Release v2.6.1 (#356)

dist/index.js

@@ -2913,8 +2913,8 @@ function addSummary() {
         if (tableEntries.length === 0) {
             return;
         }
-        const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
-        yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
+        const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
+        yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
         tableEntries.sort((a, b) => {
             if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
                 return -1;
@@ -2928,8 +2928,9 @@ function addSummary() {
         });
         tableEntries = tableEntries.slice(0, 3);
         yield core.summary.addRaw(`
-  <p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
-  <h3>🌐 Network Events</h3>
+  <blockquote>
+  <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
+  <h3>Network Calls</h3>
   <table>
     <thead>
       <tr>
@@ -2941,22 +2942,22 @@ function addSummary() {
     <tbody>
       ${tableEntries
             .map((entry) => `<tr>
-          <td>${entry.process}</td>
+          <td><code>${entry.process}</code></td>
           <td>${entry.domain.replace(/\.$/, "")}</td>
           <td>${entry.status}</td>
         </tr>`)
             .join("")}
       <tr>
-        <td>...</td>
-        <td>...</td>
-        <td>...</td>
+        <td><code>...</code></td>
+        <td><code>...</code></td>
+        <td><code>...</code></td>
       </tr>
     </tbody>
   </table>
   ${insightsRow}
 `);
         yield core.summary
-            .addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
+            .addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
             .addSeparator()
             .write();
     });

package.json

@@ -1,6 +1,6 @@
 {
   "name": "step-security-harden-runner",
-  "version": "2.5.1",
+  "version": "2.6.1",
   "description": "Security agent for GitHub-hosted runner: block egress traffic & detect code overwrite to prevent breaches",
   "main": "index.js",
   "scripts": {

src/arc-runner.ts

@@ -1,14 +1,24 @@
 import * as cp from "child_process";
+import * as fs from "fs";
 import { sleep } from "./setup";
 
 export function isArcRunner(): boolean {
   const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
 
+  let isARC = false;
+
   if (!runnerUserAgent) {
-    return false;
+    isARC = false;
+  } else {
+    isARC = runnerUserAgent.includes("actions-runner-controller/");
   }
 
-  return runnerUserAgent.includes("actions-runner-controller/");
+  return isARC || isSecondaryPod();
+}
+
+function isSecondaryPod(): boolean {
+  const workDir = "/__w";
+  return fs.existsSync(workDir);
 }
 
 function getRunnerTempDir(): string {

src/cleanup.ts

@@ -1,11 +1,7 @@
 import * as fs from "fs";
 import * as cp from "child_process";
-import * as core from "@actions/core";
 import * as common from "./common";
 import isDocker from "is-docker";
-import * as cache from "@actions/cache";
-import { cacheFile, cacheKey, isValidEvent } from "./cache";
-import path from "path";
 import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
 
 (async () => {
@@ -18,18 +14,6 @@ import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
     return;
   }
 
-  if (isValidEvent()) {
-    try {
-      const cacheResult = await cache.saveCache(
-        [path.join(__dirname, "cache.txt")],
-        cacheKey
-      );
-      console.log(cacheResult);
-    } catch (exception) {
-      console.log(exception);
-    }
-  }
-
   if (isArcRunner()) {
     console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
     arcCleanUp();
@@ -54,8 +38,8 @@ import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
     JSON.stringify({ event: "post" })
   );
 
-  var doneFile = "/home/agent/done.json";
-  var counter = 0;
+  const doneFile = "/home/agent/done.json";
+  let counter = 0;
   while (true) {
     if (!fs.existsSync(doneFile)) {
       counter++;
@@ -71,7 +55,7 @@ import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
     }
   }
 
-  var log = "/home/agent/agent.log";
+  const log = "/home/agent/agent.log";
   if (fs.existsSync(log)) {
     console.log("log:");
     var content = fs.readFileSync(log, "utf-8");

src/common.ts

@@ -101,9 +101,9 @@ export async function addSummary() {
     return;
   }
 
-  const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
+  const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
 
-  await core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
+  await core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
 
   tableEntries.sort((a, b) => {
     if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
@@ -118,8 +118,9 @@ export async function addSummary() {
   tableEntries = tableEntries.slice(0, 3);
 
   await core.summary.addRaw(`
-  <p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
-  <h3>🌐 Network Events</h3>
+  <blockquote>
+  <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
+  <h3>Network Calls</h3>
   <table>
     <thead>
       <tr>
@@ -132,16 +133,16 @@ export async function addSummary() {
       ${tableEntries
         .map(
           (entry) => `<tr>
-          <td>${entry.process}</td>
+          <td><code>${entry.process}</code></td>
           <td>${entry.domain.replace(/\.$/, "")}</td>
           <td>${entry.status}</td>
         </tr>`
         )
         .join("")}
       <tr>
-        <td>...</td>
-        <td>...</td>
-        <td>...</td>
+        <td><code>...</code></td>
+        <td><code>...</code></td>
+        <td><code>...</code></td>
       </tr>
     </tbody>
   </table>
@@ -150,7 +151,7 @@ export async function addSummary() {
 
   await core.summary
     .addRaw(
-      `<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`
+      `<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`
     )
     .addSeparator()
     .write();

src/setup.ts

@@ -19,7 +19,7 @@ import {
 } from "./cache";
 import { Configuration, PolicyResponse } from "./interfaces";
 import { fetchPolicy, mergeConfigs } from "./policy-utils";
-
+import * as cache from "@actions/cache";
 import { getCacheEntry } from "@actions/cache/lib/internal/cacheHttpClient";
 import * as utils from "@actions/cache/lib/internal/cacheUtils";
 import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
@@ -93,13 +93,20 @@ import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
       core.setFailed("disable-telemetry must be a boolean value");
     }
 
-    if (isValidEvent()) {
+    if (isValidEvent() && confg.egress_policy === "block") {
       try {
-        let compressionMethod: CompressionMethod =
+        const cacheResult = await cache.saveCache(
+          [path.join(__dirname, "cache.txt")],
+          cacheKey
+        );
+        console.log(cacheResult);
+      } catch (exception) {
+        console.log(exception);
+      }
+      try {
+        const compressionMethod: CompressionMethod =
           await utils.getCompressionMethod();
-
-        let cacheFilePath = path.join(__dirname, "cache.txt");
-        cacheFilePath = cacheFilePath.replace("/pre/", "/post/");
+        const cacheFilePath = path.join(__dirname, "cache.txt");
         core.info(`cacheFilePath ${cacheFilePath}`);
         const cacheEntry: ArtifactCacheEntry = await getCacheEntry(
           [cacheKey],