step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-06 16:47:06 +00:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

merge into: step-security:main
Branches Tags
step-security:main
step-security:update-agent-v1.8.7
step-security:update-agent-v1.8.6
step-security:fix/use-policy-store-default-audit
step-security:update-agent-v1.8.5
step-security:update-agent-v1.8.4
step-security:update-agent-v1.8.3
step-security:pr/660-refactor
step-security:rc-40
step-security:feature/deploy-on-self-hosted-vm
step-security:feature/policy-store
step-security:rc-39
step-security:rc-38
step-security:rc-37
step-security:rc-36
step-security:self-hosted
step-security:rc-35
step-security:rc-33
step-security:rc-34
step-security:dependabot/npm_and_yarn/fast-xml-parser-5.3.4
step-security:macos
step-security:rc-32
step-security:rc-31
step-security:windows
step-security:rc-30
step-security:dependabot/github_actions/github/codeql-action-4.31.9
step-security:ubicloud
step-security:dependabot/github_actions/codecov/codecov-action-5.5.2
step-security:feature/custom-property-skip
step-security:rc-29
step-security:dependabot/github_actions/step-security/publish-unit-test-result-action-2.21.1
step-security:dependabot/github_actions/actions/checkout-6
step-security:dependabot/npm_and_yarn/js-yaml-3.14.2
step-security:dependabot/github_actions/actions/dependency-review-action-4.8.2
step-security:rc-28
step-security:varunsh-coder-patch-4
step-security:dependabot/github_actions/ossf/scorecard-action-2.4.3
step-security:rc-27
step-security:rc-26
step-security:chore/GHA-101846-stepsecurity-remediation
step-security:dependabot/npm_and_yarn/form-data-2.5.5
step-security:rc-25
step-security:rc-24
step-security:rc-23
step-security:rc-22
step-security:dependabot/npm_and_yarn/brace-expansion-1.1.12
step-security:rc-21
step-security:chore/GHA-051524-stepsecurity-remediation
step-security:arc-fix
step-security:rc-20-int
step-security:rc-20
step-security:chore/GHA-171216-stepsecurity-remediation
step-security:rc-20-oss-int
step-security:cirrus-test
step-security:dependabot/npm_and_yarn/multi-d2cde0b322
step-security:rc-19
step-security:stepsecurity_remediation_1742901347
step-security:fix/security/GHSA-968p-4wvh-cqc8
step-security:update-readme-2
step-security:update-readme
step-security:varunsh-coder-patch-2
step-security:varunsh-coder-patch-3
step-security:stepsecurity_remediation_1740534601
step-security:dependabot/npm_and_yarn/multi-0f30d60bd3
step-security:dependabot/npm_and_yarn/multi-939339bafa
step-security:dependabot/github_actions/step-security/harden-runner-2.10.0
step-security:rc-18
step-security:fix-enobufs
step-security:rc-17
step-security:rc-16
step-security:rc-15
step-security:rc-14
step-security:dependabot/github_actions/actions/upload-artifact-4.4.0
step-security:varunsh-coder-patch-1
step-security:int-sh
step-security:rc-12
step-security:rc-10
step-security:dependabot/npm_and_yarn/braces-3.0.3
step-security:int
step-security:rc-9
step-security:rc-8
step-security:node-20
step-security:debug-perf-issue
step-security:fix-cache
step-security:markdown
step-security:update-packages
step-security:policy-preview
step-security:rc
step-security:v2.19.4
step-security:v2
step-security:v2.19.3
step-security:v2.19.2
step-security:v2.19.1
step-security:v2.19.0
step-security:v2.18.0
step-security:v2.17.0
step-security:v2.16.1
step-security:v2.16.0
step-security:v2.15.1
step-security:v2.15.0
step-security:v2.14.2
step-security:v2.14.1
step-security:v2.14.0
step-security:v2.13.3
step-security:v2.13.2
step-security:v2.13.1
step-security:v2.13.0
step-security:v2.12.2
step-security:v2.12.1
step-security:v2.12.0
step-security:v2.11.1
step-security:v2.11.0
step-security:v2.10.4
step-security:v2.10.3
step-security:v2.10.2
step-security:v2.10.1
step-security:v2.10.0
step-security:v2.9.1
step-security:v2.9.0
step-security:v2.8.1
step-security:v2.8.0
step-security:v2.7.1
step-security:v2.7.0
step-security:v2.6.1
step-security:v2.6.0
step-security:v2.5.1
step-security:v2.5.0
step-security:v2.4.1
step-security:v2.4.0
step-security:v2.3.1
step-security:v2.3.0
step-security:v2.2.1
step-security:v2.2.0
step-security:v2.1.0
step-security:v2.0.0
step-security:v1
step-security:v1.5.0
step-security:v1.4.5
step-security:v1.4.4
step-security:v1.4.3
step-security:v1.4.2
step-security:v1.4.1
step-security:v1.4.0
step-security:v1.3.0
step-security:v1.2.0
step-security:v1.1.0
step-security:v1.0.4
step-security:v1.0.3
step-security:v1.0.2
step-security:v1.0.1
step-security:v1.0.0
step-security:v0.4.0
step-security:v0.3.0
