step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 14:28:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'main' into dependabot/github_actions/actions/upload-artifact-4.4.0

Browse source
This commit is contained in:
Varun Sharma 2024-09-10 15:59:46 -07:00 committed by GitHub
commit accfb74a43
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 251 additions and 144 deletions
Download patch file Download diff file Expand all files Collapse all files

6
dist/index.js vendored
View file

@ -2978,7 +2978,8 @@ const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner doe
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const SELF_HOSTED_NO_AGENT_MESSAGE = "This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
@ -3042,6 +3043,9 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
if (lib_core.getBooleanInput("disable-telemetry") &&
lib_core.getInput("egress-policy") === "block") {
console.log("Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true");

2
dist/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

6
dist/post/index.js vendored
View file

@ -2977,7 +2977,8 @@ const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner doe
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const SELF_HOSTED_NO_AGENT_MESSAGE = "This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
@ -3094,6 +3095,9 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
if (process.env.STATE_selfHosted === "true") {
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
if (String(process.env.STATE_monitorStatusCode) ===
STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

188
dist/pre/index.js vendored
View file

@ -71388,31 +71388,8 @@ const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner doe
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const SELF_HOSTED_NO_AGENT_MESSAGE = "This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
// EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js
var tool_cache = __nccwpck_require__(7784);
// EXTERNAL MODULE: external "crypto"
var external_crypto_ = __nccwpck_require__(6417);
;// CONCATENATED MODULE: ./src/checksum.ts
function verifyChecksum(downloadPath, is_tls) {
const fileBuffer = external_fs_.readFileSync(downloadPath);
const checksum = external_crypto_.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
let expectedChecksum = "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a"; // checksum for v0.13.7
if (is_tls) {
expectedChecksum =
"fa9defcf9e125a62cb29747574d6a07aee4f04153e7bce4a3c7ce29681469e92"; // checksum for tls_agent
}
if (checksum !== expectedChecksum) {
lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
}
lib_core.debug("Checksum verification passed.");
}
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
@ -71629,6 +71606,98 @@ function isGithubHosted() {
return runnerEnvironment === "github-hosted";
}
// EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js
var tool_cache = __nccwpck_require__(7784);
// EXTERNAL MODULE: external "crypto"
var external_crypto_ = __nccwpck_require__(6417);
;// CONCATENATED MODULE: ./src/checksum.ts
const CHECKSUMS = {
tls: {
amd64: "0bd500769646f0a90c0dfe9ac59699d5165bed549a9870c031b861146af337b2",
arm64: "c2448ac205fd90f46abba31c13cf34c3b997824881502f736315fb08ac0a5a5c",
},
non_tls: {
amd64: "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a", // v0.13.7
},
};
function verifyChecksum(downloadPath, isTLS, variant) {
const fileBuffer = external_fs_.readFileSync(downloadPath);
const checksum = external_crypto_.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
let expectedChecksum = "";
if (isTLS) {
expectedChecksum = CHECKSUMS["tls"][variant];
}
else {
expectedChecksum = CHECKSUMS["non_tls"][variant];
}
if (checksum !== expectedChecksum) {
lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
}
lib_core.debug("Checksum verification passed.");
}
;// CONCATENATED MODULE: ./src/install-agent.ts
var install_agent_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
function installAgent(isTLS, configStr) {
return install_agent_awaiter(this, void 0, void 0, function* () {
// Note: to avoid github rate limiting
const token = lib_core.getInput("token", { required: true });
const auth = `token ${token}`;
const variant = process.arch === "x64" ? "amd64" : "arm64";
let downloadPath;
external_fs_.appendFileSync(process.env.GITHUB_STATE, `isTLS=${isTLS}${external_os_.EOL}`, {
encoding: "utf8",
});
if (isTLS) {
downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.3.2_linux_${variant}.tar.gz`);
}
else {
if (variant === "arm64") {
console.log(ARM64_RUNNER_MESSAGE);
return false;
}
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.7/agent_0.13.7_linux_amd64.tar.gz", undefined, auth);
}
verifyChecksum(downloadPath, isTLS, variant);
const extractPath = yield tool_cache.extractTar(downloadPath);
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args);
external_child_process_.execSync("chmod +x /home/agent/agent");
external_fs_.writeFileSync("/home/agent/agent.json", configStr);
cmd = "sudo";
args = [
"cp",
external_path_.join(__dirname, "agent.service"),
"/etc/systemd/system/agent.service",
];
external_child_process_.execFileSync(cmd, args);
external_child_process_.execSync("sudo systemctl daemon-reload");
external_child_process_.execSync("sudo service agent start", { timeout: 15000 });
return true;
});
}
;// CONCATENATED MODULE: ./src/setup.ts
var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -71658,7 +71727,6 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
(() => setup_awaiter(void 0, void 0, void 0, function* () {
var _a, _b;
try {
@ -71815,54 +71883,32 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
const confgStr = JSON.stringify(confg);
external_child_process_.execSync("sudo mkdir -p /home/agent");
external_child_process_.execSync("sudo chown -R $USER /home/agent");
// Note: to avoid github rate limiting
let token = lib_core.getInput("token");
let auth = `token ${token}`;
let downloadPath;
if (yield isTLSEnabled(github.context.repo.owner)) {
downloadPath = yield tool_cache.downloadTool("https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.3_linux_amd64.tar.gz");
verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
}
else {
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.7/agent_0.13.7_linux_amd64.tar.gz", undefined, auth);
verifyChecksum(downloadPath, false); // NOTE: verifying agent's checksum, before extracting
}
const extractPath = yield tool_cache.extractTar(downloadPath);
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args);
external_child_process_.execSync("chmod +x /home/agent/agent");
external_fs_.writeFileSync("/home/agent/agent.json", confgStr);
cmd = "sudo";
args = [
"cp",
external_path_.join(__dirname, "agent.service"),
"/etc/systemd/system/agent.service",
];
external_child_process_.execFileSync(cmd, args);
external_child_process_.execSync("sudo systemctl daemon-reload");
external_child_process_.execSync("sudo service agent start", { timeout: 15000 });
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!external_fs_.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (external_fs_.existsSync(logFile)) {
var content = external_fs_.readFileSync(logFile, "utf-8");
console.log(content);
let isTLS = yield isTLSEnabled(github.context.repo.owner);
const agentInstalled = yield installAgent(isTLS, confgStr);
if (agentInstalled) {
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!external_fs_.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (external_fs_.existsSync(logFile)) {
var content = external_fs_.readFileSync(logFile, "utf-8");
console.log(content);
}
break;
}
yield setup_sleep(300);
} // The file *does* exist
else {
// Read the file
var content = external_fs_.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
yield setup_sleep(300);
} // The file *does* exist
else {
// Read the file
var content = external_fs_.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
}
}

