Merge pull request #630 from sailikhith-stepsecurity/win_agent

Update sha reference for windows agent

dist/index.js

@@ -31979,6 +31979,7 @@ function addSummary() {
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
 const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
+const UNSUPPORTED_PLATFORM_MESSAGE = "This job is not running on a supported platform. Harden Runner supports Linux (Ubuntu) and Windows runners. This job will not be monitored.";
 const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
@@ -32091,8 +32092,8 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu
         console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
         return;
     }
-    if (process.platform !== "linux") {
+    if (process.platform !== "linux" && process.platform !== "win32") {
-        console.log(UBUNTU_MESSAGE);
+        console.log(UNSUPPORTED_PLATFORM_MESSAGE);
         return;
     }
     if (isGithubHosted() && isDocker()) {

dist/post/index.js

@@ -31878,6 +31878,8 @@ var __webpack_exports__ = {};
 var external_fs_ = __nccwpck_require__(9896);
 // EXTERNAL MODULE: external "child_process"
 var external_child_process_ = __nccwpck_require__(5317);
+// EXTERNAL MODULE: external "path"
+var external_path_ = __nccwpck_require__(6928);
 // EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
 var lib_core = __nccwpck_require__(7484);
 ;// CONCATENATED MODULE: ./src/configs.ts
@@ -31986,6 +31988,7 @@ function addSummary() {
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
 const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
+const UNSUPPORTED_PLATFORM_MESSAGE = "This job is not running on a supported platform. Harden Runner supports Linux (Ubuntu) and Windows runners. This job will not be monitored.";
 const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
@@ -32132,6 +32135,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
 
 
 
+
 (() => cleanup_awaiter(void 0, void 0, void 0, function* () {
     var _a, _b;
     console.log("[harden-runner] post-step");
@@ -32140,8 +32144,8 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
         return;
     }
-    if (process.platform !== "linux") {
+    if (process.platform !== "linux" && process.platform !== "win32") {
-        console.log(UBUNTU_MESSAGE);
+        console.log(UNSUPPORTED_PLATFORM_MESSAGE);
         return;
     }
     if (isGithubHosted() && isDocker()) {
@@ -32158,7 +32162,10 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
     if (process.env.STATE_customVMImage === "true") {
         return;
     }
-    if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
+    if (process.platform === "linux" && process.env.STATE_isTLS === "false" && process.arch === "arm64") {
+        return;
+    }
+    else if (process.platform === "win32" && process.arch === "arm64") {
         return;
     }
     if (String(process.env.STATE_monitorStatusCode) ===
@@ -32166,6 +32173,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
         return;
     }
+    if (process.platform === "linux") {
         if (isGithubHosted() && external_fs_.existsSync("/home/agent/post_event.json")) {
             console.log("Post step already executed, skipping");
             return;
@@ -32189,26 +32197,26 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         const log = "/home/agent/agent.log";
         if (external_fs_.existsSync(log)) {
             console.log("log:");
-        var content = external_fs_.readFileSync(log, "utf-8");
+            const content = external_fs_.readFileSync(log, "utf-8");
             console.log(content);
         }
         const daemonLog = "/home/agent/daemon.log";
         if (external_fs_.existsSync(daemonLog)) {
             console.log("daemonLog:");
-        var content = external_fs_.readFileSync(daemonLog, "utf-8");
+            const content = external_fs_.readFileSync(daemonLog, "utf-8");
             console.log(content);
         }
-    var status = "/home/agent/agent.status";
+        const status = "/home/agent/agent.status";
         if (external_fs_.existsSync(status)) {
             console.log("status:");
-        var content = external_fs_.readFileSync(status, "utf-8");
+            const content = external_fs_.readFileSync(status, "utf-8");
             console.log(content);
         }
-    var disable_sudo = process.env.STATE_disableSudo;
+        const disable_sudo = process.env.STATE_disableSudo;
-    var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
+        const disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
         if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
             try {
-            var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", {
+                const journalLog = external_child_process_.execSync("sudo journalctl -u agent.service --lines=1000", {
                     encoding: "utf8",
                     maxBuffer: 1024 * 1024 * 10, // 10MB buffer
                 });
@@ -32219,6 +32227,84 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
                 console.log("Warning: Could not fetch service logs:", error.message);
             }
         }
+    }
+    else if (process.platform === "win32") {
+        // windows cleanup
+        const agentDir = process.env.STATE_agentDir || "C:\\agent";
+        const postEventFile = external_path_.join(agentDir, "post_event.json");
+        if (isGithubHosted() && external_fs_.existsSync(postEventFile)) {
+            console.log("Windows post step already executed, skipping");
+            return;
+        }
+        const p = external_child_process_.spawn("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", "query user; exit $LASTEXITCODE"], { stdio: ["ignore", "pipe", "pipe"], shell: false, windowsHide: true });
+        p.unref();
+        external_fs_.writeFileSync(postEventFile, JSON.stringify({ event: "post" }));
+        const doneFile = external_path_.join(agentDir, "done.json");
+        let counter = 0;
+        while (true) {
+            if (!external_fs_.existsSync(doneFile)) {
+                counter++;
+                if (counter > 10) {
+                    console.log("timed out");
+                    break;
+                }
+                yield sleep(1000);
+            }
+            else {
+                break;
+            }
+        }
+        console.log("stopping windows agent process...");
+        const pidFile = external_path_.join(agentDir, "agent.pid");
+        try {
+            if (!external_fs_.existsSync(pidFile)) {
+                console.log("PID file not found. Agent may not be running.");
+                return;
+            }
+            const pid = parseInt(external_fs_.readFileSync(pidFile, "utf8").trim());
+            console.log(`agent PID from file: ${pid}`);
+            try {
+                process.kill(pid, 0); // signal 0 just checks if process exists
+            }
+            catch (_c) {
+                console.log("agent process not running.");
+                external_fs_.unlinkSync(pidFile);
+                return;
+            }
+            console.log(`stopping agent process (PID: ${pid})...`);
+            process.kill(pid, 'SIGINT');
+            let gracefulShutdown = false;
+            for (let i = 0; i < 10; i++) {
+                yield sleep(1000);
+                try {
+                    process.kill(pid, 0); // check if still exists
+                }
+                catch (_d) {
+                    gracefulShutdown = true;
+                    console.log("agent process stopped gracefully");
+                    break;
+                }
+            }
+            if (!gracefulShutdown) {
+                console.log("graceful shutdown timeout (10s), forcing termination...");
+                process.kill(pid, 'SIGKILL');
+                console.log("agent process terminated forcefully");
+            }
+            if (external_fs_.existsSync(pidFile)) {
+                external_fs_.unlinkSync(pidFile);
+                console.log("PID file cleaned up");
+            }
+        }
+        catch (error) {
+            console.log("warning: error stopping agent process:", error.message);
+        }
+        const log = external_path_.join(agentDir, "agent.log");
+        if (external_fs_.existsSync(log)) {
+            console.log("agent log:");
+            const content = external_fs_.readFileSync(log, "utf-8");
+            console.log(content);
+        }
+    }
     try {
         yield addSummary();
     }

