step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-06 07:47:07 +00:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

merge into: step-security:main
Branches Tags
step-security:main
step-security:update-agent-v1.8.7
step-security:update-agent-v1.8.6
step-security:fix/use-policy-store-default-audit
step-security:update-agent-v1.8.5
step-security:update-agent-v1.8.4
step-security:update-agent-v1.8.3
step-security:pr/660-refactor
step-security:rc-40
step-security:feature/deploy-on-self-hosted-vm
step-security:feature/policy-store
step-security:rc-39
step-security:rc-38
step-security:rc-37
step-security:rc-36
step-security:self-hosted
step-security:rc-35
step-security:rc-33
step-security:rc-34
step-security:dependabot/npm_and_yarn/fast-xml-parser-5.3.4
step-security:macos
step-security:rc-32
step-security:rc-31
step-security:windows
step-security:rc-30
step-security:dependabot/github_actions/github/codeql-action-4.31.9
step-security:ubicloud
step-security:dependabot/github_actions/codecov/codecov-action-5.5.2
step-security:feature/custom-property-skip
step-security:rc-29
step-security:dependabot/github_actions/step-security/publish-unit-test-result-action-2.21.1
step-security:dependabot/github_actions/actions/checkout-6
step-security:dependabot/npm_and_yarn/js-yaml-3.14.2
step-security:dependabot/github_actions/actions/dependency-review-action-4.8.2
step-security:rc-28
step-security:varunsh-coder-patch-4
step-security:dependabot/github_actions/ossf/scorecard-action-2.4.3
step-security:rc-27
step-security:rc-26
step-security:chore/GHA-101846-stepsecurity-remediation
step-security:dependabot/npm_and_yarn/form-data-2.5.5
step-security:rc-25
step-security:rc-24
step-security:rc-23
step-security:rc-22
step-security:dependabot/npm_and_yarn/brace-expansion-1.1.12
step-security:rc-21
step-security:chore/GHA-051524-stepsecurity-remediation
step-security:arc-fix
step-security:rc-20-int
step-security:rc-20
step-security:chore/GHA-171216-stepsecurity-remediation
step-security:rc-20-oss-int
step-security:cirrus-test
step-security:dependabot/npm_and_yarn/multi-d2cde0b322
step-security:rc-19
step-security:stepsecurity_remediation_1742901347
step-security:fix/security/GHSA-968p-4wvh-cqc8
step-security:update-readme-2
step-security:update-readme
step-security:varunsh-coder-patch-2
step-security:varunsh-coder-patch-3
step-security:stepsecurity_remediation_1740534601
step-security:dependabot/npm_and_yarn/multi-0f30d60bd3
step-security:dependabot/npm_and_yarn/multi-939339bafa
step-security:dependabot/github_actions/step-security/harden-runner-2.10.0
step-security:rc-18
step-security:fix-enobufs
step-security:rc-17
step-security:rc-16
step-security:rc-15
step-security:rc-14
step-security:dependabot/github_actions/actions/upload-artifact-4.4.0
step-security:varunsh-coder-patch-1
step-security:int-sh
step-security:rc-12
step-security:rc-10
step-security:dependabot/npm_and_yarn/braces-3.0.3
step-security:int
step-security:rc-9
step-security:rc-8
step-security:node-20
step-security:debug-perf-issue
step-security:fix-cache
step-security:markdown
step-security:update-packages
step-security:policy-preview
step-security:rc
step-security:v2.19.4
step-security:v2
step-security:v2.19.3
step-security:v2.19.2
step-security:v2.19.1
step-security:v2.19.0
step-security:v2.18.0
step-security:v2.17.0
step-security:v2.16.1
step-security:v2.16.0
step-security:v2.15.1
step-security:v2.15.0
step-security:v2.14.2
step-security:v2.14.1
step-security:v2.14.0
step-security:v2.13.3
step-security:v2.13.2
step-security:v2.13.1
step-security:v2.13.0
step-security:v2.12.2
step-security:v2.12.1
step-security:v2.12.0
step-security:v2.11.1
step-security:v2.11.0
step-security:v2.10.4
step-security:v2.10.3
step-security:v2.10.2
step-security:v2.10.1
step-security:v2.10.0
step-security:v2.9.1
step-security:v2.9.0
step-security:v2.8.1
step-security:v2.8.0
step-security:v2.7.1
step-security:v2.7.0
step-security:v2.6.1
step-security:v2.6.0
step-security:v2.5.1
step-security:v2.5.0
step-security:v2.4.1
step-security:v2.4.0
step-security:v2.3.1
step-security:v2.3.0
step-security:v2.2.1
step-security:v2.2.0
step-security:v2.1.0
step-security:v2.0.0
step-security:v1
step-security:v1.5.0
step-security:v1.4.5
step-security:v1.4.4
step-security:v1.4.3
step-security:v1.4.2
step-security:v1.4.1
step-security:v1.4.0
step-security:v1.3.0
step-security:v1.2.0
step-security:v1.1.0
step-security:v1.0.4
step-security:v1.0.3
step-security:v1.0.2
step-security:v1.0.1
step-security:v1.0.0
step-security:v0.4.0
step-security:v0.3.0
step-security:v0.2.0
step-security:v0.1.1
step-security:v0.1.0
...
pull from: step-security:policy-preview
Branches Tags
step-security:update-agent-v1.8.7
step-security:main
step-security:update-agent-v1.8.6
step-security:fix/use-policy-store-default-audit
step-security:update-agent-v1.8.5
step-security:update-agent-v1.8.4
step-security:update-agent-v1.8.3
step-security:pr/660-refactor
step-security:rc-40
step-security:feature/deploy-on-self-hosted-vm
step-security:feature/policy-store
step-security:rc-39
step-security:rc-38
step-security:rc-37
step-security:rc-36
step-security:self-hosted
step-security:rc-35
step-security:rc-33
step-security:rc-34
step-security:dependabot/npm_and_yarn/fast-xml-parser-5.3.4
step-security:macos
step-security:rc-32
step-security:rc-31
step-security:windows
step-security:rc-30
step-security:dependabot/github_actions/github/codeql-action-4.31.9
step-security:ubicloud
step-security:dependabot/github_actions/codecov/codecov-action-5.5.2
step-security:feature/custom-property-skip
step-security:rc-29
step-security:dependabot/github_actions/step-security/publish-unit-test-result-action-2.21.1
step-security:dependabot/github_actions/actions/checkout-6
step-security:dependabot/npm_and_yarn/js-yaml-3.14.2
step-security:dependabot/github_actions/actions/dependency-review-action-4.8.2
step-security:rc-28
step-security:varunsh-coder-patch-4
step-security:dependabot/github_actions/ossf/scorecard-action-2.4.3
step-security:rc-27
step-security:rc-26
step-security:chore/GHA-101846-stepsecurity-remediation
step-security:dependabot/npm_and_yarn/form-data-2.5.5
step-security:rc-25
step-security:rc-24
step-security:rc-23
step-security:rc-22
step-security:dependabot/npm_and_yarn/brace-expansion-1.1.12
step-security:rc-21
step-security:chore/GHA-051524-stepsecurity-remediation
step-security:arc-fix
step-security:rc-20-int
step-security:rc-20
step-security:chore/GHA-171216-stepsecurity-remediation
step-security:rc-20-oss-int
step-security:cirrus-test
step-security:dependabot/npm_and_yarn/multi-d2cde0b322
step-security:rc-19
step-security:stepsecurity_remediation_1742901347
step-security:fix/security/GHSA-968p-4wvh-cqc8
step-security:update-readme-2
step-security:update-readme
step-security:varunsh-coder-patch-2
step-security:varunsh-coder-patch-3
step-security:stepsecurity_remediation_1740534601
step-security:dependabot/npm_and_yarn/multi-0f30d60bd3
step-security:dependabot/npm_and_yarn/multi-939339bafa
step-security:dependabot/github_actions/step-security/harden-runner-2.10.0
step-security:rc-18
step-security:fix-enobufs
step-security:rc-17
step-security:rc-16
step-security:rc-15
step-security:rc-14
step-security:dependabot/github_actions/actions/upload-artifact-4.4.0
step-security:varunsh-coder-patch-1
step-security:int-sh
step-security:rc-12
step-security:rc-10
step-security:dependabot/npm_and_yarn/braces-3.0.3
step-security:int
step-security:rc-9
step-security:rc-8
step-security:node-20
step-security:debug-perf-issue
step-security:fix-cache
step-security:markdown
step-security:update-packages
step-security:policy-preview
step-security:rc
step-security:v2.19.4
step-security:v2
step-security:v2.19.3
step-security:v2.19.2
step-security:v2.19.1
step-security:v2.19.0
step-security:v2.18.0
step-security:v2.17.0
step-security:v2.16.1
step-security:v2.16.0
step-security:v2.15.1
step-security:v2.15.0
step-security:v2.14.2
step-security:v2.14.1
step-security:v2.14.0
step-security:v2.13.3
step-security:v2.13.2
step-security:v2.13.1
step-security:v2.13.0
step-security:v2.12.2
step-security:v2.12.1
step-security:v2.12.0
step-security:v2.11.1
step-security:v2.11.0
step-security:v2.10.4
step-security:v2.10.3
step-security:v2.10.2
step-security:v2.10.1
step-security:v2.10.0
step-security:v2.9.1
step-security:v2.9.0
step-security:v2.8.1
step-security:v2.8.0
step-security:v2.7.1
step-security:v2.7.0
step-security:v2.6.1
step-security:v2.6.0
step-security:v2.5.1
step-security:v2.5.0
step-security:v2.4.1
step-security:v2.4.0
step-security:v2.3.1
step-security:v2.3.0
step-security:v2.2.1
step-security:v2.2.0
step-security:v2.1.0
step-security:v2.0.0
step-security:v1
step-security:v1.5.0
step-security:v1.4.5
step-security:v1.4.4
step-security:v1.4.3
step-security:v1.4.2
step-security:v1.4.1
step-security:v1.4.0
step-security:v1.3.0
step-security:v1.2.0
step-security:v1.1.0
step-security:v1.0.4
step-security:v1.0.3
step-security:v1.0.2
step-security:v1.0.1
step-security:v1.0.0
step-security:v0.4.0
step-security:v0.3.0
step-security:v0.2.0
step-security:v0.1.1
step-security:v0.1.0

