Update agent-ebpf to v1.8.0 with global block list support

dist/pre/index.js

@@ -85266,6 +85266,48 @@ function fetchPolicy(owner, policyName, idToken) {
         }
     });
 }
+function fetchPolicyFromStore(owner, repo, apiKey, workflow, runId, correlationId) {
+    return policy_utils_awaiter(this, void 0, void 0, function* () {
+        if (apiKey === "") {
+            throw new Error("[PolicyStoreFetch]: api-key is empty");
+        }
+        let policyEndpoint = `${configs_STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/policies/workflow-policy?workflow=${encodeURIComponent(workflow)}&run_id=${encodeURIComponent(runId)}&correlationId=${encodeURIComponent(correlationId)}`;
+        let httpClient = new lib.HttpClient();
+        let headers = {};
+        headers["Authorization"] = `vm-api-key ${apiKey}`;
+        headers["Source"] = "github-actions";
+        let response = undefined;
+        let err = undefined;
+        let retry = 0;
+        while (retry < 3) {
+            try {
+                console.log(`Attempt: ${retry + 1}`);
+                response = yield httpClient.getJson(policyEndpoint, headers);
+                break;
+            }
+            catch (e) {
+                err = e;
+            }
+            retry += 1;
+            yield sleep(1000);
+        }
+        if (response === undefined && err !== undefined) {
+            const error = new Error(`[Policy Store Fetch] ${err}`);
+            if (err.statusCode !== undefined) {
+                error.statusCode = err.statusCode;
+            }
+            throw error;
+        }
+        if (response.statusCode === 404) {
+            return null;
+        }
+        const result = response.result;
+        if (!result || (!result.egress_policy && (!result.allowed_endpoints || result.allowed_endpoints.length === 0))) {
+            return null;
+        }
+        return result;
+    });
+}
 function mergeConfigs(localConfig, remoteConfig) {
     if (localConfig.allowed_endpoints === "") {
         localConfig.allowed_endpoints = remoteConfig.allowed_endpoints.join(" ");
@@ -85397,8 +85439,8 @@ var external_crypto_ = __nccwpck_require__(6982);
 
 const CHECKSUMS = {
     tls: {
-        amd64: "d4b80f15758bb950787000e802cc58a565919a8cb9ecf405777b304ef42911fe",
-        arm64: "3c224ea1da1776d1ba9f70b8dd8f0d8432230a7c2d464bca84bbdee8b7d46f6c",
+        amd64: "86d042adcdc03eb1ea50d35d265da47622a6d0aedef9657f84ce1eb7f04d6057",
+        arm64: "ea1074a2358d50db9a9fe18ae3971b87305cda63f262c494a5f43b25f4e524ce",
     },
     non_tls: {
         amd64: "4aaaeebbe10e619d8ce13e8cc4a1acbafc8f891e8cdd319984480b9ec08407b8", // v0.15.0
@@ -85469,7 +85511,7 @@ function installAgent(isTLS, configStr) {
             encoding: "utf8",
         });
         if (isTLS) {
-            downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.7.15/harden-runner_1.7.15_linux_${variant}.tar.gz`, undefined, auth);
+            downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.0/harden-runner_1.8.0_linux_${variant}.tar.gz`, undefined, auth);
         }
         else {
             if (variant === "arm64") {
@@ -85628,6 +85670,17 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __rest = (undefined && undefined.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
 
 
 
@@ -85687,10 +85740,48 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
             is_github_hosted: isGithubHosted(),
             is_debug: lib_core.isDebug(),
             one_time_key: "",
+            api_key: lib_core.getInput("api-key"),
+            use_policy_store: lib_core.getBooleanInput("use-policy-store"),
             deploy_on_self_hosted_vm: lib_core.getBooleanInput("deploy-on-self-hosted-vm"),
         };
+        if (confg.api_key !== "") {
+            lib_core.setSecret(confg.api_key);
+        }
         let policyName = lib_core.getInput("policy");
-        if (policyName !== "") {
+        if (confg.use_policy_store) {
+            console.log(`Fetching policy from policy store`);
+            if (confg.api_key === "") {
+                lib_core.setFailed("api-key is required when use-policy-store is set to true");
+            }
+            else {
+                try {
+                    const repoName = (process.env["GITHUB_REPOSITORY"] || "").split("/")[1] || "";
+                    const workflowRef = process.env["GITHUB_WORKFLOW_REF"] || "";
+                    const workflow = workflowRef.replace(/.*\.github\/workflows\//, "").replace(/@.*/, "");
+                    let result = yield fetchPolicyFromStore(github.context.repo.owner, repoName, confg.api_key, workflow, confg.run_id, confg.correlation_id);
+                    if (result !== null) {
+                        lib_core.info(`Policy found: ${result.policy_name || "unnamed"}`);
+                        confg = mergeConfigs(confg, result);
+                    }
+                    else {
+                        lib_core.info("No policy found in policy store. Defaulting to audit mode.");
+                        confg.egress_policy = "audit";
+                    }
+                }
+                catch (err) {
+                    lib_core.info(`[!] ${err}`);
+                    if (err.statusCode >= 400 && err.statusCode < 500) {
+                        lib_core.info("Policy not found in policy store. Defaulting to audit mode.");
+                        confg.egress_policy = "audit";
+                    }
+                    else {
+                        lib_core.error(`Unexpected error fetching from policy store: ${err}. Falling back to audit mode.`);
+                        confg.egress_policy = "audit";
+                    }
+                }
+            }
+        }
+        else if (policyName !== "") {
             console.log(`Fetching policy from API with name: ${policyName}`);
             try {
                 let idToken = yield lib_core.getIDToken();
@@ -85880,7 +85971,8 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
             console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
             return;
         }
-        const configStr = JSON.stringify(confg);
+        const { api_key, use_policy_store } = confg, agentConfig = __rest(confg, ["api_key", "use_policy_store"]);
+        const configStr = JSON.stringify(agentConfig);
         // platform specific
         let statusFile = "";
         let logFile = "";

src/checksum.ts

@@ -4,8 +4,8 @@ import * as fs from "fs";
 
 const CHECKSUMS = {
   tls: {
-    amd64: "d4b80f15758bb950787000e802cc58a565919a8cb9ecf405777b304ef42911fe", // v1.7.15
-    arm64: "3c224ea1da1776d1ba9f70b8dd8f0d8432230a7c2d464bca84bbdee8b7d46f6c",
+    amd64: "86d042adcdc03eb1ea50d35d265da47622a6d0aedef9657f84ce1eb7f04d6057", // v1.8.0
+    arm64: "ea1074a2358d50db9a9fe18ae3971b87305cda63f262c494a5f43b25f4e524ce",
   },
   non_tls: {
     amd64: "4aaaeebbe10e619d8ce13e8cc4a1acbafc8f891e8cdd319984480b9ec08407b8", // v0.15.0

src/install-agent.ts

@@ -26,7 +26,7 @@ export async function installAgent(
 
   if (isTLS) {
     downloadPath = await tc.downloadTool(
-      `https://github.com/step-security/agent-ebpf/releases/download/v1.7.15/harden-runner_1.7.15_linux_${variant}.tar.gz`,
+      `https://github.com/step-security/agent-ebpf/releases/download/v1.8.0/harden-runner_1.8.0_linux_${variant}.tar.gz`,
       undefined,
       auth
     );