step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 12:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

Release v2.5.1 (#332)

Browse source
This commit is contained in:
Varun Sharma 2023-08-09 09:09:14 -07:00 committed by GitHub
commit 8ca2b8b2ec
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 9 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.github/workflows/canary.yml vendored
View file

@ -24,6 +24,7 @@ jobs:
steps:
- uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v1
with:
egress-policy: audit
allowed-endpoints:
api.github.com:443
github.com:443

1
.github/workflows/release.yml vendored
View file

@ -27,6 +27,7 @@ jobs:
steps:
- uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
with:
egress-policy: audit
allowed-endpoints:
api.github.com:443
github.com:443

2
.github/workflows/test.yml vendored
View file

@ -19,7 +19,7 @@ jobs:
uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
with:
disable-sudo: true
egress-policy: block
egress-policy: audit
allowed-endpoints: >
api.github.com:443
codecov.io:443

4
dist/pre/index.js vendored
View file

@ -69152,7 +69152,7 @@ function verifyChecksum(downloadPath) {
const checksum = external_crypto_.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
const expectedChecksum = "79cc2df62f6eba9ab4ceadbbdfca4d20ef5b14e1439a98eaa559142b8dd61aac"; // checksum for v0.13.4
const expectedChecksum = "ceb925c78e5c79af4f344f08f59bbdcf3376d20d15930a315f9b24b6c4d0328a"; // checksum for v0.13.5
if (checksum !== expectedChecksum) {
lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
}
@ -69460,7 +69460,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
// Note: to avoid github rate limiting
let token = lib_core.getInput("token");
let auth = `token ${token}`;
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.4/agent_0.13.4_linux_amd64.tar.gz", undefined, auth);
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.5/agent_0.13.5_linux_amd64.tar.gz", undefined, auth);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = yield tool_cache.extractTar(downloadPath);
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

2
package.json
View file

@ -1,6 +1,6 @@
{
"name": "step-security-harden-runner",
"version": "2.4.1",
"version": "2.5.1",
"description": "Security agent for GitHub-hosted runner: block egress traffic & detect code overwrite to prevent breaches",
"main": "index.js",
"scripts": {

2
src/checksum.ts
View file

@ -10,7 +10,7 @@ export function verifyChecksum(downloadPath: string) {
.digest("hex"); // checksum of downloaded file
const expectedChecksum: string =
"79cc2df62f6eba9ab4ceadbbdfca4d20ef5b14e1439a98eaa559142b8dd61aac"; // checksum for v0.13.4
"ceb925c78e5c79af4f344f08f59bbdcf3376d20d15930a315f9b24b6c4d0328a"; // checksum for v0.13.5
if (checksum !== expectedChecksum) {
core.setFailed(

2
src/setup.ts
View file

@ -168,7 +168,7 @@ import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
let auth = `token ${token}`;
const downloadPath: string = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.13.4/agent_0.13.4_linux_amd64.tar.gz",
"https://github.com/step-security/agent/releases/download/v0.13.5/agent_0.13.5_linux_amd64.tar.gz",
undefined,
auth
);