4 commits
main ... policy-pre

Author SHA1 Message Date
Varun Sharma
aefd2a8358 Update README.md 2023-04-03 13:18:29 -07:00
Varun Sharma
4fcd5054a5 Update version 2023-04-01 23:25:34 -07:00
jatin
840250fc42
 		Add retry mechanism in fetchPolicy (#263) 2023-03-30 03:20:18 +01:00
jatin
61c2ffb99a
 		Add policy fetching from insights api with authorization (#259) 2023-03-22 21:16:01 -07:00
13 changed files with 505 additions and 321 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -63,7 +63,7 @@ Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in
<img src="images/insights2.png" alt="Insights from harden-runner" >
</p>
4. Below the insights, you will see the recommended policy. Update your workflow file with the recommended policy.
4. Under the insights section, you'll find a suggested policy. You can either update your workflow file with this policy, or alternatively, use the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store) to apply the policy without modifying the workflow file.
<p align="left">
<img src="images/rec-policy1.png" alt="Policy recommended by harden-runner" >
@ -79,7 +79,7 @@ For details, check out the documentation at https://docs.stepsecurity.io
### Restrict egress traffic to allowed endpoints
Once allowed endpoints are set in the workflow file,
Once allowed endpoints are set in the policy in the workflow file, or in the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store)
- Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4).
- It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
@ -140,7 +140,7 @@ If you have questions or ideas, please use [discussions](https://github.com/step
## Limitations
1. Harden-Runner GitHub Action only works for GitHub-hosted runners. Self-hosted runners are not supported.
1. Harden-Runner GitHub Action only works for GitHub-hosted runners. Self-hosted runners are not supported. We have started work on supporting [Kubernetes-Based Self-Hosted Actions Runners](https://github.com/step-security/harden-runner/issues/104).
2. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121).
3. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`.

5
action.yml
View file

@ -24,6 +24,11 @@ inputs:
description: "Disable file monitoring"
required: false
default: "false"
policy:
description: "Policy name to be used from the policy store"
required: false
default: ""
branding:
icon: "check-square"
color: "green"