step-security:v0.2.0
step-security:v0.1.1
step-security:v0.1.0
...
pull from: step-security:markdown
Branches Tags
step-security:update-agent-v1.8.7
step-security:main
step-security:update-agent-v1.8.6
step-security:fix/use-policy-store-default-audit
step-security:update-agent-v1.8.5
step-security:update-agent-v1.8.4
step-security:update-agent-v1.8.3
step-security:pr/660-refactor
step-security:rc-40
step-security:feature/deploy-on-self-hosted-vm
step-security:feature/policy-store
step-security:rc-39
step-security:rc-38
step-security:rc-37
step-security:rc-36
step-security:self-hosted
step-security:rc-35
step-security:rc-33
step-security:rc-34
step-security:dependabot/npm_and_yarn/fast-xml-parser-5.3.4
step-security:macos
step-security:rc-32
step-security:rc-31
step-security:windows
step-security:rc-30
step-security:dependabot/github_actions/github/codeql-action-4.31.9
step-security:ubicloud
step-security:dependabot/github_actions/codecov/codecov-action-5.5.2
step-security:feature/custom-property-skip
step-security:rc-29
step-security:dependabot/github_actions/step-security/publish-unit-test-result-action-2.21.1
step-security:dependabot/github_actions/actions/checkout-6
step-security:dependabot/npm_and_yarn/js-yaml-3.14.2
step-security:dependabot/github_actions/actions/dependency-review-action-4.8.2
step-security:rc-28
step-security:varunsh-coder-patch-4
step-security:dependabot/github_actions/ossf/scorecard-action-2.4.3
step-security:rc-27
step-security:rc-26
step-security:chore/GHA-101846-stepsecurity-remediation
step-security:dependabot/npm_and_yarn/form-data-2.5.5
step-security:rc-25
step-security:rc-24
step-security:rc-23
step-security:rc-22
step-security:dependabot/npm_and_yarn/brace-expansion-1.1.12
step-security:rc-21
step-security:chore/GHA-051524-stepsecurity-remediation
step-security:arc-fix
step-security:rc-20-int
step-security:rc-20
step-security:chore/GHA-171216-stepsecurity-remediation
step-security:rc-20-oss-int
step-security:cirrus-test
step-security:dependabot/npm_and_yarn/multi-d2cde0b322
step-security:rc-19
step-security:stepsecurity_remediation_1742901347
step-security:fix/security/GHSA-968p-4wvh-cqc8
step-security:update-readme-2
step-security:update-readme
step-security:varunsh-coder-patch-2
step-security:varunsh-coder-patch-3
step-security:stepsecurity_remediation_1740534601
step-security:dependabot/npm_and_yarn/multi-0f30d60bd3
step-security:dependabot/npm_and_yarn/multi-939339bafa
step-security:dependabot/github_actions/step-security/harden-runner-2.10.0
step-security:rc-18
step-security:fix-enobufs
step-security:rc-17
step-security:rc-16
step-security:rc-15
step-security:rc-14
step-security:dependabot/github_actions/actions/upload-artifact-4.4.0
step-security:varunsh-coder-patch-1
step-security:int-sh
step-security:rc-12
step-security:rc-10
step-security:dependabot/npm_and_yarn/braces-3.0.3
step-security:int
step-security:rc-9
step-security:rc-8
step-security:node-20
step-security:debug-perf-issue
step-security:fix-cache
step-security:markdown
step-security:update-packages
step-security:policy-preview
step-security:rc
step-security:v2.19.4
step-security:v2
step-security:v2.19.3
step-security:v2.19.2
step-security:v2.19.1
step-security:v2.19.0
step-security:v2.18.0
step-security:v2.17.0
step-security:v2.16.1
step-security:v2.16.0
step-security:v2.15.1
step-security:v2.15.0
step-security:v2.14.2
step-security:v2.14.1
step-security:v2.14.0
step-security:v2.13.3
step-security:v2.13.2
step-security:v2.13.1
step-security:v2.13.0
step-security:v2.12.2
step-security:v2.12.1
step-security:v2.12.0
step-security:v2.11.1
step-security:v2.11.0
step-security:v2.10.4
step-security:v2.10.3
step-security:v2.10.2
step-security:v2.10.1
step-security:v2.10.0
step-security:v2.9.1
step-security:v2.9.0
step-security:v2.8.1
step-security:v2.8.0
step-security:v2.7.1
step-security:v2.7.0
step-security:v2.6.1
step-security:v2.6.0
step-security:v2.5.1
step-security:v2.5.0
step-security:v2.4.1
step-security:v2.4.0
step-security:v2.3.1
step-security:v2.3.0
step-security:v2.2.1
step-security:v2.2.0
step-security:v2.1.0
step-security:v2.0.0
step-security:v1
step-security:v1.5.0
step-security:v1.4.5
step-security:v1.4.4
step-security:v1.4.3
step-security:v1.4.2
step-security:v1.4.1
step-security:v1.4.0
step-security:v1.3.0
step-security:v1.2.0
step-security:v1.1.0
step-security:v1.0.4
step-security:v1.0.3
step-security:v1.0.2
step-security:v1.0.1
step-security:v1.0.0
step-security:v0.4.0
step-security:v0.3.0
step-security:v0.2.0
step-security:v0.1.1
step-security:v0.1.0

