Merge pull request #565 from step-security/rc-24

Release v2.13.0
Varun Sharma 2025-07-15 12:29:13 -07:00 committed by GitHub
commit ec9f2d5744
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 123 additions and 256 deletions

dist/index.js vendored

@ -27615,7 +27615,7 @@ var external_fs_ = __nccwpck_require__(5747);
;// CONCATENATED MODULE: ./src/configs.ts
const STEPSECURITY_ENV = "agent"; // agent or int
const configs_STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
const configs_STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
;// CONCATENATED MODULE: ./src/common.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
@ -27658,14 +27658,13 @@ const processLogLine = (line, tableEntries) => {
}
};
function addSummary() {
var _a;
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_addSummary !== "true") {
return;
}
const web_url = STEPSECURITY_WEB_URL;
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!fs.existsSync(log)) {
const correlation_id = process.env.STATE_correlation_id;
if (!correlation_id) {
return;
}
let needsSubscription = false;
@ -27691,62 +27690,29 @@ function addSummary() {
.write();
return;
}
const content = fs.readFileSync(log, "utf-8");
const lines = content.split("\n");
let tableEntries = [];
for (const line of lines) {
processLogLine(line, tableEntries);
}
if (tableEntries.length === 0) {
// Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
const [owner, repo] = ((_a = process.env["GITHUB_REPOSITORY"]) === null || _a === void 0 ? void 0 : _a.split("/")) || [];
const run_id = process.env["GITHUB_RUN_ID"];
if (!owner || !repo || !run_id || !correlation_id) {
return;
}
const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
// Fetch job summary from API
const apiUrl = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
try {
const response = yield fetch(apiUrl);
if (!response.ok) {
console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
return;
}
else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
return 1;
}
else {
return 0;
}
});
tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(`
<blockquote>
<p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Calls</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
<tbody>
${tableEntries
.map((entry) => `<tr>
<td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td>
</tr>`)
.join("")}
<tr>
<td><code>...</code></td>
<td><code>...</code></td>
<td><code>...</code></td>
</tr>
</tbody>
</table>
${insightsRow}
`);
yield core.summary
.addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
.addSeparator()
.write();
const markdownSummary = yield response.text();
// Render the markdown summary using core.summary.addRaw
yield core.summary.addRaw(markdownSummary).write();
return;
}
catch (error) {
console.error(`Error fetching job summary: ${error}`);
return;
}
});
}
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
@ -27871,7 +27837,7 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu
console.log("Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true");
}
else {
var web_url = configs_STEPSECURITY_WEB_URL;
var web_url = STEPSECURITY_WEB_URL;
printInfo(web_url);
}
}))();

dist/index.js.map vendored


dist/post/index.js vendored

@ -27660,14 +27660,13 @@ const processLogLine = (line, tableEntries) => {
}
};
function addSummary() {
var _a;
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_addSummary !== "true") {
return;
}
const web_url = STEPSECURITY_WEB_URL;
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!external_fs_.existsSync(log)) {
const correlation_id = process.env.STATE_correlation_id;
if (!correlation_id) {
return;
}
let needsSubscription = false;
@ -27691,61 +27690,29 @@ function addSummary() {
.write();
return;
}
const content = external_fs_.readFileSync(log, "utf-8");
const lines = content.split("\n");
let tableEntries = [];
for (const line of lines) {
processLogLine(line, tableEntries);
}
if (tableEntries.length === 0) {
// Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
const [owner, repo] = ((_a = process.env["GITHUB_REPOSITORY"]) === null || _a === void 0 ? void 0 : _a.split("/")) || [];
const run_id = process.env["GITHUB_RUN_ID"];
if (!owner || !repo || !run_id || !correlation_id) {
return;
}
const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
yield lib_core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
// Fetch job summary from API
const apiUrl = `${configs_STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
try {
const response = yield fetch(apiUrl);
if (!response.ok) {
console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
return;
}
else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
return 1;
}
else {
return 0;
}
});
tableEntries = tableEntries.slice(0, 3);
yield lib_core.summary.addRaw(`
<blockquote>
<p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Calls</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
<tbody>
${tableEntries
.map((entry) => `<tr>
<td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td>
</tr>`)
.join("")}
<tr>
<td><code>...</code></td>
<td><code>...</code></td>
<td><code>...</code></td>
</tr>
</tbody>
</table>
${insightsRow}
`);
yield lib_core.summary.addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
.addSeparator()
.write();
const markdownSummary = yield response.text();
// Render the markdown summary using core.summary.addRaw
yield lib_core.summary.addRaw(markdownSummary).write();
return;
}
catch (error) {
console.error(`Error fetching job summary: ${error}`);
return;
}
});
}
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";


dist/pre/index.js vendored

@ -87641,8 +87641,8 @@ const parse = dist/* parse */.Qc;
;// CONCATENATED MODULE: ./src/configs.ts
const STEPSECURITY_ENV = "agent"; // agent or int
const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
const configs_STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
const configs_STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
;// CONCATENATED MODULE: ./src/common.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
@ -87685,14 +87685,13 @@ const processLogLine = (line, tableEntries) => {
}
};
function addSummary() {
var _a;
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_addSummary !== "true") {
return;
}
const web_url = STEPSECURITY_WEB_URL;
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!fs.existsSync(log)) {
const correlation_id = process.env.STATE_correlation_id;
if (!correlation_id) {
return;
}
let needsSubscription = false;
@ -87718,62 +87717,29 @@ function addSummary() {
.write();
return;
}
const content = fs.readFileSync(log, "utf-8");
const lines = content.split("\n");
let tableEntries = [];
for (const line of lines) {
processLogLine(line, tableEntries);
}
if (tableEntries.length === 0) {
// Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
const [owner, repo] = ((_a = process.env["GITHUB_REPOSITORY"]) === null || _a === void 0 ? void 0 : _a.split("/")) || [];
const run_id = process.env["GITHUB_RUN_ID"];
if (!owner || !repo || !run_id || !correlation_id) {
return;
}
const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
// Fetch job summary from API
const apiUrl = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
try {
const response = yield fetch(apiUrl);
if (!response.ok) {
console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
return;
}
else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
return 1;
}
else {
return 0;
}
});
tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(`
<blockquote>
<p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Calls</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
<tbody>
${tableEntries
.map((entry) => `<tr>
<td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td>
</tr>`)
.join("")}
<tr>
<td><code>...</code></td>
<td><code>...</code></td>
<td><code>...</code></td>
</tr>
</tbody>
</table>
${insightsRow}
`);
yield core.summary
.addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
.addSeparator()
.write();
const markdownSummary = yield response.text();
// Render the markdown summary using core.summary.addRaw
yield core.summary.addRaw(markdownSummary).write();
return;
}
catch (error) {
console.error(`Error fetching job summary: ${error}`);
return;
}
});
}
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
@ -87855,7 +87821,7 @@ function fetchPolicy(owner, policyName, idToken) {
if (idToken === "") {
throw new Error("[PolicyFetch]: id-token in empty");
}
let policyEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/policies/${policyName}`;
let policyEndpoint = `${configs_STEPSECURITY_API_URL}/github/${owner}/actions/policies/${policyName}`;
let httpClient = new lib.HttpClient();
let headers = {};
headers["Authorization"] = `Bearer ${idToken}`;
@ -87978,7 +87944,7 @@ var tls_inspect_awaiter = (undefined && undefined.__awaiter) || function (thisAr
function isTLSEnabled(owner) {
return tls_inspect_awaiter(this, void 0, void 0, function* () {
let tlsStatusEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/tls-inspection-status`;
let tlsStatusEndpoint = `${configs_STEPSECURITY_API_URL}/github/${owner}/actions/tls-inspection-status`;
let httpClient = new lib.HttpClient();
httpClient.requestOptions = { socketTimeout: 3 * 1000 };
lib_core.info(`[!] Checking TLS_STATUS: ${owner}`);
@ -88014,8 +87980,8 @@ var external_crypto_ = __nccwpck_require__(6417);
const CHECKSUMS = {
tls: {
amd64: "3f2dc32f300071289650d1f9cbd3c04527ff8cc13e213eeccb70d4d6d2a0c8d5",
arm64: "96967e419b358b664658fa218b712fdb439ffb8eef3bb7b170f122d1e96b4779",
amd64: "5c02a40df6e2c926c92ffc6bf02ca8a301649d44541ca57e40a87948fb0d3f2e",
arm64: "b953784a468343c44a1a3ef4ec984c738a9a1e84aaf6932a2bb9dbf7ac7eab29",
},
non_tls: {
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
@ -88068,7 +88034,7 @@ function installAgent(isTLS, configStr) {
encoding: "utf8",
});
if (isTLS) {
downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.15_linux_${variant}.tar.gz`);
downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.18_linux_${variant}.tar.gz`);
}
else {
if (variant === "arm64") {
@ -88140,8 +88106,8 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
return;
}
var correlation_id = v4();
var api_url = STEPSECURITY_API_URL;
var web_url = configs_STEPSECURITY_WEB_URL;
var api_url = configs_STEPSECURITY_API_URL;
var web_url = STEPSECURITY_WEB_URL;
let confg = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
@ -88297,6 +88263,9 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
external_fs_.appendFileSync(process.env.GITHUB_STATE, `addSummary=${addSummary}${external_os_.EOL}`, {
encoding: "utf8",
});
external_fs_.appendFileSync(process.env.GITHUB_STATE, `correlation_id=${correlation_id}${external_os_.EOL}`, {
encoding: "utf8",
});
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (String(statusCode) === STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);



@ -4,8 +4,8 @@ import * as fs from "fs";
const CHECKSUMS = {
tls: {
amd64: "3f2dc32f300071289650d1f9cbd3c04527ff8cc13e213eeccb70d4d6d2a0c8d5", // v1.6.15
arm64: "96967e419b358b664658fa218b712fdb439ffb8eef3bb7b170f122d1e96b4779",
amd64: "5c02a40df6e2c926c92ffc6bf02ca8a301649d44541ca57e40a87948fb0d3f2e", // v1.6.18
arm64: "b953784a468343c44a1a3ef4ec984c738a9a1e84aaf6932a2bb9dbf7ac7eab29",
},
non_tls: {
amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2


@ -1,6 +1,6 @@
import * as core from "@actions/core";
import * as fs from "fs";
import { STEPSECURITY_WEB_URL } from "./configs";
import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
export function printInfo(web_url) {
console.log(
@ -59,14 +59,12 @@ export async function addSummary() {
return;
}
const web_url = STEPSECURITY_WEB_URL;
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!fs.existsSync(log)) {
const correlation_id = process.env.STATE_correlation_id;
if (!correlation_id) {
return;
}
let needsSubscription = false;
try {
let data = fs.readFileSync("/home/agent/annotation.log", "utf8");
@ -96,73 +94,33 @@ export async function addSummary() {
return;
}
const content = fs.readFileSync(log, "utf-8");
const lines = content.split("\n");
let tableEntries = [];
for (const line of lines) {
processLogLine(line, tableEntries);
}
if (tableEntries.length === 0) {
// Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
const [owner, repo] = process.env["GITHUB_REPOSITORY"]?.split("/") || [];
const run_id = process.env["GITHUB_RUN_ID"];
if (!owner || !repo || !run_id || !correlation_id) {
return;
}
const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
await core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
} else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
return 1;
} else {
return 0;
// Fetch job summary from API
const apiUrl = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
try {
const response = await fetch(apiUrl);
if (!response.ok) {
console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
return;
}
});
tableEntries = tableEntries.slice(0, 3);
await core.summary.addRaw(`
<blockquote>
<p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Calls</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
<tbody>
${tableEntries
.map(
(entry) => `<tr>
<td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td>
</tr>`
)
.join("")}
<tr>
<td><code>...</code></td>
<td><code>...</code></td>
<td><code>...</code></td>
</tr>
</tbody>
</table>
${insightsRow}
`);
await core.summary
.addRaw(
`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`
)
.addSeparator()
.write();
const markdownSummary = await response.text();
// Render the markdown summary using core.summary.addRaw
await core.summary.addRaw(markdownSummary).write();
return;
} catch (error) {
console.error(`Error fetching job summary: ${error}`);
return;
}
}
export const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
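Review bot: The fetch at `const response = await fetch(apiUrl);` has no timeout, and the body returned by `response.text()` is passed straight to `core.summary.addRaw` with no size bound, so a stalled or oversized reply from the API can hang or fail the post step, and the summary content (rendered as markdown/HTML) is now entirely remote-controlled where it was previously built locally from the agent log. The request also sends no Authorization header, so the run's correlation_id appears to be the only value gating the summary endpoint, and the pre-step hunk in this commit prints that id to the job log; confirm this is the intended access model. I would change the call to `const response = await fetch(apiUrl, { signal: AbortSignal.timeout(10_000) });`, reject bodies above a fixed length before addRaw (`if (markdownSummary.length > MAX_SUMMARY_LENGTH) { console.error("job summary too large"); return; }` with MAX_SUMMARY_LENGTH a constant to choose), and replace the comment `// Render the markdown summary using core.summary.addRaw`, which restates the code, with one recording the trust assumption, e.g. `// Body comes from the StepSecurity API and is rendered verbatim (markdown/HTML) into the step summary`. addSummary begins before this hunk.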


@ -25,7 +25,7 @@ export async function installAgent(
if (isTLS) {
downloadPath = await tc.downloadTool(
`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.15_linux_${variant}.tar.gz`
`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.18_linux_${variant}.tar.gz`
);
} else {
if (variant === "arm64") {


@ -271,6 +271,13 @@ interface MonitorResponse {
encoding: "utf8",
}
);
fs.appendFileSync(
process.env.GITHUB_STATE,
`correlation_id=${correlation_id}${EOL}`,
{
encoding: "utf8",
}
);
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) {