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

26
src/checksum.ts
View file

@ -2,19 +2,33 @@ import * as core from "@actions/core";
import * as crypto from "crypto";
import * as fs from "fs";
export function verifyChecksum(downloadPath: string, is_tls: boolean) {
const CHECKSUMS = {
tls: {
amd64: "0bd500769646f0a90c0dfe9ac59699d5165bed549a9870c031b861146af337b2", // v1.3.2
arm64: "c2448ac205fd90f46abba31c13cf34c3b997824881502f736315fb08ac0a5a5c",
},
non_tls: {
amd64: "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a", // v0.13.7
},
};
export function verifyChecksum(
downloadPath: string,
isTLS: boolean,
variant: string
) {
const fileBuffer: Buffer = fs.readFileSync(downloadPath);
const checksum: string = crypto
.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
let expectedChecksum: string =
"a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a"; // checksum for v0.13.7
let expectedChecksum: string = "";
if (is_tls) {
expectedChecksum =
"fa9defcf9e125a62cb29747574d6a07aee4f04153e7bce4a3c7ce29681469e92"; // checksum for tls_agent
if (isTLS) {
expectedChecksum = CHECKSUMS["tls"][variant];
} else {
expectedChecksum = CHECKSUMS["non_tls"][variant];
}
if (checksum !== expectedChecksum) {

4
src/cleanup.ts
View file

@ -27,6 +27,10 @@ import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
if (
String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE

5
src/common.ts
View file

@ -180,4 +180,7 @@ export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
"Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
export const ARC_RUNNER_MESSAGE =
"Workflow is currently being executed in ARC based runner";
"Workflow is currently being executed in ARC based runner.";
export const ARM64_RUNNER_MESSAGE =
"ARM runners are not supported in the Harden-Runner community tier.";

4
src/index.ts
View file

@ -23,6 +23,10 @@ import { STEPSECURITY_WEB_URL } from "./configs";
return;
}
if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
return;
}
if (
core.getBooleanInput("disable-telemetry") &&
core.getInput("egress-policy") === "block"

