Merge pull request #49 from step-security/v1branch
Merge current release branch into main
This commit is contained in:
commit
ca228fc2f6
8 changed files with 1755 additions and 27 deletions
|
|
@ -2,9 +2,13 @@ name: 'Harden Runner'
|
|||
description: 'GitHub Actions Runtime Security'
|
||||
inputs:
|
||||
allowed-endpoints:
|
||||
description: 'Allowed endpoints'
|
||||
description: 'Only these endpoints will be allowed if egress-policy is set to block'
|
||||
required: false
|
||||
default: ''
|
||||
egress-policy:
|
||||
description: 'Policy for outbound traffic, can be either audit or block'
|
||||
required: false
|
||||
default: 'block'
|
||||
branding:
|
||||
icon: 'check-square'
|
||||
color: 'green'
|
||||
|
|
@ -12,4 +16,4 @@ runs:
|
|||
using: 'node12'
|
||||
pre: 'dist/pre/index.js'
|
||||
main: 'dist/index.js'
|
||||
post: 'dist/post/index.js'
|
||||
post: 'dist/post/index.js'
|
||||
1712
dist/post/index.js
vendored
1712
dist/post/index.js
vendored
File diff suppressed because it is too large
2
dist/post/index.js.map
vendored
2
dist/post/index.js.map
vendored
File diff suppressed because one or more lines are too long
17
dist/pre/index.js
vendored
17
dist/pre/index.js
vendored
|
|
@ -6290,7 +6290,13 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
|
|||
var api_url = `https://${env}.api.stepsecurity.io/v1`;
|
||||
var web_url = "https://app.stepsecurity.io";
|
||||
let _http = new http_client.HttpClient();
|
||||
yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
|
||||
_http.requestOptions = { socketTimeout: 3 * 1000 };
|
||||
try {
|
||||
yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
|
||||
}
|
||||
catch (e) {
|
||||
console.log(`error in connecting to ${api_url}: ${e}`);
|
||||
}
|
||||
const confg = {
|
||||
repo: process.env["GITHUB_REPOSITORY"],
|
||||
run_id: process.env["GITHUB_RUN_ID"],
|
||||
|
|
@ -6298,11 +6304,18 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
|
|||
working_directory: process.env["GITHUB_WORKSPACE"],
|
||||
api_url: api_url,
|
||||
allowed_endpoints: core.getInput("allowed-endpoints"),
|
||||
egress_policy: core.getInput("egress-policy"),
|
||||
};
|
||||
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
|
||||
core.setFailed("egress-policy must be either audit or block");
|
||||
}
|
||||
if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
|
||||
core.warning("egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps.");
|
||||
}
|
||||
const confgStr = JSON.stringify(confg);
|
||||
external_child_process_.execSync("sudo mkdir -p /home/agent");
|
||||
external_child_process_.execSync("sudo chown -R $USER /home/agent");
|
||||
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.3.0/agent_0.3.0_linux_amd64.tar.gz");
|
||||
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.7.2/agent_0.7.2_linux_amd64.tar.gz");
|
||||
const extractPath = yield tool_cache.extractTar(downloadPath);
|
||||
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
|
||||
printInfo(web_url);
|
||||
|
|
|
|||
2
dist/pre/index.js.map
vendored
2
dist/pre/index.js.map
vendored
File diff suppressed because one or more lines are too long
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "step-security-harden-runner",
|
||||
"version": "0.4.0",
|
||||
"version": "1.1.0",
|
||||
"description": "GitHub Actions Runtime Security",
|
||||
"main": "index.js",
|
||||
"scripts": {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
import * as fs from "fs";
|
||||
import * as cp from "child_process";
|
||||
import * as core from "@actions/core";
|
||||
|
||||
(async () => {
|
||||
if (process.platform !== "linux") {
|
||||
|
|
@ -30,9 +31,12 @@ import * as cp from "child_process";
|
|||
}
|
||||
|
||||
var log = "/home/agent/agent.log";
|
||||
console.log("log:");
|
||||
var content = fs.readFileSync(log, "utf-8");
|
||||
console.log(content);
|
||||
if (fs.existsSync(log)) {
|
||||
console.log("log:");
|
||||
var content = fs.readFileSync(log, "utf-8");
|
||||
console.log(content);
|
||||
}
|
||||
|
||||
var status = "/home/agent/agent.status";
|
||||
if (fs.existsSync(status)) {
|
||||
console.log("status:");
|
||||
|
|
@ -40,6 +44,15 @@ import * as cp from "child_process";
|
|||
console.log(content);
|
||||
}
|
||||
|
||||
// write annotations
|
||||
var annotationsFile = "/home/agent/annotation.log";
|
||||
if (fs.existsSync(annotationsFile)) {
|
||||
var content = fs.readFileSync(annotationsFile, "utf-8");
|
||||
content.split(/\r?\n/).forEach((line) => {
|
||||
core.error(line);
|
||||
});
|
||||
}
|
||||
|
||||
if (!fs.existsSync(doneFile)) {
|
||||
var journalLog = cp.execSync("sudo journalctl -u agent.service", {
|
||||
encoding: "utf8",
|
||||
|
|
|
|||
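Review bot: `content.split(/\r?\n/).forEach((line) => { core.error(line); })` in the last hunk of this section turns the trailing newline that most log writers leave at the end of annotation.log into an empty `core.error("")` annotation; filter blank lines before emitting, `content.split(/\r?\n/).filter((line) => line.trim() !== "").forEach((line) => core.error(line));`. The same hunk redeclares `var content`, which the previous hunk already declared for the agent.log branch, so the code relies on `var` hoisting to compile; a `const content` scoped to each `if` block would make the intent explicit. Since setup chowns /home/agent to `$USER`, the annotation file is writable by any job step, so its lines are best treated as untrusted text when surfaced (the workflow-command encoding in core.error appears to escape newlines and percent signs, but the message body is whatever the file holds). The enclosing async function starts before this hunk.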
24
src/setup.ts
24
src/setup.ts
|
|
@ -20,9 +20,14 @@ import * as tc from "@actions/tool-cache";
|
|||
var web_url = "https://app.stepsecurity.io";
|
||||
|
||||
let _http = new httpm.HttpClient();
|
||||
await _http.get(
|
||||
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
|
||||
);
|
||||
_http.requestOptions = { socketTimeout: 3 * 1000 };
|
||||
try {
|
||||
await _http.get(
|
||||
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
|
||||
);
|
||||
} catch (e) {
|
||||
console.log(`error in connecting to ${api_url}: ${e}`);
|
||||
}
|
||||
|
||||
const confg = {
|
||||
repo: process.env["GITHUB_REPOSITORY"],
|
||||
|
|
@ -31,14 +36,25 @@ import * as tc from "@actions/tool-cache";
|
|||
working_directory: process.env["GITHUB_WORKSPACE"],
|
||||
api_url: api_url,
|
||||
allowed_endpoints: core.getInput("allowed-endpoints"),
|
||||
egress_policy: core.getInput("egress-policy"),
|
||||
};
|
||||
|
||||
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
|
||||
core.setFailed("egress-policy must be either audit or block");
|
||||
}
|
||||
|
||||
if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
|
||||
core.warning(
|
||||
"egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps."
|
||||
);
|
||||
}
|
||||
|
||||
const confgStr = JSON.stringify(confg);
|
||||
cp.execSync("sudo mkdir -p /home/agent");
|
||||
cp.execSync("sudo chown -R $USER /home/agent");
|
||||
|
||||
const downloadPath: string = await tc.downloadTool(
|
||||
"https://github.com/step-security/agent/releases/download/v0.3.0/agent_0.3.0_linux_amd64.tar.gz"
|
||||
"https://github.com/step-security/agent/releases/download/v0.7.2/agent_0.7.2_linux_amd64.tar.gz"
|
||||
);
|
||||
const extractPath = await tc.extractTar(downloadPath);
|
||||
|
||||
|
|
|
|||
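Review bot: `core.setFailed("egress-policy must be either audit or block")` on the new side of the second hunk only records the failure exit code; execution continues into the `mkdir`/`chown` calls and the `tc.downloadTool` fetch that follow, so an invalid policy value still gets the agent downloaded and extracted, and presumably started by the code after the hunk. Add `return;` immediately after the `setFailed` call (the enclosing function begins before the hunk; if it is the async function body the rest of the file uses, a bare `return;` is enough), and the compiled copy of this logic in dist/pre/index.js has the same gap. Separately, the tarball downloaded from the bumped v0.7.2 release URL is passed straight to `tc.extractTar` with no integrity check; pinning the release artifact's SHA-256 next to the version string and comparing it with node's `crypto` module before extraction would make the install fail closed if the artifact ever changes, with the expected digest taken from the release's published checksum rather than hard-coded from memory.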