369
dist/post/index.js vendored
View file

@ -82,10 +82,9 @@ exports.isFeatureAvailable = isFeatureAvailable;
* @param primaryKey an explicit key for restoring the cache
* @param restoreKeys an optional ordered list of keys to use for restoring the cache if no cache hit occurred for key
* @param downloadOptions cache download options
* @param enableCrossOsArchive an optional boolean enabled to restore on windows any cache created on any platform
* @returns string returns the key for the cache hit, otherwise returns undefined
*/
function restoreCache(paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
function restoreCache(paths, primaryKey, restoreKeys, options) {
return __awaiter(this, void 0, void 0, function* () {
checkPaths(paths);
restoreKeys = restoreKeys || [];
@ -103,8 +102,7 @@ function restoreCache(paths, primaryKey, restoreKeys, options, enableCrossOsArch
try {
// path are needed to compute version
const cacheEntry = yield cacheHttpClient.getCacheEntry(keys, paths, {
compressionMethod,
enableCrossOsArchive
compressionMethod
});
if (!(cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.archiveLocation)) {
// Cache not found
@ -151,11 +149,10 @@ exports.restoreCache = restoreCache;
*
* @param paths a list of file paths to be cached
* @param key an explicit key for restoring the cache
* @param enableCrossOsArchive an optional boolean enabled to save cache on windows which could be restored on any platform
* @param options cache upload options
* @returns number returns cacheId if the cache was saved successfully and throws an error if save fails
*/
function saveCache(paths, key, options, enableCrossOsArchive = false) {
function saveCache(paths, key, options) {
var _a, _b, _c, _d, _e;
return __awaiter(this, void 0, void 0, function* () {
checkPaths(paths);
@ -186,7 +183,6 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
core.debug('Reserving Cache');
const reserveCacheResponse = yield cacheHttpClient.reserveCache(key, paths, {
compressionMethod,
enableCrossOsArchive,
cacheSize: archiveFileSize
});
if ((_a = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.result) === null || _a === void 0 ? void 0 : _a.cacheId) {
@ -259,6 +255,7 @@ const crypto = __importStar(__nccwpck_require__(6417));
const fs = __importStar(__nccwpck_require__(5747));
const url_1 = __nccwpck_require__(8835);
const utils = __importStar(__nccwpck_require__(1518));
const constants_1 = __nccwpck_require__(8840);
const downloadUtils_1 = __nccwpck_require__(5500);
const options_1 = __nccwpck_require__(6215);
const requestUtils_1 = __nccwpck_require__(3981);
@ -288,17 +285,10 @@ function createHttpClient() {
const bearerCredentialHandler = new auth_1.BearerCredentialHandler(token);
return new http_client_1.HttpClient('actions/cache', [bearerCredentialHandler], getRequestOptions());
}
function getCacheVersion(paths, compressionMethod, enableCrossOsArchive = false) {
const components = paths;
// Add compression method to cache version to restore
// compressed cache as per compression method
if (compressionMethod) {
components.push(compressionMethod);
}
// Only check for windows platforms if enableCrossOsArchive is false
if (process.platform === 'win32' && !enableCrossOsArchive) {
components.push('windows-only');
}
function getCacheVersion(paths, compressionMethod) {
const components = paths.concat(!compressionMethod || compressionMethod === constants_1.CompressionMethod.Gzip
? []
: [compressionMethod]);
// Add salt to cache version to support breaking changes in cache entry
components.push(versionSalt);
return crypto
@ -310,15 +300,10 @@ exports.getCacheVersion = getCacheVersion;
function getCacheEntry(keys, paths, options) {
return __awaiter(this, void 0, void 0, function* () {
const httpClient = createHttpClient();
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod, options === null || options === void 0 ? void 0 : options.enableCrossOsArchive);
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod);
const resource = `cache?keys=${encodeURIComponent(keys.join(','))}&version=${version}`;
const response = yield requestUtils_1.retryTypedResponse('getCacheEntry', () => __awaiter(this, void 0, void 0, function* () { return httpClient.getJson(getCacheApiUrl(resource)); }));
// Cache not found
if (response.statusCode === 204) {
// List cache for primary key only if cache miss occurs
if (core.isDebug()) {
yield printCachesListForDiagnostics(keys[0], httpClient, version);
}
return null;
}
if (!requestUtils_1.isSuccessStatusCode(response.statusCode)) {
@ -327,7 +312,6 @@ function getCacheEntry(keys, paths, options) {
const cacheResult = response.result;
const cacheDownloadUrl = cacheResult === null || cacheResult === void 0 ? void 0 : cacheResult.archiveLocation;
if (!cacheDownloadUrl) {
// Cache achiveLocation not found. This should never happen, and hence bail out.
throw new Error('Cache not found.');
}
core.setSecret(cacheDownloadUrl);
@ -337,22 +321,6 @@ function getCacheEntry(keys, paths, options) {
});
}
exports.getCacheEntry = getCacheEntry;
function printCachesListForDiagnostics(key, httpClient, version) {
return __awaiter(this, void 0, void 0, function* () {
const resource = `caches?key=${encodeURIComponent(key)}`;
const response = yield requestUtils_1.retryTypedResponse('listCache', () => __awaiter(this, void 0, void 0, function* () { return httpClient.getJson(getCacheApiUrl(resource)); }));
if (response.statusCode === 200) {
const cacheListResult = response.result;
const totalCount = cacheListResult === null || cacheListResult === void 0 ? void 0 : cacheListResult.totalCount;
if (totalCount && totalCount > 0) {
core.debug(`No matching cache found for cache key '${key}', version '${version} and scope ${process.env['GITHUB_REF']}. There exist one or more cache(s) with similar key but they have different version or scope. See more info on cache matching here: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key \nOther caches with similar key:`);
for (const cacheEntry of (cacheListResult === null || cacheListResult === void 0 ? void 0 : cacheListResult.artifactCaches) || []) {
core.debug(`Cache Key: ${cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.cacheKey}, Cache Version: ${cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.cacheVersion}, Cache Scope: ${cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.scope}, Cache Created: ${cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.creationTime}`);
}
}
}
});
}
function downloadCache(archiveLocation, archivePath, options) {
return __awaiter(this, void 0, void 0, function* () {
const archiveUrl = new url_1.URL(archiveLocation);
@ -373,7 +341,7 @@ exports.downloadCache = downloadCache;
function reserveCache(key, paths, options) {
return __awaiter(this, void 0, void 0, function* () {
const httpClient = createHttpClient();
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod, options === null || options === void 0 ? void 0 : options.enableCrossOsArchive);
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod);
const reserveCacheRequest = {
key,
version,
@ -591,13 +559,12 @@ function unlinkFile(filePath) {
});
}
exports.unlinkFile = unlinkFile;
function getVersion(app, additionalArgs = []) {
function getVersion(app) {
return __awaiter(this, void 0, void 0, function* () {
core.debug(`Checking ${app} --version`);
let versionOutput = '';
additionalArgs.push('--version');
core.debug(`Checking ${app} ${additionalArgs.join(' ')}`);
try {