65
src/install-agent.ts Normal file
View file

@ -0,0 +1,65 @@
import * as tc from "@actions/tool-cache";
import * as core from "@actions/core";
import * as cp from "child_process";
import * as path from "path";
import * as fs from "fs";
import { verifyChecksum } from "./checksum";
import { EOL } from "os";
import { ARM64_RUNNER_MESSAGE } from "./common";
export async function installAgent(
isTLS: boolean,
configStr: string
): Promise<boolean> {
// Note: to avoid github rate limiting
const token = core.getInput("token", { required: true });
const auth = `token ${token}`;
const variant = process.arch === "x64" ? "amd64" : "arm64";
let downloadPath: string;
fs.appendFileSync(process.env.GITHUB_STATE, `isTLS=${isTLS}${EOL}`, {
encoding: "utf8",
});
if (isTLS) {
downloadPath = await tc.downloadTool(
`https://packages.stepsecurity.io/github-hosted/harden-runner_1.3.2_linux_${variant}.tar.gz`
);
} else {
if (variant === "arm64") {
console.log(ARM64_RUNNER_MESSAGE);
return false;
}
downloadPath = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.13.7/agent_0.13.7_linux_amd64.tar.gz",
undefined,
auth
);
}
verifyChecksum(downloadPath, isTLS, variant);
const extractPath = await tc.extractTar(downloadPath);
let cmd = "cp",
args = [path.join(extractPath, "agent"), "/home/agent/agent"];
cp.execFileSync(cmd, args);
cp.execSync("chmod +x /home/agent/agent");
fs.writeFileSync("/home/agent/agent.json", configStr);
cmd = "sudo";
args = [
"cp",
path.join(__dirname, "agent.service"),
"/etc/systemd/system/agent.service",
];
cp.execFileSync(cmd, args);
cp.execSync("sudo systemctl daemon-reload");
cp.execSync("sudo service agent start", { timeout: 15000 });
return true;
}

85
src/setup.ts
View file

@ -5,8 +5,6 @@ import * as httpm from "@actions/http-client";
import * as path from "path";
import { v4 as uuidv4 } from "uuid";
import * as common from "./common";
import * as tc from "@actions/tool-cache";
import { verifyChecksum } from "./checksum";
import isDocker from "is-docker";
import { context } from "@actions/github";
import { EOL } from "os";
@ -25,6 +23,7 @@ import * as utils from "@actions/cache/lib/internal/cacheUtils";
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
import { installAgent } from "./install-agent";
interface MonitorResponse {
runner_ip_address?: string;
@ -228,70 +227,34 @@ interface MonitorResponse {
cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent");
// Note: to avoid github rate limiting
let token = core.getInput("token");
let auth = `token ${token}`;
let isTLS = await isTLSEnabled(context.repo.owner);
let downloadPath: string;
const agentInstalled = await installAgent(isTLS, confgStr);
if (await isTLSEnabled(context.repo.owner)) {
downloadPath = await tc.downloadTool(
"https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.3_linux_amd64.tar.gz"
);
verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
} else {
downloadPath = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.13.7/agent_0.13.7_linux_amd64.tar.gz",
undefined,
auth
);
verifyChecksum(downloadPath, false); // NOTE: verifying agent's checksum, before extracting
}
const extractPath = await tc.extractTar(downloadPath);
let cmd = "cp",
args = [path.join(extractPath, "agent"), "/home/agent/agent"];
cp.execFileSync(cmd, args);
cp.execSync("chmod +x /home/agent/agent");
fs.writeFileSync("/home/agent/agent.json", confgStr);
cmd = "sudo";
args = [
"cp",
path.join(__dirname, "agent.service"),
"/etc/systemd/system/agent.service",
];
cp.execFileSync(cmd, args);
cp.execSync("sudo systemctl daemon-reload");
cp.execSync("sudo service agent start", { timeout: 15000 });
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!fs.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (fs.existsSync(logFile)) {
var content = fs.readFileSync(logFile, "utf-8");
console.log(content);
if (agentInstalled) {
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!fs.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (fs.existsSync(logFile)) {
var content = fs.readFileSync(logFile, "utf-8");
console.log(content);
}
break;
}
await sleep(300);
} // The file *does* exist
else {
// Read the file
var content = fs.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
await sleep(300);
} // The file *does* exist
else {
// Read the file
var content = fs.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
}
} catch (error) {