
Release v2.7.1 (#397)

This commit is contained in:
Varun Sharma 2024-04-29 13:53:33 -07:00 committed by GitHub
commit a4aa98b93c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 110 additions and 43 deletions


@ -17,14 +17,11 @@
Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners.
For self-hosted environments, Harden-Runner supports:
Learn how Harden-Runner works through the video below, which shows how it detected a supply chain attack on a Google open-source project.
1. Kubernetes runners setup using Actions Runner Controller (ARC)
2. Virtual Machine runners (e.g. on EC2) - both ephemeral and persistent runners are supported
<a href="https://youtu.be/Yz72qAOrN9s" target="_blank"><img src="images/case-study-thumbnail1.png" alt="Harden-Runner detected supply chain attack in a Google open-source project" title="This case study video shows how StepSecurity Harden-Runner detected a CI/CD supply chain attack in real-time in Googles open-source project Flank"></a>
![Harden Runner Demo](images/main.png)
## Explore open source projects using Harden-Runner
## 3,000+ open source projects use Harden-Runner
| [![CISA](https://avatars.githubusercontent.com/u/18539691?s=60&v=4)](https://app.stepsecurity.io/github/cisagov/skeleton-generic/actions/runs/7588528684) | [![Microsoft](https://avatars.githubusercontent.com/u/6154722?s=60&v=4)](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/7587031851) | [![Google](https://avatars.githubusercontent.com/u/2810941?s=60&v=4)](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/7576989995) | [![DataDog](https://avatars.githubusercontent.com/u/365230?s=60&v=4)](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/7446169664) | [![Intel](https://avatars.githubusercontent.com/u/17888862?s=60&v=4)](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/7590975903) | [![Kubernetes](https://avatars.githubusercontent.com/u/36015203?s=60&v=4)](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/7591172950) | [![Node.js](https://avatars.githubusercontent.com/u/9950313?s=60&v=4)](https://app.stepsecurity.io/github/nodejs/node/actions/runs/7591405720) | [![AWS](https://avatars.githubusercontent.com/u/2232217?s=60&v=4)](https://app.stepsecurity.io/github/aws/aperf/actions/runs/7631366761) |
| --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
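Review bot: the title attribute of the case-study image has a typo, "Googles open-source project Flank" should read "Google's open-source project Flank". The alt text and the link target are fine; only the title string needs the apostrophe.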
@ -41,11 +38,9 @@ Harden-Runner monitors process, file, and network activity to:
| | Countermeasure | Prevent Security Breach |
| --- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1. | Monitor and block outbound network traffic at the DNS, HTTPS (Layer 7), and network layers (Layers 3 and 4) to prevent exfiltration of code and CI/CD credentials | To prevent the [Codecov breach](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md) scenario |
| 2. | Detect if source code is being tampered during the build process to inject a backdoor | To detect the [SolarWinds incident](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/TamperingDuringBuild.md) scenario |
| 2. | Detect if source code is being tampered during the build process to inject a backdoor | To detect the [XZ Utils](https://www.stepsecurity.io/blog/analysis-of-backdoored-xz-utils-build-process-with-harden-runner) and [SolarWinds incident](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/TamperingDuringBuild.md) scenario |
| 3. | Detect poisoned workflows and compromised dependencies | To detect [Dependency confusion](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md#dependency-confusion-attacks) and [Malicious dependencies](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md#compromised-dependencies) |
Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in-github-actions-7b93a9985635) on how Harden-Runner detected malicious packages in the NPM registry.
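Review bot: in row 2 of the table, "Detect if source code is being tampered during the build process" reads better as "tampered with during the build process", and now that the cell cites both the XZ Utils analysis and the SolarWinds incident it should end in "scenarios" rather than "scenario".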
## How
### GitHub-Hosted Runners
@ -68,13 +63,13 @@ Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in
3. Click on the link ([example link](https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/7704454287)). You will see a process monitor view of network and file events correlated with each step of the job.
<p align="left">
<img src="images/network-events.png" alt="Insights from harden-runner" >
<img src="images/network-events1.png" alt="Insights from harden-runner" >
</p>
4. In the `Recommended Policy` tab, you'll find a recommended block policy based on outbound calls aggregated from the current and past runs of the job. You can update your workflow file with this policy, or alternatively, use the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store) to apply the policy without modifying the workflow file. From now on, any outbound calls not in the allowed list will be blocked.
<p align="left">
<img src="images/recommended-policy.png" alt="Policy recommended by harden-runner" >
<img src="images/recommended-policy1.png" alt="Policy recommended by harden-runner" >
</p>
## Hands-On Tutorials

13
dist/index.js vendored

@ -2836,6 +2836,11 @@ __nccwpck_require__.r(__webpack_exports__);
var lib_core = __nccwpck_require__(186);
// EXTERNAL MODULE: external "fs"
var external_fs_ = __nccwpck_require__(747);
;// CONCATENATED MODULE: ./src/configs.ts
const STEPSECURITY_ENV = "agent"; // agent or int
const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
const configs_STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
;// CONCATENATED MODULE: ./src/common.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
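Review bot: dist/index.js is generated output, and this hunk only mirrors the hoisted src/configs.ts module (STEPSECURITY_ENV, STEPSECURITY_API_URL, configs_STEPSECURITY_WEB_URL). Because the vendored bundles are what the action actually executes, confirm they were rebuilt from this commit's src with the pinned build toolchain rather than edited by hand; a CI step that rebuilds dist and fails on any diff would make that check reproducible for every release.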
@ -2848,6 +2853,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
};
function printInfo(web_url) {
console.log("\x1b[32m%s\x1b[0m", "View security insights and recommended policy at:");
console.log(`${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`);
@ -2872,10 +2878,10 @@ const processLogLine = (line, tableEntries) => {
};
function addSummary() {
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_monitorStatusCode !== "200") {
if (process.env.STATE_addSummary !== "true") {
return;
}
const web_url = "https://app.stepsecurity.io";
const web_url = STEPSECURITY_WEB_URL;
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!fs.existsSync(log)) {
@ -3015,6 +3021,7 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu
(() => src_awaiter(void 0, void 0, void 0, function* () {
if (process.platform !== "linux") {
console.log(UBUNTU_MESSAGE);
@ -3034,7 +3041,7 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu
console.log("Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true");
}
else {
var web_url = "https://app.stepsecurity.io";
var web_url = configs_STEPSECURITY_WEB_URL;
printInfo(web_url);
}
}))();

2
dist/index.js.map vendored

File diff suppressed because one or more lines are too long

22
dist/post/index.js vendored

@ -139,7 +139,7 @@ const command_1 = __nccwpck_require__(351);
const file_command_1 = __nccwpck_require__(717);
const utils_1 = __nccwpck_require__(278);
const os = __importStar(__nccwpck_require__(87));
const path = __importStar(__nccwpck_require__(622));
const path = __importStar(__nccwpck_require__(277));
const oidc_utils_1 = __nccwpck_require__(41);
/**
* The code to exit an action
@ -618,7 +618,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.toPlatformPath = exports.toWin32Path = exports.toPosixPath = void 0;
const path = __importStar(__nccwpck_require__(622));
const path = __importStar(__nccwpck_require__(277));
/**
* toPosixPath converts the given path to the posix form. On Windows, \\ will be
* replaced with /.
@ -2752,7 +2752,7 @@ module.exports = require("os");
/***/ }),
/***/ 622:
/***/ 277:
/***/ ((module) => {
"use strict";
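Review bot: the 622 → 277 module-id changes in this hunk and the two preceding ones are bundler renumbering from a rebuild and carry no functional change; nothing to fix, but it is worth stating in the PR description that dist/post was regenerated so the renumbering is not mistaken for a manual edit.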
@ -2838,6 +2838,11 @@ var external_fs_ = __nccwpck_require__(747);
const external_child_process_namespaceObject = require("child_process");
// EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
var core = __nccwpck_require__(186);
;// CONCATENATED MODULE: ./src/configs.ts
const STEPSECURITY_ENV = "agent"; // agent or int
const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
;// CONCATENATED MODULE: ./src/common.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -2850,6 +2855,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
};
function printInfo(web_url) {
console.log("\x1b[32m%s\x1b[0m", "View security insights and recommended policy at:");
console.log(`${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`);
@ -2874,10 +2880,10 @@ const processLogLine = (line, tableEntries) => {
};
function addSummary() {
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_monitorStatusCode !== "200") {
if (process.env.STATE_addSummary !== "true") {
return;
}
const web_url = "https://app.stepsecurity.io";
const web_url = STEPSECURITY_WEB_URL;
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!external_fs_.existsSync(log)) {
@ -3109,6 +3115,12 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
var content = external_fs_.readFileSync(log, "utf-8");
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (external_fs_.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = external_fs_.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (external_fs_.existsSync(status)) {
console.log("status:");

File diff suppressed because one or more lines are too long

39
dist/pre/index.js vendored

@ -71246,6 +71246,11 @@ const validate = dist.validate;
const stringify = dist.stringify;
const parse = dist.parse;
;// CONCATENATED MODULE: ./src/configs.ts
const STEPSECURITY_ENV = "agent"; // agent or int
const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
const configs_STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
;// CONCATENATED MODULE: ./src/common.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -71258,6 +71263,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
};
function printInfo(web_url) {
console.log("\x1b[32m%s\x1b[0m", "View security insights and recommended policy at:");
console.log(`${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`);
@ -71282,10 +71288,10 @@ const processLogLine = (line, tableEntries) => {
};
function addSummary() {
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_monitorStatusCode !== "200") {
if (process.env.STATE_addSummary !== "true") {
return;
}
const web_url = "https://app.stepsecurity.io";
const web_url = STEPSECURITY_WEB_URL;
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!fs.existsSync(log)) {
@ -71395,7 +71401,7 @@ function verifyChecksum(downloadPath, is_tls) {
let expectedChecksum = "ceb925c78e5c79af4f344f08f59bbdcf3376d20d15930a315f9b24b6c4d0328a"; // checksum for v0.13.5
if (is_tls) {
expectedChecksum =
"204c82116e8c0eebf5409bb2b81aa5d96fe32f0c5abc1cb0364ee70937c32056"; // checksum for tls_agent
"e0cd0f0da1ac48df713acd8c4f0e591274de0f2c251b8526cf956c654f024ec2"; // checksum for tls_agent
}
if (checksum !== expectedChecksum) {
lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
@ -71457,11 +71463,6 @@ function isValidEvent() {
return RefKey in process.env && Boolean(process.env[RefKey]);
}
;// CONCATENATED MODULE: ./src/configs.ts
const STEPSECURITY_ENV = "agent"; // agent or int
const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
;// CONCATENATED MODULE: ./src/policy-utils.ts
var policy_utils_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -71666,7 +71667,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
}
var correlation_id = v4();
var api_url = STEPSECURITY_API_URL;
var web_url = STEPSECURITY_WEB_URL;
var web_url = configs_STEPSECURITY_WEB_URL;
let confg = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
@ -71680,6 +71681,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
disable_file_monitoring: lib_core.getBooleanInput("disable-file-monitoring"),
private: ((_b = (_a = github.context === null || github.context === void 0 ? void 0 : github.context.payload) === null || _a === void 0 ? void 0 : _a.repository) === null || _b === void 0 ? void 0 : _b.private) || false,
is_github_hosted: isGithubHosted(),
is_debug: lib_core.isDebug(),
};
let policyName = lib_core.getInput("policy");
if (policyName !== "") {
@ -71774,16 +71776,29 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
let _http = new lib.HttpClient();
let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 };
let addSummary = "false";
try {
const resp = yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
statusCode = resp.message.statusCode; // adding error code to check whether agent is getting installed or not.
const monitorRequestData = {
correlation_id: correlation_id,
job: process.env["GITHUB_JOB"],
};
const resp = yield _http.postJson(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`, monitorRequestData);
const responseData = resp.result;
statusCode = resp.statusCode; // adding error code to check whether agent is getting installed or not.
external_fs_.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${statusCode}${external_os_.EOL}`, {
encoding: "utf8",
});
if (statusCode === 200 && responseData) {
console.log(`Runner IP Address: ${responseData.runner_ip_address}`);
addSummary = responseData.monitoring_started ? "true" : "false";
}
}
catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
external_fs_.appendFileSync(process.env.GITHUB_STATE, `addSummary=${addSummary}${external_os_.EOL}`, {
encoding: "utf8",
});
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (String(statusCode) === STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
@ -71797,7 +71812,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
let auth = `token ${token}`;
let downloadPath;
if (yield isTLSEnabled(github.context.repo.owner)) {
downloadPath = yield tool_cache.downloadTool("https://packages.stepsecurity.io/github-hosted/harden-runner_1.1.0_linux_amd64.tar.gz");
downloadPath = yield tool_cache.downloadTool("https://packages.stepsecurity.io/github-hosted/harden-runner_1.1.3_linux_amd64.tar.gz");
verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
}
else {

File diff suppressed because one or more lines are too long

BIN
images/network-events1.png Normal file



@ -14,7 +14,7 @@ export function verifyChecksum(downloadPath: string, is_tls: boolean) {
if (is_tls) {
expectedChecksum =
"204c82116e8c0eebf5409bb2b81aa5d96fe32f0c5abc1cb0364ee70937c32056"; // checksum for tls_agent
"e0cd0f0da1ac48df713acd8c4f0e591274de0f2c251b8526cf956c654f024ec2"; // checksum for tls_agent
}
if (checksum !== expectedChecksum) {
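Review bot: the new tls_agent checksum comment should say which version it pins, as the non-TLS line does ("checksum for v0.13.5"); this commit bumps the TLS agent download to harden-runner_1.1.3_linux_amd64.tar.gz in setup.ts, so "// checksum for tls_agent v1.1.3" would let a reader verify the pair without cross-referencing files.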


@ -62,6 +62,13 @@ import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
console.log(content);
}
const daemonLog = "/home/agent/daemon.log";
if (fs.existsSync(daemonLog)) {
console.log("daemonLog:");
var content = fs.readFileSync(daemonLog, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (fs.existsSync(status)) {
console.log("status:");
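Review bot: `var content = fs.readFileSync(daemonLog, "utf-8")` redeclares the `content` variable already used for agent.log just above; make it `const content` scoped to the if block. Also consider printing the full daemon log only when debug logging is enabled (this commit adds `is_debug: core.isDebug()` to the configuration), since dumping it unconditionally adds noise to every job log.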


@ -1,5 +1,6 @@
import * as core from "@actions/core";
import * as fs from "fs";
import { STEPSECURITY_WEB_URL } from "./configs";
export function printInfo(web_url) {
console.log(
@ -47,11 +48,11 @@ export const processLogLine = (
};
export async function addSummary() {
if (process.env.STATE_monitorStatusCode !== "200") {
if (process.env.STATE_addSummary !== "true") {
return;
}
const web_url = "https://app.stepsecurity.io";
const web_url = STEPSECURITY_WEB_URL;
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
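Review bot: switching the gate to `process.env.STATE_addSummary !== "true"` means `STATE_monitorStatusCode` is no longer read in addSummary; setup.ts still appends `monitorStatusCode` to GITHUB_STATE, so either drop that write if nothing else consumes it or note which step does. A short comment here that `addSummary` is "false" whenever the monitor request failed would also make clear that the summary is silently skipped in that case rather than reported.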
@ -172,4 +173,4 @@ export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
"Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
export const ARC_RUNNER_MESSAGE =
"Workflow is currently being executed in ARC based runner";
"Workflow is currently being executed in ARC based runner";


@ -1,6 +1,7 @@
import * as common from "./common";
import * as core from "@actions/core";
import isDocker from "is-docker";
import { STEPSECURITY_WEB_URL } from "./configs";
(async () => {
if (process.platform !== "linux") {
@ -28,7 +29,7 @@ import isDocker from "is-docker";
"Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true"
);
} else {
var web_url = "https://app.stepsecurity.io";
var web_url = STEPSECURITY_WEB_URL;
common.printInfo(web_url);
}
})();


@ -11,6 +11,7 @@ export interface Configuration {
disable_file_monitoring: boolean;
is_github_hosted: boolean;
private: string;
is_debug: boolean;
}
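Review bot: `private` is declared as `string` here while setup.ts populates it with `context?.payload?.repository?.private || false`, a boolean (the test fixtures use the string "true"); since this interface is being touched to add `is_debug: boolean`, fix the type of `private` to `boolean` at the same time.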
export interface PolicyResponse {


@ -39,6 +39,7 @@ test("merge configs", async () => {
disable_file_monitoring: false,
private: "true",
is_github_hosted: true,
is_debug: false,
};
let policyResponse: PolicyResponse = {
owner: "h0x0er",
@ -63,6 +64,7 @@ test("merge configs", async () => {
disable_file_monitoring: false,
private: "true",
is_github_hosted: true,
is_debug: false,
};
localConfig = mergeConfigs(localConfig, policyResponse);


@ -26,6 +26,11 @@ import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
interface MonitorResponse {
runner_ip_address?: string;
monitoring_started?: boolean;
}
(async () => {
try {
if (process.platform !== "linux") {
@ -54,6 +59,7 @@ import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
private: context?.payload?.repository?.private || false,
is_github_hosted: isGithubHosted(),
is_debug: core.isDebug(),
};
let policyName = core.getInput("policy");
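Review bot: `is_debug: core.isDebug()` is sent to the API as part of the job configuration, but nothing in the diff documents what the server does with it; a one-line comment on the field (here or on the interface) stating its purpose would help the next reader.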
@ -171,11 +177,19 @@ import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
let _http = new httpm.HttpClient();
let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 };
let addSummary = "false";
try {
const resp: httpm.HttpClientResponse = await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
const monitorRequestData = {
correlation_id: correlation_id,
job: process.env["GITHUB_JOB"],
};
const resp = await _http.postJson<MonitorResponse>(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`,
monitorRequestData
);
statusCode = resp.message.statusCode; // adding error code to check whether agent is getting installed or not.
const responseData = resp.result;
statusCode = resp.statusCode; // adding error code to check whether agent is getting installed or not.
fs.appendFileSync(
process.env.GITHUB_STATE,
`monitorStatusCode=${statusCode}${EOL}`,
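Review bot: `_http.postJson` differs from the previous `_http.get` in error handling: @actions/http-client resolves postJson for 2xx and 404 but rejects with an HttpClientError for other non-2xx statuses. In those cases control goes to the catch block and `statusCode` stays undefined, so the `String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE` check below can no longer match unless that constant is "404", and GITHUB_STATE gets no monitorStatusCode entry. Either catch HttpClientError and read `e.statusCode`, or handle the unavailable case inside the catch. The trailing comment "adding error code to check whether agent is getting installed or not." is also stale and can go.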
@ -183,9 +197,21 @@ import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
encoding: "utf8",
}
);
if (statusCode === 200 && responseData) {
console.log(`Runner IP Address: ${responseData.runner_ip_address}`);
addSummary = responseData.monitoring_started ? "true" : "false";
}
} catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
fs.appendFileSync(
process.env.GITHUB_STATE,
`addSummary=${addSummary}${EOL}`,
{
encoding: "utf8",
}
);
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) {
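Review bot: `runner_ip_address` is optional in MonitorResponse, so `console.log(`Runner IP Address: ${responseData.runner_ip_address}`)` prints "undefined" when the field is absent; guard it. Writing `addSummary` to GITHUB_STATE outside the try block is the right call, since the post step must see a value even when the request throws.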
@ -205,7 +231,7 @@ import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
if (await isTLSEnabled(context.repo.owner)) {
downloadPath = await tc.downloadTool(
"https://packages.stepsecurity.io/github-hosted/harden-runner_1.1.0_linux_amd64.tar.gz"
"https://packages.stepsecurity.io/github-hosted/harden-runner_1.1.3_linux_amd64.tar.gz"
);
verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
} else {
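Review bot: the TLS agent tarball version moves to 1.1.3 here while its expected checksum is updated separately in verify-checksum; keeping the version string and its checksum together as one constant pair would prevent a future bump from updating one without the other, and lets the checksum comment name the version it pins.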