yield exec.exec(`${app}`, additionalArgs, {
yield exec.exec(`${app} --version`, [], {
ignoreReturnCode: true,
silent: true,
listeners: {
@ -617,15 +584,24 @@ function getVersion(app, additionalArgs = []) {
// Use zstandard if possible to maximize cache performance
function getCompressionMethod() {
return __awaiter(this, void 0, void 0, function* () {
const versionOutput = yield getVersion('zstd', ['--quiet']);
const version = semver.clean(versionOutput);
core.debug(`zstd version: ${version}`);
if (versionOutput === '') {
if (process.platform === 'win32' && !(yield isGnuTarInstalled())) {
// Disable zstd due to bug https://github.com/actions/cache/issues/301
return constants_1.CompressionMethod.Gzip;
}
else {
const versionOutput = yield getVersion('zstd');
const version = semver.clean(versionOutput);
if (!versionOutput.toLowerCase().includes('zstd command line interface')) {
// zstd is not installed
return constants_1.CompressionMethod.Gzip;
}
else if (!version || semver.lt(version, 'v1.3.2')) {
// zstd is installed but using a version earlier than v1.3.2
// v1.3.2 is required to use the `--long` options in zstd
return constants_1.CompressionMethod.ZstdWithoutLong;
}
else {
return constants_1.CompressionMethod.Zstd;
}
});
}
exports.getCompressionMethod = getCompressionMethod;
@ -635,16 +611,13 @@ function getCacheFileName(compressionMethod) {
: constants_1.CacheFilename.Zstd;
}
exports.getCacheFileName = getCacheFileName;
function getGnuTarPathOnWindows() {
function isGnuTarInstalled() {
return __awaiter(this, void 0, void 0, function* () {
if (fs.existsSync(constants_1.GnuTarPathOnWindows)) {
return constants_1.GnuTarPathOnWindows;
}
const versionOutput = yield getVersion('tar');
return versionOutput.toLowerCase().includes('gnu tar') ? io.which('tar') : '';
return versionOutput.toLowerCase().includes('gnu tar');
});
}
exports.getGnuTarPathOnWindows = getGnuTarPathOnWindows;
exports.isGnuTarInstalled = isGnuTarInstalled;
function assertDefined(name, value) {
if (value === undefined) {
throw Error(`Expected ${name} but value was undefiend`);
@ -680,11 +653,6 @@ var CompressionMethod;
CompressionMethod["ZstdWithoutLong"] = "zstd-without-long";
CompressionMethod["Zstd"] = "zstd";
})(CompressionMethod = exports.CompressionMethod || (exports.CompressionMethod = {}));
var ArchiveToolType;
(function (ArchiveToolType) {
ArchiveToolType["GNU"] = "gnu";
ArchiveToolType["BSD"] = "bsd";
})(ArchiveToolType = exports.ArchiveToolType || (exports.ArchiveToolType = {}));
// The default number of retry attempts.
exports.DefaultRetryAttempts = 2;
// The default delay in milliseconds between retry attempts.
@ -693,12 +661,6 @@ exports.DefaultRetryDelay = 5000;
// over the socket during this period, the socket is destroyed and the download
// is aborted.
exports.SocketTimeout = 5000;
// The default path of GNUtar on hosted Windows runners
exports.GnuTarPathOnWindows = `${process.env['PROGRAMFILES']}\\Git\\usr\\bin\\tar.exe`;
// The default path of BSDtar on hosted Windows runners
exports.SystemTarPathOnWindows = `${process.env['SYSTEMDRIVE']}\\Windows\\System32\\tar.exe`;
exports.TarFilename = 'cache.tar';
exports.ManifestFilename = 'manifest.txt';
//# sourceMappingURL=constants.js.map
/***/ }),
@ -1117,19 +1079,21 @@ const path = __importStar(__nccwpck_require__(5622));
const utils = __importStar(__nccwpck_require__(1518));
const constants_1 = __nccwpck_require__(8840);
const IS_WINDOWS = process.platform === 'win32';
// Returns tar path and type: BSD or GNU
function getTarPath() {
function getTarPath(args, compressionMethod) {
return __awaiter(this, void 0, void 0, function* () {
switch (process.platform) {
case 'win32': {
const gnuTar = yield utils.getGnuTarPathOnWindows();
const systemTar = constants_1.SystemTarPathOnWindows;
if (gnuTar) {
// Use GNUtar as default on windows
return { path: gnuTar, type: constants_1.ArchiveToolType.GNU };
const systemTar = `${process.env['windir']}\\System32\\tar.exe`;
if (compressionMethod !== constants_1.CompressionMethod.Gzip) {
// We only use zstandard compression on windows when gnu tar is installed due to
// a bug with compressing large files with bsdtar + zstd
args.push('--force-local');
}
else if (fs_1.existsSync(systemTar)) {
return { path: systemTar, type: constants_1.ArchiveToolType.BSD };
return systemTar;
}
else if (yield utils.isGnuTarInstalled()) {
args.push('--force-local');
}
break;
}
@ -1137,92 +1101,25 @@ function getTarPath() {
const gnuTar = yield io.which('gtar', false);
if (gnuTar) {
// fix permission denied errors when extracting BSD tar archive with GNU tar - https://github.com/actions/cache/issues/527
return { path: gnuTar, type: constants_1.ArchiveToolType.GNU };
}
else {
return {
path: yield io.which('tar', true),
type: constants_1.ArchiveToolType.BSD
};
args.push('--delay-directory-restore');
return gnuTar;
}
break;
}
default:
break;
}
// Default assumption is GNU tar is present in path
return {
path: yield io.which('tar', true),
type: constants_1.ArchiveToolType.GNU
};
return yield io.which('tar', true);
});
}
// Return arguments for tar as per tarPath, compressionMethod, method type and os
function getTarArgs(tarPath, compressionMethod, type, archivePath = '') {
function execTar(args, compressionMethod, cwd) {
return __awaiter(this, void 0, void 0, function* () {
const args = [`"${tarPath.path}"`];
const cacheFileName = utils.getCacheFileName(compressionMethod);
const tarFile = 'cache.tar';
const workingDirectory = getWorkingDirectory();
// Speficic args for BSD tar on windows for workaround
const BSD_TAR_ZSTD = tarPath.type === constants_1.ArchiveToolType.BSD &&
compressionMethod !== constants_1.CompressionMethod.Gzip &&
IS_WINDOWS;
// Method specific args
switch (type) {
case 'create':
args.push('--posix', '-cf', BSD_TAR_ZSTD
? tarFile
: cacheFileName.replace(new RegExp(`\\${path.sep}`, 'g'), '/'), '--exclude', BSD_TAR_ZSTD
? tarFile
: cacheFileName.replace(new RegExp(`\\${path.sep}`, 'g'), '/'), '-P', '-C', workingDirectory.replace(new RegExp(`\\${path.sep}`, 'g'), '/'), '--files-from', constants_1.ManifestFilename);
break;
case 'extract':
args.push('-xf', BSD_TAR_ZSTD
? tarFile
: archivePath.replace(new RegExp(`\\${path.sep}`, 'g'), '/'), '-P', '-C', workingDirectory.replace(new RegExp(`\\${path.sep}`, 'g'), '/'));
break;
case 'list':
args.push('-tf', BSD_TAR_ZSTD
? tarFile
: archivePath.replace(new RegExp(`\\${path.sep}`, 'g'), '/'), '-P');
break;
try {
yield exec_1.exec(`"${yield getTarPath(args, compressionMethod)}"`, args, { cwd });
}
// Platform specific args
if (tarPath.type === constants_1.ArchiveToolType.GNU) {
switch (process.platform) {
case 'win32':
args.push('--force-local');
break;
case 'darwin':
args.push('--delay-directory-restore');
break;
}
catch (error) {
throw new Error(`Tar failed with error: ${error === null || error === void 0 ? void 0 : error.message}`);
}
return args;
});
}
// Returns commands to run tar and compression program
function getCommands(compressionMethod, type, archivePath = '') {
return __awaiter(this, void 0, void 0, function* () {
let args;
const tarPath = yield getTarPath();
const tarArgs = yield getTarArgs(tarPath, compressionMethod, type, archivePath);
const compressionArgs = type !== 'create'
? yield getDecompressionProgram(tarPath, compressionMethod, archivePath)
: yield getCompressionProgram(tarPath, compressionMethod);
const BSD_TAR_ZSTD = tarPath.type === constants_1.ArchiveToolType.BSD &&