4 commits
main ... markdown

Author SHA1 Message Date
Varun Sharma
fc9d972ad4 Merge branch 'rc-v2.6.1' into markdown 2023-10-27 15:26:34 -07:00
Varun Sharma
0827586e44 Update markdown 2023-10-27 13:37:20 -07:00
Varun Sharma
f5cfd3fe85 Update markdown 2023-10-27 13:19:55 -07:00
jatin
abb3730f28
 		Add k8s-mode detection (#345) 2023-10-27 12:58:37 -07:00
8 changed files with 77 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

19
dist/index.js vendored
View file

@ -2913,8 +2913,8 @@ function addSummary() {
if (tableEntries.length === 0) { if (tableEntries.length === 0) {
return; return;
} }
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`; const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Runtime Security Report & Recommended Policy</a></b></p>`;
yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`); yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => { tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") { if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1; return -1;
@ -2928,8 +2928,9 @@ function addSummary() {
}); });
tableEntries = tableEntries.slice(0, 3); tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(` yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p> <blockquote>
<h3>🌐 Network Events</h3> <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Events</h3>
<table> <table>
<thead> <thead>
<tr> <tr>
@ -2941,22 +2942,22 @@ function addSummary() {
<tbody> <tbody>
${tableEntries ${tableEntries
.map((entry) => `<tr> .map((entry) => `<tr>
<td>${entry.process}</td> <td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td> <td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td> <td>${entry.status}</td>
</tr>`) </tr>`)
.join("")} .join("")}
<tr> <tr>
<td>...</td> <td><code>...</code></td>
<td>...</td> <td><code>...</code></td>
<td>...</td> <td><code>...</code></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
${insightsRow} ${insightsRow}
`); `);
yield core.summary yield core.summary
.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`) .addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
.addSeparator() .addSeparator()
.write(); .write();
}); });

2
dist/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

32
dist/post/index.js vendored
View file

@ -61211,8 +61211,8 @@ function addSummary() {
if (tableEntries.length === 0) { if (tableEntries.length === 0) {
return; return;
} }
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`; const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Runtime Security Report & Recommended Policy</a></b></p>`;
yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`); yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => { tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") { if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1; return -1;
@ -61226,8 +61226,9 @@ function addSummary() {
}); });
tableEntries = tableEntries.slice(0, 3); tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(` yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p> <blockquote>
<h3>🌐 Network Events</h3> <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Events</h3>
<table> <table>
<thead> <thead>
<tr> <tr>
@ -61239,21 +61240,21 @@ function addSummary() {
<tbody> <tbody>
${tableEntries ${tableEntries
.map((entry) => `<tr> .map((entry) => `<tr>
<td>${entry.process}</td> <td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td> <td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td> <td>${entry.status}</td>
</tr>`) </tr>`)
.join("")} .join("")}
<tr> <tr>
<td>...</td> <td><code>...</code></td>
<td>...</td> <td><code>...</code></td>
<td>...</td> <td><code>...</code></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
${insightsRow} ${insightsRow}
`); `);
yield core.summary.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`) yield core.summary.addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
.addSeparator() .addSeparator()
.write(); .write();
}); });
@ -61322,12 +61323,21 @@ var external_path_ = __nccwpck_require__(5622);
var external_path_default = /*#__PURE__*/__nccwpck_require__.n(external_path_); var external_path_default = /*#__PURE__*/__nccwpck_require__.n(external_path_);
;// CONCATENATED MODULE: ./src/arc-runner.ts ;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() { function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"]; const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
if (!runnerUserAgent) { if (!runnerUserAgent) {
return false; isARC = false;
} }
return runnerUserAgent.includes("actions-runner-controller/"); else {
isARC = runnerUserAgent.includes("actions-runner-controller/");
}
return isARC || isSecondaryPod();
}
function isSecondaryPod() {
const workDir = "/__w";
return external_fs_.existsSync(workDir);
} }
function getRunnerTempDir() { function getRunnerTempDir() {
const isTest = process.env["isTest"]; const isTest = process.env["isTest"];

