Merge pull request #588 from step-security/rc-26

Release v2.13.1

.github/workflows/code-review.yml

@@ -1,23 +0,0 @@
-name: Code Review
-on:
-  pull_request:
-permissions:
-  contents: read
-jobs:
-  code-review:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            int.api.stepsecurity.io:443
-
-      - name: Code Review
-        uses: step-security/ai-codewise@int

.github/workflows/test.yml

@@ -44,3 +44,32 @@ jobs:
         with:
           files: |
             reports/*.xml
+
+  build-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            github.com:443
+            registry.npmjs.org:443
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install Dependencies
+        run: npm ci
+      - name: Run build
+        run: npm run build
+      - name: Check for changes in dist
+        run: |
+          if [[ `git status --porcelain dist` ]]; then
+            echo "Changes detected in dist directory after build:"
+            git status --porcelain dist
+            git diff dist
+            exit 1
+          else
+            echo "No changes in dist directory - build is clean"
+          fi

package.json

@@ -26,7 +26,7 @@
     "@actions/cache": "^4.0.0",
     "@actions/core": "^1.5.0",
     "@actions/exec": "^1.1.0",
-    "@actions/github": "^5.0.0",
+    "@actions/github": "^6.0.1",
     "@actions/http-client": "^2.0.1",
     "@actions/tool-cache": "^1.7.1",
     "@babel/helpers": "^7.26.10",
@@ -40,7 +40,7 @@
     "@types/node": "^16.9.0",
     "@typescript-eslint/eslint-plugin": "^6.1.0",
     "@typescript-eslint/parser": "^6.1.0",
-    "@vercel/ncc": "^0.30.0",
+    "@vercel/ncc": "^0.38.3",
     "eslint": "^7.32.0",
     "eslint-config-google": "^0.14.0",
     "jest": "^29.3.1",

src/checksum.ts

@@ -4,8 +4,8 @@ import * as fs from "fs";
 
 const CHECKSUMS = {
   tls: {
-    amd64: "5c02a40df6e2c926c92ffc6bf02ca8a301649d44541ca57e40a87948fb0d3f2e", // v1.6.18
-    arm64: "b953784a468343c44a1a3ef4ec984c738a9a1e84aaf6932a2bb9dbf7ac7eab29",
+    amd64: "2430b850e0e4d67a2f3b626f02d2827226ee16406da6af0c47ae7b18e18bd2b8", // v1.6.23
+    arm64: "a3c89271e697ab39557ba8011cac7a2df690b5d27b4584d5d5abdf8845a6ce6c",
   },
   non_tls: {
     amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2

src/install-agent.ts

@@ -25,7 +25,9 @@ export async function installAgent(
 
   if (isTLS) {
     downloadPath = await tc.downloadTool(
-      `https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.18_linux_${variant}.tar.gz`
+      `https://github.com/step-security/agent-ebpf/releases/download/v1.6.23/harden-runner_1.6.23_linux_${variant}.tar.gz`,
+      undefined,
+      auth
     );
   } else {
     if (variant === "arm64") {

src/policy-utils.ts

@@ -39,7 +39,12 @@ export async function fetchPolicy(
   }
 
   if (response === undefined && err !== undefined) {
-    throw new Error(`[Policy Fetch] ${err}`);
+    // Preserve the original error's statusCode if it exists
+    const error = new Error(`[Policy Fetch] ${err}`);
+    if (err.statusCode !== undefined) {
+      (error as any).statusCode = err.statusCode;
+    }
+    throw error;
   } else {
     return response.result;
   }
@@ -70,7 +75,7 @@ export function mergeConfigs(
   return localConfig;
 }
 
-function sleep(ms) {
+function sleep(ms: number) {
   return new Promise((resolve) => {
     setTimeout(resolve, ms);
   });

src/setup.ts

@@ -85,7 +85,18 @@ interface MonitorResponse {
         confg = mergeConfigs(confg, result);
       } catch (err) {
         core.info(`[!] ${err}`);
-        core.setFailed(err);
+        // Only fail the job if ID token is not available
+        if (err.message && err.message.includes('Unable to get ACTIONS_ID_TOKEN_REQUEST')) {
+          core.setFailed('Policy store requires id-token write permission as it uses OIDC to fetch the policy from StepSecurity API. Please add "id-token: write" to your job permissions.');
+        } else {
+          // Handle different HTTP status codes
+          if (err.statusCode >= 400 && err.statusCode < 500) {
+            core.error('Policy not found');
+          } else {
+            core.error(`Unexpected error occurred: ${err}. Falling back to egress policy audit`);
+            confg.egress_policy = 'audit';
+          }
+        }
       }
     }
     fs.appendFileSync(
@@ -233,7 +244,7 @@ interface MonitorResponse {
     }
 
     let _http = new httpm.HttpClient();
-    let statusCode;
+    let statusCode: number | undefined;
     _http.requestOptions = { socketTimeout: 3 * 1000 };
     let addSummary = "false";
     try {
@@ -326,7 +337,7 @@ interface MonitorResponse {
   process.exit(0);
 })();
 
-export function sleep(ms) {
+export function sleep(ms: number) {
   return new Promise((resolve) => {
     setTimeout(resolve, ms);
   });