Merge pull request #416 from step-security/rc-8

Release 2.8.0

README.md

@@ -161,6 +161,34 @@ Once allowed endpoints are set in the policy in the workflow file, or in the [Po
   <img src="images/blocked-outbound-call-3.png" alt="Policy recommended by harden-runner" >
 </p>
 
+### 📋 View the name and path of every file written during the build process
+
+> Applies to both GitHub-hosted and self-hosted runners
+
+View the name and path of every file that was written during the build process. This feature is supported with a commercial license.
+
+- Harden-Runner tracks every file written to the GitHub Actions working directory during the build process.
+- In the insights page in the `File Write Events` tab you can see a file explorer view of each file that was written to.
+- Clicking on any file reveals a list of processes that wrote to it, providing complete transparency.
+
+<p align="left">
+  <img src="images/file-write-events.png" alt="View the name and path of every file written during the build process" >
+</p>
+
+### 🔄 View process names and arguments
+
+> Applies to both GitHub-hosted and self-hosted runners
+
+View process names, PIDs, and process arguments. This feature is supported with a commercial license.
+
+- Harden-Runner tracks every process that is run during the build process.
+- Clicking on any file reveals a list of processes that wrote to it.
+- You can walk up the process tree and view process arguments to understand the build process and detect suspicious activity.
+
+<p align="left">
+  <img src="images/process-events-3.png" alt="View process names and arguments" >
+</p>
+
 ### 📁 Detect tampering of source code during build
 
 > Applies to both GitHub-hosted and self-hosted runners

dist/pre/index.js

@@ -71401,7 +71401,7 @@ function verifyChecksum(downloadPath, is_tls) {
     let expectedChecksum = "ceb925c78e5c79af4f344f08f59bbdcf3376d20d15930a315f9b24b6c4d0328a"; // checksum for v0.13.5
     if (is_tls) {
         expectedChecksum =
-            "e0cd0f0da1ac48df713acd8c4f0e591274de0f2c251b8526cf956c654f024ec2"; // checksum for tls_agent
+            "846ae66c6cfab958fe61736cec0b58bdb7651b36af04c279405c7114675d7033"; // checksum for tls_agent
     }
     if (checksum !== expectedChecksum) {
         lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
@@ -71812,7 +71812,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
         let auth = `token ${token}`;
         let downloadPath;
         if (yield isTLSEnabled(github.context.repo.owner)) {
-            downloadPath = yield tool_cache.downloadTool("https://packages.stepsecurity.io/github-hosted/harden-runner_1.1.3_linux_amd64.tar.gz");
+            downloadPath = yield tool_cache.downloadTool("https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.0_linux_amd64.tar.gz");
             verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
         }
         else {

src/checksum.ts

@@ -14,7 +14,7 @@ export function verifyChecksum(downloadPath: string, is_tls: boolean) {
 
   if (is_tls) {
     expectedChecksum =
-      "e0cd0f0da1ac48df713acd8c4f0e591274de0f2c251b8526cf956c654f024ec2"; // checksum for tls_agent
+      "846ae66c6cfab958fe61736cec0b58bdb7651b36af04c279405c7114675d7033"; // checksum for tls_agent
   }
 
   if (checksum !== expectedChecksum) {

src/setup.ts

@@ -231,7 +231,7 @@ interface MonitorResponse {
 
     if (await isTLSEnabled(context.repo.owner)) {
       downloadPath = await tc.downloadTool(
-        "https://packages.stepsecurity.io/github-hosted/harden-runner_1.1.3_linux_amd64.tar.gz"
+        "https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.0_linux_amd64.tar.gz"
       );
       verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
     } else {