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

32
dist/pre/index.js vendored
View file

@ -69085,8 +69085,8 @@ function addSummary() {
if (tableEntries.length === 0) { if (tableEntries.length === 0) {
return; return;
} }
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`; const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Runtime Security Report & Recommended Policy</a></b></p>`;
yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`); yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => { tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") { if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1; return -1;
@ -69100,8 +69100,9 @@ function addSummary() {
}); });
tableEntries = tableEntries.slice(0, 3); tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(` yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p> <blockquote>
<h3>🌐 Network Events</h3> <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Events</h3>
<table> <table>
<thead> <thead>
<tr> <tr>
@ -69113,22 +69114,22 @@ function addSummary() {
<tbody> <tbody>
${tableEntries ${tableEntries
.map((entry) => `<tr> .map((entry) => `<tr>
<td>${entry.process}</td> <td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td> <td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td> <td>${entry.status}</td>
</tr>`) </tr>`)
.join("")} .join("")}
<tr> <tr>
<td>...</td> <td><code>...</code></td>
<td>...</td> <td><code>...</code></td>
<td>...</td> <td><code>...</code></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
${insightsRow} ${insightsRow}
`); `);
yield core.summary yield core.summary
.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`) .addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
.addSeparator() .addSeparator()
.write(); .write();
}); });
@ -69286,12 +69287,21 @@ var cacheHttpClient = __nccwpck_require__(8245);
var cacheUtils = __nccwpck_require__(1518); var cacheUtils = __nccwpck_require__(1518);
;// CONCATENATED MODULE: ./src/arc-runner.ts ;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() { function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"]; const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
if (!runnerUserAgent) { if (!runnerUserAgent) {
return false; isARC = false;
} }
return runnerUserAgent.includes("actions-runner-controller/"); else {
isARC = runnerUserAgent.includes("actions-runner-controller/");
}
return isARC || isSecondaryPod();
}
function isSecondaryPod() {
const workDir = "/__w";
return external_fs_.existsSync(workDir);
} }
function getRunnerTempDir() { function getRunnerTempDir() {
const isTest = process.env["isTest"]; const isTest = process.env["isTest"];

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

14
src/arc-runner.ts
View file

@ -1,14 +1,24 @@
import * as cp from "child_process"; import * as cp from "child_process";
import * as fs from "fs";
import { sleep } from "./setup"; import { sleep } from "./setup";
export function isArcRunner(): boolean { export function isArcRunner(): boolean {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"]; const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
if (!runnerUserAgent) { if (!runnerUserAgent) {
return false; isARC = false;
} else {
isARC = runnerUserAgent.includes("actions-runner-controller/");
} }
return runnerUserAgent.includes("actions-runner-controller/"); return isARC || isSecondaryPod();
}
function isSecondaryPod(): boolean {
const workDir = "/__w";
return fs.existsSync(workDir);
} }
function getRunnerTempDir(): string { function getRunnerTempDir(): string {

19
src/common.ts
View file

@ -101,9 +101,9 @@ export async function addSummary() {
return; return;
} }
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`; const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Runtime Security Report & Recommended Policy</a></b></p>`;
await core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`); await core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => { tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") { if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
@ -118,8 +118,9 @@ export async function addSummary() {
tableEntries = tableEntries.slice(0, 3); tableEntries = tableEntries.slice(0, 3);
await core.summary.addRaw(` await core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p> <blockquote>
<h3>🌐 Network Events</h3> <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Events</h3>
<table> <table>
<thead> <thead>
<tr> <tr>
@ -132,16 +133,16 @@ export async function addSummary() {
${tableEntries ${tableEntries
.map( .map(
(entry) => `<tr> (entry) => `<tr>
<td>${entry.process}</td> <td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td> <td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td> <td>${entry.status}</td>
</tr>` </tr>`
) )
.join("")} .join("")}
<tr> <tr>
<td>...</td> <td><code>...</code></td>
<td>...</td> <td><code>...</code></td>
<td>...</td> <td><code>...</code></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -150,7 +151,7 @@ export async function addSummary() {
await core.summary await core.summary
.addRaw( .addRaw(
`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>` `<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`
) )
.addSeparator() .addSeparator()
.write(); .write();