compressionMethod !== constants_1.CompressionMethod.Gzip &&
IS_WINDOWS;
if (BSD_TAR_ZSTD && type !== 'create') {
args = [[...compressionArgs].join(' '), [...tarArgs].join(' ')];
}
else {
args = [[...tarArgs].join(' '), [...compressionArgs].join(' ')];
}
if (BSD_TAR_ZSTD) {
return args;
}
return [args.join(' ')];
});
}
function getWorkingDirectory() {
@ -1230,119 +1127,91 @@ function getWorkingDirectory() {
return (_a = process.env['GITHUB_WORKSPACE']) !== null && _a !== void 0 ? _a : process.cwd();
}
// Common function for extractTar and listTar to get the compression method
function getDecompressionProgram(tarPath, compressionMethod, archivePath) {
return __awaiter(this, void 0, void 0, function* () {
// -d: Decompress.
// unzstd is equivalent to 'zstd -d'
// --long=#: Enables long distance matching with # bits. Maximum is 30 (1GB) on 32-bit OS and 31 (2GB) on 64-bit.
// Using 30 here because we also support 32-bit self-hosted runners.
const BSD_TAR_ZSTD = tarPath.type === constants_1.ArchiveToolType.BSD &&
compressionMethod !== constants_1.CompressionMethod.Gzip &&
IS_WINDOWS;
switch (compressionMethod) {
case constants_1.CompressionMethod.Zstd:
return BSD_TAR_ZSTD
? [
'zstd -d --long=30 --force -o',
constants_1.TarFilename,
archivePath.replace(new RegExp(`\\${path.sep}`, 'g'), '/')
]
: [
'--use-compress-program',
IS_WINDOWS ? '"zstd -d --long=30"' : 'unzstd --long=30'
];
case constants_1.CompressionMethod.ZstdWithoutLong:
return BSD_TAR_ZSTD
? [
'zstd -d --force -o',
constants_1.TarFilename,
archivePath.replace(new RegExp(`\\${path.sep}`, 'g'), '/')
]
: ['--use-compress-program', IS_WINDOWS ? '"zstd -d"' : 'unzstd'];
default:
return ['-z'];
}
});
function getCompressionProgram(compressionMethod) {
// -d: Decompress.
// unzstd is equivalent to 'zstd -d'
// --long=#: Enables long distance matching with # bits. Maximum is 30 (1GB) on 32-bit OS and 31 (2GB) on 64-bit.
// Using 30 here because we also support 32-bit self-hosted runners.
switch (compressionMethod) {
case constants_1.CompressionMethod.Zstd:
return [
'--use-compress-program',
IS_WINDOWS ? 'zstd -d --long=30' : 'unzstd --long=30'
];
case constants_1.CompressionMethod.ZstdWithoutLong:
return ['--use-compress-program', IS_WINDOWS ? 'zstd -d' : 'unzstd'];
default:
return ['-z'];
}
}
// Used for creating the archive
// -T#: Compress using # working thread. If # is 0, attempt to detect and use the number of physical CPU cores.
// zstdmt is equivalent to 'zstd -T0'
// --long=#: Enables long distance matching with # bits. Maximum is 30 (1GB) on 32-bit OS and 31 (2GB) on 64-bit.
// Using 30 here because we also support 32-bit self-hosted runners.
// Long range mode is added to zstd in v1.3.2 release, so we will not use --long in older version of zstd.
function getCompressionProgram(tarPath, compressionMethod) {
return __awaiter(this, void 0, void 0, function* () {
const cacheFileName = utils.getCacheFileName(compressionMethod);
const BSD_TAR_ZSTD = tarPath.type === constants_1.ArchiveToolType.BSD &&
compressionMethod !== constants_1.CompressionMethod.Gzip &&
IS_WINDOWS;
switch (compressionMethod) {
case constants_1.CompressionMethod.Zstd:
return BSD_TAR_ZSTD
? [
'zstd -T0 --long=30 --force -o',
cacheFileName.replace(new RegExp(`\\${path.sep}`, 'g'), '/'),
constants_1.TarFilename
]
: [
'--use-compress-program',
IS_WINDOWS ? '"zstd -T0 --long=30"' : 'zstdmt --long=30'
];
case constants_1.CompressionMethod.ZstdWithoutLong:
return BSD_TAR_ZSTD
? [
'zstd -T0 --force -o',
cacheFileName.replace(new RegExp(`\\${path.sep}`, 'g'), '/'),
constants_1.TarFilename
]
: ['--use-compress-program', IS_WINDOWS ? '"zstd -T0"' : 'zstdmt'];
default:
return ['-z'];
}
});
}
// Executes all commands as separate processes
function execCommands(commands, cwd) {
return __awaiter(this, void 0, void 0, function* () {
for (const command of commands) {
try {
yield exec_1.exec(command, undefined, {
cwd,
env: Object.assign(Object.assign({}, process.env), { MSYS: 'winsymlinks:nativestrict' })
});
}
catch (error) {
throw new Error(`${command.split(' ')[0]} failed with error: ${error === null || error === void 0 ? void 0 : error.message}`);
}
}
});
}
// List the contents of a tar
function listTar(archivePath, compressionMethod) {
return __awaiter(this, void 0, void 0, function* () {
const commands = yield getCommands(compressionMethod, 'list', archivePath);
yield execCommands(commands);
const args = [
...getCompressionProgram(compressionMethod),
'-tf',
archivePath.replace(new RegExp(`\\${path.sep}`, 'g'), '/'),
'-P'
];
yield execTar(args, compressionMethod);
});
}
exports.listTar = listTar;
// Extract a tar
function extractTar(archivePath, compressionMethod) {
return __awaiter(this, void 0, void 0, function* () {
// Create directory to extract tar into
const workingDirectory = getWorkingDirectory();
yield io.mkdirP(workingDirectory);
const commands = yield getCommands(compressionMethod, 'extract', archivePath);
yield execCommands(commands);
const args = [
...getCompressionProgram(compressionMethod),
'-xf',
archivePath.replace(new RegExp(`\\${path.sep}`, 'g'), '/'),
'-P',
'-C',
workingDirectory.replace(new RegExp(`\\${path.sep}`, 'g'), '/')
];
yield execTar(args, compressionMethod);
});
}
exports.extractTar = extractTar;
// Create a tar
function createTar(archiveFolder, sourceDirectories, compressionMethod) {
return __awaiter(this, void 0, void 0, function* () {
// Write source directories to manifest.txt to avoid command length limits
fs_1.writeFileSync(path.join(archiveFolder, constants_1.ManifestFilename), sourceDirectories.join('\n'));
const commands = yield getCommands(compressionMethod, 'create');
yield execCommands(commands, archiveFolder);
const manifestFilename = 'manifest.txt';
const cacheFileName = utils.getCacheFileName(compressionMethod);
fs_1.writeFileSync(path.join(archiveFolder, manifestFilename), sourceDirectories.join('\n'));
const workingDirectory = getWorkingDirectory();
// -T#: Compress using # working thread. If # is 0, attempt to detect and use the number of physical CPU cores.
// zstdmt is equivalent to 'zstd -T0'
// --long=#: Enables long distance matching with # bits. Maximum is 30 (1GB) on 32-bit OS and 31 (2GB) on 64-bit.
// Using 30 here because we also support 32-bit self-hosted runners.
// Long range mode is added to zstd in v1.3.2 release, so we will not use --long in older version of zstd.
function getCompressionProgram() {
switch (compressionMethod) {
case constants_1.CompressionMethod.Zstd:
return [
'--use-compress-program',
IS_WINDOWS ? 'zstd -T0 --long=30' : 'zstdmt --long=30'
];
case constants_1.CompressionMethod.ZstdWithoutLong:
return ['--use-compress-program', IS_WINDOWS ? 'zstd -T0' : 'zstdmt'];
default:
return ['-z'];
}
}
const args = [
'--posix',
...getCompressionProgram(),
'-cf',
cacheFileName.replace(new RegExp(`\\${path.sep}`, 'g'), '/'),
'--exclude',
cacheFileName.replace(new RegExp(`\\${path.sep}`, 'g'), '/'),
'-P',
'-C',
workingDirectory.replace(new RegExp(`\\${path.sep}`, 'g'), '/'),
'--files-from',
manifestFilename
];
yield execTar(args, compressionMethod, archiveFolder);
});
}
exports.createTar = createTar;
@ -61292,8 +61161,8 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
core.error(line);
});
}
var disable_sudo = core.getBooleanInput("disable-sudo");
if (!disable_sudo) {
var disable_sudo = process.env.STATE_disableSudo;
if (disable_sudo !== "true") {
var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service", {
encoding: "utf8",
});

