step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-05 21:17:06 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fixed verifyChecksum logic and updated macos checksum

Browse source
This commit is contained in:
Jatin 2026-02-03 16:06:10 +05:30
commit e823d39c9a
No known key found for this signature in database
GPG key ID: 0C17698EE30CA603
4 changed files with 34 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

22
dist/pre/index.js vendored
View file

@ -88035,11 +88035,12 @@ const CHECKSUMS = {
non_tls: {
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
},
darwin: "caaacc24bbf6a39ba7560e5e4701353c537883cb3ab9553359bd5caf5097246f",
darwin: "eefb162810c378653c16e122e024314a2e47592dc98b295433b26ad1a4f28590",
windows: {
amd64: "9e4fde66331be3261ae6ff954e531e94335b5774ac7e105f0126b391ee1c6d66", // v1.0.0-int
},
};
// verifyChecksum returns true if checksum is valid
function verifyChecksum(downloadPath, isTLS, variant, platform) {
const fileBuffer = external_fs_.readFileSync(downloadPath);
const checksum = external_crypto_.createHash("sha256")
@ -88059,13 +88060,15 @@ function verifyChecksum(downloadPath, isTLS, variant, platform) {
expectedChecksum = CHECKSUMS["windows"][variant];
break;
default:
throw new Error(`Unsupported platform: ${platform}`);
console.log(`Unsupported platform: ${platform}`);
return false;
}
if (checksum !== expectedChecksum) {
lib_core.setFailed(`❌ Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
return;
return false;
}
lib_core.info(`✅ Checksum verification passed. checksum=${checksum}`);
return true;
}
;// CONCATENATED MODULE: ./src/install-agent.ts
@ -88107,7 +88110,9 @@ function installAgent(isTLS, configStr) {
}
downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.2/agent_0.14.2_linux_amd64.tar.gz", undefined, auth);
}
verifyChecksum(downloadPath, isTLS, variant, "linux");
if (!verifyChecksum(downloadPath, isTLS, variant, "linux")) {
return false;
}
const extractPath = yield tool_cache.extractTar(downloadPath);
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args);
@ -88146,7 +88151,9 @@ function installMacosAgent(configStr) {
lib_core.info(`✓ Successfully downloaded installer to: ${downloadPath}`);
// Verify SHA256 checksum
lib_core.info("Verifying SHA256 checksum of downloaded tar file...");
verifyChecksum(downloadPath, false, "", "darwin");
if (!verifyChecksum(downloadPath, false, "", "darwin")) {
return false;
}
// Extract installer package
lib_core.info("Extracting installer...");
const extractPath = yield tool_cache.extractTar(downloadPath);
@ -88204,7 +88211,10 @@ function installWindowsAgent(configStr) {
});
const agentExePath = external_path_.join(agentDir, "agent.exe");
const downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-releases/releases/download/v1.0.0-int/harden-runner-agent-windows_int_windows_amd64.tar.gz`, undefined, auth);
verifyChecksum(downloadPath, false, variant, process.platform);
// validate the checksum
if (!verifyChecksum(downloadPath, false, variant, process.platform)) {
return false;
}
const extractPath = yield tool_cache.extractTar(downloadPath);
const extractedAgentPath = external_path_.join(extractPath, "agent.exe");
external_fs_.copyFileSync(extractedAgentPath, agentExePath);

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

9
src/checksum.ts
View file

@ -10,12 +10,13 @@ const CHECKSUMS = {
non_tls: {
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
},
darwin: "caaacc24bbf6a39ba7560e5e4701353c537883cb3ab9553359bd5caf5097246f", // v0.0.1
darwin: "eefb162810c378653c16e122e024314a2e47592dc98b295433b26ad1a4f28590", // v0.0.2
windows: {
amd64: "9e4fde66331be3261ae6ff954e531e94335b5774ac7e105f0126b391ee1c6d66", // v1.0.0-int
},
};
// verifyChecksum returns true if checksum is valid
export function verifyChecksum(
downloadPath: string,
isTLS: boolean,
@ -43,15 +44,17 @@ export function verifyChecksum(
expectedChecksum = CHECKSUMS["windows"][variant];
break;
default:
throw new Error(`Unsupported platform: ${platform}`);
console.log(`Unsupported platform: ${platform}`);
return false;
}
if (checksum !== expectedChecksum) {
core.setFailed(
`❌ Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
);
return;
return false;
}
core.info(`✅ Checksum verification passed. checksum=${checksum}`);
return true;
}

14
src/install-agent.ts
View file

@ -42,7 +42,9 @@ export async function installAgent(
);
}
verifyChecksum(downloadPath, isTLS, variant, "linux");
if (!verifyChecksum(downloadPath, isTLS, variant, "linux")) {
return false;
}
const extractPath = await tc.extractTar(downloadPath);
@ -94,7 +96,9 @@ export async function installMacosAgent(configStr: string): Promise<boolean> {
// Verify SHA256 checksum
core.info("Verifying SHA256 checksum of downloaded tar file...");
verifyChecksum(downloadPath, false, "", "darwin");
if (!verifyChecksum(downloadPath, false, "", "darwin")) {
return false;
}
// Extract installer package
core.info("Extracting installer...");
@ -171,7 +175,11 @@ export async function installWindowsAgent(configStr: string): Promise<boolean> {
undefined,
auth
);
verifyChecksum(downloadPath, false, variant, process.platform);
// validate the checksum
if (!verifyChecksum(downloadPath, false, variant, process.platform)) {
return false;
}
const extractPath = await tc.extractTar(downloadPath);