions/core";
import * as crypto from "crypto" import * as crypto from "crypto";
import * as fs from "fs" import * as fs from "fs";
export function verifyChecksum(downloadPath: string){ export function verifyChecksum(downloadPath: string) {
const fileBuffer: Buffer = fs.readFileSync(downloadPath);
const checksum: string = crypto
.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
const expectedChecksum: string =
"28427e325c00f49e391af0899f49fe34e73b36b113a9f095660b73da88c43280"; // checksum for v0.9.0
const fileBuffer:Buffer = fs.readFileSync(downloadPath) if (checksum !== expectedChecksum) {
const checksum: string = crypto.createHash("sha256").update(fileBuffer).digest('hex'); // checksum of downloaded file core.setFailed(
`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
);
}
const expectedChecksum: string = "a5f466fc5c8a9b809afd421e0f32903da98908feab5a245c734d3775e2e10032" // default checksum core.debug("Checksum verification passed.");
}
if(checksum !== expectedChecksum){
core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`)
}
core.debug("Checksum verification passed.")
}

12
src/index.ts
View file

@ -7,10 +7,14 @@ import * as core from "@actions/core";
return; return;
} }
if (core.getBooleanInput("disable-telemetry") === true && core.getInput("egress-policy") === "block"){ if (
core.warning("Insights will not be sent to StepSecurity API as disable-telemetry is set to true"); core.getBooleanInput("disable-telemetry") &&
} core.getInput("egress-policy") === "block"
else{ ) {
console.log(
"Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true"
);
} else {
var web_url = "https://app.stepsecurity.io"; var web_url = "https://app.stepsecurity.io";
printInfo(web_url); printInfo(web_url);
} }

46
src/setup.ts
View file

@ -6,7 +6,7 @@ import * as path from "path";
import { v4 as uuidv4 } from "uuid"; import { v4 as uuidv4 } from "uuid";
import { printInfo } from "./common"; import { printInfo } from "./common";
import * as tc from "@actions/tool-cache"; import * as tc from "@actions/tool-cache";
import {verifyChecksum} from "./checksum" import { verifyChecksum } from "./checksum";
(async () => { (async () => {
try { try {
if (process.platform !== "linux") { if (process.platform !== "linux") {
@ -19,18 +19,6 @@ import {verifyChecksum} from "./checksum"
var api_url = `https://${env}.api.stepsecurity.io/v1`; var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://app.stepsecurity.io"; var web_url = "https://app.stepsecurity.io";
let token = core.getInput('token');
let auth = `token ${token}`;
let _http = new httpm.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
);
} catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
const confg = { const confg = {
repo: process.env["GITHUB_REPOSITORY"], repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"], run_id: process.env["GITHUB_RUN_ID"],
@ -56,28 +44,40 @@ import {verifyChecksum} from "./checksum"
core.setFailed("disable-telemetry must be a boolean value"); core.setFailed("disable-telemetry must be a boolean value");
} }
if (!confg.disable_telemetry) {
let _http = new httpm.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
);
} catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
}
const confgStr = JSON.stringify(confg); const confgStr = JSON.stringify(confg);
cp.execSync("sudo mkdir -p /home/agent"); cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent"); cp.execSync("sudo chown -R $USER /home/agent");
// Note: to avoid github rate limiting // Note: to avoid github rate limiting
let token = core.getInput("token");
let auth = `token ${token}`;
const downloadPath: string = await tc.downloadTool( const downloadPath: string = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.8.6/agent_0.8.6_linux_amd64.tar.gz", undefined, auth "https://github.com/step-security/agent/releases/download/v0.9.0/agent_0.9.0_linux_amd64.tar.gz",
undefined,
auth
); );
verifyChecksum(downloadPath) // NOTE: verifying agent's checksum, before extracting verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = await tc.extractTar(downloadPath); const extractPath = await tc.extractTar(downloadPath);
console.log(`Step Security Job Correlation ID: ${correlation_id}`); console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (confg.disable_telemetry === false){ if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url); printInfo(web_url);
} }
else{
if(confg.egress_policy === "audit"){
printInfo(web_url);
}
}
let cmd = "cp", let cmd = "cp",
args = [path.join(extractPath, "agent"), "/home/agent/agent"]; args = [path.join(extractPath, "agent"), "/home/agent/agent"];