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

178
dist/pre/index.js vendored
View file

@ -46,6 +46,7 @@ const crypto = __importStar(__nccwpck_require__(6417));
const fs = __importStar(__nccwpck_require__(5747));
const url_1 = __nccwpck_require__(8835);
const utils = __importStar(__nccwpck_require__(1518));
const constants_1 = __nccwpck_require__(8840);
const downloadUtils_1 = __nccwpck_require__(5500);
const options_1 = __nccwpck_require__(6215);
const requestUtils_1 = __nccwpck_require__(3981);
@ -75,17 +76,10 @@ function createHttpClient() {
const bearerCredentialHandler = new auth_1.BearerCredentialHandler(token);
return new http_client_1.HttpClient('actions/cache', [bearerCredentialHandler], getRequestOptions());
}
function getCacheVersion(paths, compressionMethod, enableCrossOsArchive = false) {
const components = paths;
// Add compression method to cache version to restore
// compressed cache as per compression method
if (compressionMethod) {
components.push(compressionMethod);
}
// Only check for windows platforms if enableCrossOsArchive is false
if (process.platform === 'win32' && !enableCrossOsArchive) {
components.push('windows-only');
}
function getCacheVersion(paths, compressionMethod) {
const components = paths.concat(!compressionMethod || compressionMethod === constants_1.CompressionMethod.Gzip
? []
: [compressionMethod]);
// Add salt to cache version to support breaking changes in cache entry
components.push(versionSalt);
return crypto
@ -97,15 +91,10 @@ exports.getCacheVersion = getCacheVersion;
function getCacheEntry(keys, paths, options) {
return __awaiter(this, void 0, void 0, function* () {
const httpClient = createHttpClient();
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod, options === null || options === void 0 ? void 0 : options.enableCrossOsArchive);
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod);
const resource = `cache?keys=${encodeURIComponent(keys.join(','))}&version=${version}`;
const response = yield requestUtils_1.retryTypedResponse('getCacheEntry', () => __awaiter(this, void 0, void 0, function* () { return httpClient.getJson(getCacheApiUrl(resource)); }));
// Cache not found
if (response.statusCode === 204) {
// List cache for primary key only if cache miss occurs
if (core.isDebug()) {
yield printCachesListForDiagnostics(keys[0], httpClient, version);
}
return null;
}
if (!requestUtils_1.isSuccessStatusCode(response.statusCode)) {
@ -114,7 +103,6 @@ function getCacheEntry(keys, paths, options) {
const cacheResult = response.result;
const cacheDownloadUrl = cacheResult === null || cacheResult === void 0 ? void 0 : cacheResult.archiveLocation;
if (!cacheDownloadUrl) {
// Cache achiveLocation not found. This should never happen, and hence bail out.
throw new Error('Cache not found.');
}
core.setSecret(cacheDownloadUrl);
@ -124,22 +112,6 @@ function getCacheEntry(keys, paths, options) {
});
}
exports.getCacheEntry = getCacheEntry;
function printCachesListForDiagnostics(key, httpClient, version) {
return __awaiter(this, void 0, void 0, function* () {
const resource = `caches?key=${encodeURIComponent(key)}`;
const response = yield requestUtils_1.retryTypedResponse('listCache', () => __awaiter(this, void 0, void 0, function* () { return httpClient.getJson(getCacheApiUrl(resource)); }));
if (response.statusCode === 200) {
const cacheListResult = response.result;
const totalCount = cacheListResult === null || cacheListResult === void 0 ? void 0 : cacheListResult.totalCount;
if (totalCount && totalCount > 0) {
core.debug(`No matching cache found for cache key '${key}', version '${version} and scope ${process.env['GITHUB_REF']}. There exist one or more cache(s) with similar key but they have different version or scope. See more info on cache matching here: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key \nOther caches with similar key:`);
for (const cacheEntry of (cacheListResult === null || cacheListResult === void 0 ? void 0 : cacheListResult.artifactCaches) || []) {
core.debug(`Cache Key: ${cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.cacheKey}, Cache Version: ${cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.cacheVersion}, Cache Scope: ${cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.scope}, Cache Created: ${cacheEntry === null || cacheEntry === void 0 ? void 0 : cacheEntry.creationTime}`);
}
}
}
});
}
function downloadCache(archiveLocation, archivePath, options) {
return __awaiter(this, void 0, void 0, function* () {
const archiveUrl = new url_1.URL(archiveLocation);
@ -160,7 +132,7 @@ exports.downloadCache = downloadCache;
function reserveCache(key, paths, options) {
return __awaiter(this, void 0, void 0, function* () {
const httpClient = createHttpClient();
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod, options === null || options === void 0 ? void 0 : options.enableCrossOsArchive);
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod);
const reserveCacheRequest = {
key,
version,
@ -378,13 +350,12 @@ function unlinkFile(filePath) {
});
}
exports.unlinkFile = unlinkFile;
function getVersion(app, additionalArgs = []) {
function getVersion(app) {
return __awaiter(this, void 0, void 0, function* () {
core.debug(`Checking ${app} --version`);
let versionOutput = '';
additionalArgs.push('--version');
core.debug(`Checking ${app} ${additionalArgs.join(' ')}`);
try {
yield exec.exec(`${app}`, additionalArgs, {
yield exec.exec(`${app} --version`, [], {
ignoreReturnCode: true,
silent: true,
listeners: {
@ -404,15 +375,24 @@ function getVersion(app, additionalArgs = []) {
// Use zstandard if possible to maximize cache performance
function getCompressionMethod() {
return __awaiter(this, void 0, void 0, function* () {
const versionOutput = yield getVersion('zstd', ['--quiet']);
const version = semver.clean(versionOutput);
core.debug(`zstd version: ${version}`);
if (versionOutput === '') {
if (process.platform === 'win32' && !(yield isGnuTarInstalled())) {
// Disable zstd due to bug https://github.com/actions/cache/issues/301
return constants_1.CompressionMethod.Gzip;
}
else {
const versionOutput = yield getVersion('zstd');
const version = semver.clean(versionOutput);
if (!versionOutput.toLowerCase().includes('zstd command line interface')) {
// zstd is not installed
return constants_1.CompressionMethod.Gzip;
}
else if (!version || semver.lt(version, 'v1.3.2')) {
// zstd is installed but using a version earlier than v1.3.2
// v1.3.2 is required to use the `--long` options in zstd
return constants_1.CompressionMethod.ZstdWithoutLong;
}
else {
return constants_1.CompressionMethod.Zstd;
}
});
}
exports.getCompressionMethod = getCompressionMethod;
@ -422,16 +402,13 @@ function getCacheFileName(compressionMethod) {
: constants_1.CacheFilename.Zstd;
}
exports.getCacheFileName = getCacheFileName;
function getGnuTarPathOnWindows() {
function isGnuTarInstalled() {
return __awaiter(this, void 0, void 0, function* () {
if (fs.existsSync(constants_1.GnuTarPathOnWindows)) {
return constants_1.GnuTarPathOnWindows;
}
const versionOutput = yield getVersion('tar');
return versionOutput.toLowerCase().includes('gnu tar') ? io.which('tar') : '';
return versionOutput.toLowerCase().includes('gnu tar');
});
}
exports.getGnuTarPathOnWindows = getGnuTarPathOnWindows;
exports.isGnuTarInstalled = isGnuTarInstalled;
function assertDefined(name, value) {
if (value === undefined) {
throw Error(`Expected ${name} but value was undefiend`);
@ -467,11 +444,6 @@ var CompressionMethod;
CompressionMethod["ZstdWithoutLong"] = "zstd-without-long";
CompressionMethod["Zstd"] = "zstd";
})(CompressionMethod = exports.CompressionMethod || (exports.CompressionMethod = {}));
var ArchiveToolType;
(function (ArchiveToolType) {
ArchiveToolType["GNU"] = "gnu";
ArchiveToolType["BSD"] = "bsd";
})(ArchiveToolType = exports.ArchiveToolType || (exports.ArchiveToolType = {}));
// The default number of retry attempts.
exports.DefaultRetryAttempts = 2;
// The default delay in milliseconds between retry attempts.
@ -480,12 +452,6 @@ exports.DefaultRetryDelay = 5000;
// over the socket during this period, the socket is destroyed and the download
// is aborted.
exports.SocketTimeout = 5000;
// The default path of GNUtar on hosted Windows runners
exports.GnuTarPathOnWindows = `${process.env['PROGRAMFILES']}\\Git\\usr\\bin\\tar.exe`;
// The default path of BSDtar on hosted Windows runners
exports.SystemTarPathOnWindows = `${process.env['SYSTEMDRIVE']}\\Windows\\System32\\tar.exe`;
exports.TarFilename = 'cache.tar';
exports.ManifestFilename = 'manifest.txt';
//# sourceMappingURL=constants.js.map
/***/ }),
@ -69094,6 +69060,72 @@ function isValidEvent() {
return RefKey in process.env && Boolean(process.env[RefKey]);
}
;// CONCATENATED MODULE: ./src/policy-utils.ts
var policy_utils_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
const API_ENDPOINT = "https://agent.api.stepsecurity.io/v1";
function fetchPolicy(owner, policyName, idToken) {
return policy_utils_awaiter(this, void 0, void 0, function* () {
if (idToken === "") {
throw new Error("[PolicyFetch]: id-token in empty");
}
let policyEndpoint = `${API_ENDPOINT}/github/${owner}/actions/policies/${policyName}`;
let httpClient = new lib.HttpClient();
let headers = {};
headers["Authorization"] = `Bearer ${idToken}`;
headers["Source"] = "github-actions";
let response = undefined;
let err = undefined;
let retry = 0;
while (retry < 3) {
try {
console.log(`Attempt: ${retry + 1}`);
response = yield httpClient.getJson(policyEndpoint, headers);
break;
}
catch (e) {
err = e;
}
retry += 1;
yield sleep(1000);
}
if (response === undefined && err !== undefined) {
throw new Error(`[Policy Fetch] ${err}`);
}
else {
return response.result;
}
});
}
function mergeConfigs(localConfig, remoteConfig) {
if (localConfig.allowed_endpoints === "") {
localConfig.allowed_endpoints = remoteConfig.allowed_endpoints.join(" ");
}
if (remoteConfig.disable_sudo !== undefined) {
localConfig.disable_sudo = remoteConfig.disable_sudo;
}
if (remoteConfig.disable_file_monitoring !== undefined) {
localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
}
if (remoteConfig.egress_policy !== undefined) {
localConfig.egress_policy = remoteConfig.egress_policy;
}
return localConfig;
}
function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});
}
// EXTERNAL MODULE: ./node_modules/@actions/cache/lib/internal/cacheHttpClient.js
var cacheHttpClient = __nccwpck_require__(8245);
// EXTERNAL MODULE: ./node_modules/@actions/cache/lib/internal/cacheUtils.js
@ -69123,6 +69155,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
(() => setup_awaiter(void 0, void 0, void 0, function* () {
try {
if (process.platform !== "linux") {
@ -69137,7 +69170,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
var env = "agent";
var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://app.stepsecurity.io";
const confg = {
let confg = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
correlation_id: correlation_id,
@ -69150,6 +69183,23 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
disable_file_monitoring: lib_core.getBooleanInput("disable-file-monitoring"),
private: github.context.payload.repository.private,
};
let policyName = lib_core.getInput("policy");
if (policyName !== "") {
console.log(`Fetching policy from API with name: ${policyName}`);
try {
let idToken = yield lib_core.getIDToken();
let result = yield fetchPolicy(github.context.repo.owner, policyName, idToken);
confg = mergeConfigs(confg, result);
}
catch (err) {
lib_core.info(`[!] ${err}`);
lib_core.setFailed(err);
}
}
external_fs_.appendFileSync(process.env.GITHUB_STATE, `disableSudo=${confg.disable_sudo}${external_os_.EOL}`, {
encoding: "utf8",
});
lib_core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
lib_core.setFailed("egress-policy must be either audit or block");
}
@ -69236,7 +69286,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
}
break;
}
yield sleep(300);
yield setup_sleep(300);
} // The file *does* exist
else {
// Read the file
@ -69250,7 +69300,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
lib_core.setFailed(error.message);
}
}))();
function sleep(ms) {
function setup_sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

