Merge pull request #21 from step-security/feature-17

Pin agent to specific version
This commit is contained in:
Varun Sharma 2021-11-26 08:33:57 -08:00 committed by GitHub
commit 917f7d59f2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 4164 additions and 240 deletions

4151
dist/pre/index.js vendored



60
package-lock.json generated

@ -1,17 +1,18 @@
{
"name": "step-security-harden-runner",
"version": "0.0.1",
"version": "0.1.0",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "step-security-harden-runner",
"version": "0.0.1",
"version": "0.1.0",
"license": "Apache License 2.0",
"dependencies": {
"@actions/core": "^1.5.0",
"@actions/exec": "^1.1.0",
"@actions/github": "^5.0.0",
"@actions/tool-cache": "^1.7.1",
"node-fetch": "^2.6.1",
"uuid": "^8.3.2"
},
@ -69,6 +70,36 @@
"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.1.tgz",
"integrity": "sha512-Qi4JoKXjmE0O67wAOH6y0n26QXhMKMFo7GD/4IXNVcrtLjUlGjGuVys6pQgwF3ArfGTQu0XpqaNr0YhED2RaRA=="
},
"node_modules/@actions/tool-cache": {
"version": "1.7.1",
"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-1.7.1.tgz",
"integrity": "sha512-y1xxxOhXaBUIUit3lhepmu/0xdgiTMpnZRLmVdtF0hTm521doi+MdRRRP62czHvM7wxH6epj4JPNJQ3iJpOrkQ==",
"dependencies": {
"@actions/core": "^1.2.6",
"@actions/exec": "^1.0.0",
"@actions/http-client": "^1.0.8",
"@actions/io": "^1.1.1",
"semver": "^6.1.0",
"uuid": "^3.3.2"
}
},
"node_modules/@actions/tool-cache/node_modules/semver": {
"version": "6.3.0",
"resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
"integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==",
"bin": {
"semver": "bin/semver.js"
}
},
"node_modules/@actions/tool-cache/node_modules/uuid": {
"version": "3.4.0",
"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz",
"integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==",
"deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.",
"bin": {
"uuid": "bin/uuid"
}
},
"node_modules/@babel/code-frame": {
"version": "7.12.11",
"resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.12.11.tgz",
@ -7635,6 +7666,31 @@
"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.1.tgz",
"integrity": "sha512-Qi4JoKXjmE0O67wAOH6y0n26QXhMKMFo7GD/4IXNVcrtLjUlGjGuVys6pQgwF3ArfGTQu0XpqaNr0YhED2RaRA=="
},
"@actions/tool-cache": {
"version": "1.7.1",
"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-1.7.1.tgz",
"integrity": "sha512-y1xxxOhXaBUIUit3lhepmu/0xdgiTMpnZRLmVdtF0hTm521doi+MdRRRP62czHvM7wxH6epj4JPNJQ3iJpOrkQ==",
"requires": {
"@actions/core": "^1.2.6",
"@actions/exec": "^1.0.0",
"@actions/http-client": "^1.0.8",
"@actions/io": "^1.1.1",
"semver": "^6.1.0",
"uuid": "^3.3.2"
},
"dependencies": {
"semver": {
"version": "6.3.0",
"resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
"integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw=="
},
"uuid": {
"version": "3.4.0",
"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz",
"integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A=="
}
}
},
"@babel/code-frame": {
"version": "7.12.11",
"resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.12.11.tgz",


@ -1,6 +1,6 @@
{
"name": "step-security-harden-runner",
"version": "0.1.0",
"version": "0.3.0",
"description": "GitHub Actions Runtime Security",
"main": "index.js",
"scripts": {
@ -25,6 +25,7 @@
"@actions/core": "^1.5.0",
"@actions/exec": "^1.1.0",
"@actions/github": "^5.0.0",
"@actions/tool-cache": "^1.7.1",
"node-fetch": "^2.6.1",
"uuid": "^8.3.2"
},


@ -5,6 +5,7 @@ import * as https from "https";
import * as path from "path";
import { v4 as uuidv4 } from "uuid";
import { printInfo } from "./common";
import * as tc from "@actions/tool-cache";
(async () => {
try {
@ -31,64 +32,55 @@ import { printInfo } from "./common";
cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent");
const filename = path.join(__dirname, "agent");
https.get(
`https://step-security-agent.s3.us-west-2.amazonaws.com/refs/heads/${env}/agent`,
(res) => {
const filePath = fs.createWriteStream(filename);
res.pipe(filePath);
filePath
.on("error", (err) => {})
.on("finish", async () => {
filePath.close();
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
printInfo(web_url);
let cmd = "cp",
args = [path.join(__dirname, "agent"), "/home/agent/agent"];
cp.execFileSync(cmd, args);
cp.execSync("chmod +x /home/agent/agent");
fs.writeFileSync("/home/agent/agent.json", confgStr);
cmd = "sudo";
args = [
"cp",
path.join(__dirname, "agent.service"),
"/etc/systemd/system/agent.service",
];
cp.execFileSync(cmd, args);
cp.execSync("sudo systemctl daemon-reload");
cp.execSync("sudo service agent start", { timeout: 15000 });
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!fs.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (fs.existsSync(logFile)) {
var content = fs.readFileSync(logFile, "utf-8");
console.log(content);
}
break;
}
await sleep(300);
} // The file *does* exist
else {
// Read the file
var content = fs.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
}
});
}
const downloadPath: string = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.1.5/agent_0.1.5_linux_amd64.tar.gz"
);
const extractPath = await tc.extractTar(downloadPath);
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
printInfo(web_url);
let cmd = "cp",
args = [path.join(extractPath, "agent"), "/home/agent/agent"];
cp.execFileSync(cmd, args);
cp.execSync("chmod +x /home/agent/agent");
fs.writeFileSync("/home/agent/agent.json", confgStr);
cmd = "sudo";
args = [
"cp",
path.join(__dirname, "agent.service"),
"/etc/systemd/system/agent.service",
];
cp.execFileSync(cmd, args);
cp.execSync("sudo systemctl daemon-reload");
cp.execSync("sudo service agent start", { timeout: 15000 });
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!fs.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (fs.existsSync(logFile)) {
var content = fs.readFileSync(logFile, "utf-8");
console.log(content);
}
break;
}
await sleep(300);
} // The file *does* exist
else {
// Read the file
var content = fs.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
}
} catch (error) {
core.setFailed(error.message);
}
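Review bot: The tarball fetched by `tc.downloadTool` at the top of the new block is extracted, copied to `/home/agent/agent` and started as a root systemd service without any integrity check, so pinning `v0.1.5` only fixes which URL is trusted, not what arrives from it; a replaced or tampered release asset would still be installed and run as root on the runner. Comparing the download against the SHA-256 published with that release before `tc.extractTar` closes that gap; `fs` is already imported in this file, and node's `crypto` module would need to be imported alongside it (the digest below is a placeholder to be filled from the release, not a real value). Separately, the status-file loop that follows still only prints `"timed out"` and falls through, so the job proceeds without the agent when the service fails to come up — `core.setFailed("agent did not start")` at that point would make the failure visible, unless this is deliberately best-effort, which I can't tell from the hunk. The enclosing async IIFE opened at the top of the file continues past the end of this hunk.
```typescript
const downloadPath: string = await tc.downloadTool(
  "https://github.com/step-security/agent/releases/download/v0.1.5/agent_0.1.5_linux_amd64.tar.gz"
);
// A pinned URL does not bind the step to a specific artifact; verify the
// digest published with the release before anything is extracted or run.
const expectedSha256 = "<sha256 of agent_0.1.5_linux_amd64.tar.gz from the release>";
const actualSha256 = crypto
  .createHash("sha256")
  .update(fs.readFileSync(downloadPath))
  .digest("hex");
if (actualSha256 !== expectedSha256) {
  throw new Error(`agent tarball checksum mismatch: ${actualSha256}`);
}
const extractPath = await tc.extractTar(downloadPath);
// … unchanged: copy to /home/agent, install service, start, poll status file …
```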