67
package-lock.json generated
View file

@ -30,6 +30,7 @@
"eslint-config-google": "^0.14.0",
"jest": "^29.3.1",
"jest-junit": ">=13.0.0",
"nock": "^13.3.0",
"ts-jest": "^29.0.3",
"typescript": "^4.3.5"
}
@ -5404,6 +5405,12 @@
"integrity": "sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE=",
"dev": true
},
"node_modules/json-stringify-safe": {
"version": "5.0.1",
"resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz",
"integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==",
"dev": true
},
"node_modules/json5": {
"version": "2.2.3",
"resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
@ -5465,6 +5472,12 @@
"node": ">=8"
}
},
"node_modules/lodash": {
"version": "4.17.21",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
"dev": true
},
"node_modules/lodash.memoize": {
"version": "4.1.2",
"resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz",
@ -5616,6 +5629,21 @@
"integrity": "sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=",
"dev": true
},
"node_modules/nock": {
"version": "13.3.0",
"resolved": "https://registry.npmjs.org/nock/-/nock-13.3.0.tgz",
"integrity": "sha512-HHqYQ6mBeiMc+N038w8LkMpDCRquCHWeNmN3v6645P3NhN2+qXOBqvPqo7Rt1VyCMzKhJ733wZqw5B7cQVFNPg==",
"dev": true,
"dependencies": {
"debug": "^4.1.0",
"json-stringify-safe": "^5.0.1",
"lodash": "^4.17.21",
"propagate": "^2.0.0"
},
"engines": {
"node": ">= 10.13"
}
},
"node_modules/node-domexception": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
@ -5945,6 +5973,15 @@
"node": ">= 6"
}
},
"node_modules/propagate": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/propagate/-/propagate-2.0.1.tgz",
"integrity": "sha512-vGrhOavPSTz4QVNuBNdcNXePNdNMaO1xj9yBeH1ScQPjk/rhg9sSlCXPhMkFuaNNW/syTvYqsnbIJxMBfRbbag==",
"dev": true,
"engines": {
"node": ">= 8"
}
},
"node_modules/psl": {
"version": "1.8.0",
"resolved": "https://registry.npmjs.org/psl/-/psl-1.8.0.tgz",
@ -10914,6 +10951,12 @@
"integrity": "sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE=",
"dev": true
},
"json-stringify-safe": {
"version": "5.0.1",
"resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz",
"integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==",
"dev": true
},
"json5": {
"version": "2.2.3",
"resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
@ -10957,6 +11000,12 @@
"p-locate": "^4.1.0"
}
},
"lodash": {
"version": "4.17.21",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
"dev": true
},
"lodash.memoize": {
"version": "4.1.2",
"resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz",
@ -11075,6 +11124,18 @@
"integrity": "sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=",
"dev": true
},
"nock": {
"version": "13.3.0",
"resolved": "https://registry.npmjs.org/nock/-/nock-13.3.0.tgz",
"integrity": "sha512-HHqYQ6mBeiMc+N038w8LkMpDCRquCHWeNmN3v6645P3NhN2+qXOBqvPqo7Rt1VyCMzKhJ733wZqw5B7cQVFNPg==",
"dev": true,
"requires": {
"debug": "^4.1.0",
"json-stringify-safe": "^5.0.1",
"lodash": "^4.17.21",
"propagate": "^2.0.0"
}
},
"node-domexception": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
@ -11302,6 +11363,12 @@
"sisteransi": "^1.0.5"
}
},
"propagate": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/propagate/-/propagate-2.0.1.tgz",
"integrity": "sha512-vGrhOavPSTz4QVNuBNdcNXePNdNMaO1xj9yBeH1ScQPjk/rhg9sSlCXPhMkFuaNNW/syTvYqsnbIJxMBfRbbag==",
"dev": true
},
"psl": {
"version": "1.8.0",
"resolved": "https://registry.npmjs.org/psl/-/psl-1.8.0.tgz",

3
package.json
View file

@ -1,6 +1,6 @@
{
"name": "step-security-harden-runner",
"version": "2.2.1",
"version": "2.3.0",
"description": "Security agent for GitHub-hosted runner to monitor the build process",
"main": "index.js",
"scripts": {
@ -44,6 +44,7 @@
"eslint-config-google": "^0.14.0",
"jest": "^29.3.1",
"jest-junit": ">=13.0.0",
"nock": "^13.3.0",
"ts-jest": "^29.0.3",
"typescript": "^4.3.5"
}

4
src/cleanup.ts
View file

@ -70,8 +70,8 @@ import path from "path";
});
}
var disable_sudo = core.getBooleanInput("disable-sudo");
if (!disable_sudo) {
var disable_sudo = process.env.STATE_disableSudo;
if (disable_sudo !== "true") {
var journalLog = cp.execSync("sudo journalctl -u agent.service", {
encoding: "utf8",
});

23
src/interfaces.ts Normal file
View file

@ -0,0 +1,23 @@
export interface Configuration {
repo: string;
run_id: string;
correlation_id: string;
working_directory: string;
api_url: string;
allowed_endpoints: string;
egress_policy: string;
disable_telemetry: boolean;
disable_sudo: boolean;
disable_file_monitoring: boolean;
private: string;
}
export interface PolicyResponse {
owner?: string;
policyName?: string;
allowed_endpoints?: string[];
disable_sudo?: boolean;
disable_file_monitoring?: boolean;
disable_telemetry?: boolean;
egress_policy?: string;
}

67
src/policy-utils.test.ts Normal file
View file

@ -0,0 +1,67 @@
import nock from "nock";
import { API_ENDPOINT, fetchPolicy, mergeConfigs } from "./policy-utils";
import { Configuration, PolicyResponse } from "./interfaces";
test("success: fetching policy", async () => {
let owner = "h0x0er";
let policyName = "policy1";
let response = {
owner: "h0x0er",
policyName: "policy1",
allowed_endpoints: ["github.com:443"],
egress_policy: "audit",
disable_telemetry: false,
disable_sudo: false,
disable_file_monitoring: false,
};
const policyScope = nock(`${API_ENDPOINT}`)
.get(`/github/${owner}/actions/policies/${policyName}`)
.reply(200, response);
let idToken = "xyz";
let policy = await fetchPolicy(owner, policyName, idToken);
console.log(policy);
expect(policy).toStrictEqual(response);
});
test("merge configs", async () => {
let localConfig: Configuration = {
repo: "test/repo",
run_id: "xyx",
correlation_id: "aaaaa",
working_directory: "/xyz",
api_url: "xyz",
allowed_endpoints: "",
egress_policy: "audit",
disable_telemetry: false,
disable_sudo: false,
disable_file_monitoring: false,
private: "true",
};
let policyResponse: PolicyResponse = {
owner: "h0x0er",
policyName: "policy1",
allowed_endpoints: ["github.com:443", "google.com:443"],
egress_policy: "audit",
disable_telemetry: false,
disable_sudo: false,
disable_file_monitoring: false,
};
let expectedConfiguration: Configuration = {
repo: "test/repo",
run_id: "xyx",
correlation_id: "aaaaa",
working_directory: "/xyz",
api_url: "xyz",
allowed_endpoints: "github.com:443 google.com:443",
egress_policy: "audit",
disable_telemetry: false,
disable_sudo: false,
disable_file_monitoring: false,
private: "true",
};
localConfig = mergeConfigs(localConfig, policyResponse);
expect(localConfig).toStrictEqual(expectedConfiguration);
});

75
src/policy-utils.ts Normal file
View file

@ -0,0 +1,75 @@
import { HttpClient } from "@actions/http-client";
import { PolicyResponse, Configuration } from "./interfaces";
export const API_ENDPOINT = "https://agent.api.stepsecurity.io/v1";
export async function fetchPolicy(
owner: string,
policyName: string,
idToken: string
): Promise<PolicyResponse> {
if (idToken === "") {
throw new Error("[PolicyFetch]: id-token in empty");
}
let policyEndpoint = `${API_ENDPOINT}/github/${owner}/actions/policies/${policyName}`;
let httpClient = new HttpClient();
let headers = {};
headers["Authorization"] = `Bearer ${idToken}`;
headers["Source"] = "github-actions";
let response = undefined;
let err = undefined;
let retry = 0;
while(retry < 3){
try{
console.log(`Attempt: ${retry+1}`)
response = await httpClient.getJson<PolicyResponse>(
policyEndpoint,
headers
);
break;
}catch(e){
err = e
}
retry += 1
await sleep(1000);
}
if(response === undefined && err !== undefined){
throw new Error(`[Policy Fetch] ${err}`)
}else{
return response.result;
}
}
export function mergeConfigs(
localConfig: Configuration,
remoteConfig: PolicyResponse
) {
if (localConfig.allowed_endpoints === "") {
localConfig.allowed_endpoints = remoteConfig.allowed_endpoints.join(" ");
}
if (remoteConfig.disable_sudo !== undefined) {
localConfig.disable_sudo = remoteConfig.disable_sudo;
}
if (remoteConfig.disable_file_monitoring !== undefined) {
localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
}
if (remoteConfig.egress_policy !== undefined) {
localConfig.egress_policy = remoteConfig.egress_policy;
}
return localConfig;
}
function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});
}

29
src/setup.ts
View file

@ -17,6 +17,8 @@ import {
CompressionMethod,
isValidEvent,
} from "./cache";
import { Configuration, PolicyResponse } from "./interfaces";
import { fetchPolicy, mergeConfigs } from "./policy-utils";
import {getCacheEntry} from "@actions/cache/lib/internal/cacheHttpClient"
import * as utils from '@actions/cache/lib/internal/cacheUtils'
@ -37,7 +39,7 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://app.stepsecurity.io";
const confg = {
let confg: Configuration = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
correlation_id: correlation_id,
@ -51,6 +53,31 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
private: context.payload.repository.private,
};
let policyName = core.getInput("policy");
if (policyName !== "") {
console.log(`Fetching policy from API with name: ${policyName}`);
try {
let idToken: string = await core.getIDToken()
let result: PolicyResponse = await fetchPolicy(
context.repo.owner,
policyName,
idToken
);
confg = mergeConfigs(confg, result);
} catch (err) {
core.info(`[!] ${err}`);
core.setFailed(err);
}
}
fs.appendFileSync(
process.env.GITHUB_STATE,
`disableSudo=${confg.disable_sudo}${EOL}`,
{
encoding: "utf8",
}
);
core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
core.setFailed("egress-policy must be either audit or block");
}