dist/pre/index.js

@@ -85250,6 +85250,7 @@ function addSummary() {
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
 const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
+const UNSUPPORTED_PLATFORM_MESSAGE = "This job is not running on a supported platform. Harden Runner supports Linux (Ubuntu) and Windows runners. This job will not be monitored.";
 const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
@@ -85501,18 +85502,27 @@ const CHECKSUMS = {
     non_tls: {
         amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
     },
+    windows: {
+        amd64: "9e4fde66331be3261ae6ff954e531e94335b5774ac7e105f0126b391ee1c6d66", // v1.0.0-int
+    },
 };
-function verifyChecksum(downloadPath, isTLS, variant) {
+function verifyChecksum(downloadPath, isTLS, variant, platform) {
     const fileBuffer = external_fs_.readFileSync(downloadPath);
     const checksum = external_crypto_.createHash("sha256")
         .update(fileBuffer)
         .digest("hex"); // checksum of downloaded file
     let expectedChecksum = "";
-    if (isTLS) {
+    switch (platform) {
-        expectedChecksum = CHECKSUMS["tls"][variant];
+        case "linux":
-    }
+            expectedChecksum = isTLS
-    else {
+                ? CHECKSUMS["tls"][variant]
-        expectedChecksum = CHECKSUMS["non_tls"][variant];
+                : CHECKSUMS["non_tls"][variant];
+            break;
+        case "win32":
+            expectedChecksum = CHECKSUMS["windows"][variant];
+            break;
+        default:
+            throw new Error(`Unsupported platform: ${platform}`);
     }
     if (checksum !== expectedChecksum) {
         lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
@@ -85558,7 +85568,7 @@ function installAgent(isTLS, configStr) {
             }
             downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.14.2/agent_0.14.2_linux_amd64.tar.gz", undefined, auth);
         }
-        verifyChecksum(downloadPath, isTLS, variant);
+        verifyChecksum(downloadPath, isTLS, variant, process.platform);
         const extractPath = yield tool_cache.extractTar(downloadPath);
         let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
         external_child_process_.execFileSync(cmd, args);
@@ -85576,6 +85586,59 @@ function installAgent(isTLS, configStr) {
         return true;
     });
 }
+function installWindowsAgent(configStr) {
+    return install_agent_awaiter(this, void 0, void 0, function* () {
+        const token = lib_core.getInput("token", { required: true });
+        const auth = `token ${token}`;
+        const variant = process.arch === "x64" ? "amd64" : "arm64";
+        if (variant === "arm64") {
+            console.log(ARM64_RUNNER_MESSAGE);
+            return false;
+        }
+        const agentDir = "C:\\agent";
+        lib_core.info(`Creating agent directory: ${agentDir}`);
+        if (!external_fs_.existsSync(agentDir)) {
+            external_fs_.mkdirSync(agentDir, { recursive: true });
+        }
+        external_fs_.appendFileSync(process.env.GITHUB_STATE, `agentDir=${agentDir}${external_os_.EOL}`, {
+            encoding: "utf8",
+        });
+        const agentExePath = external_path_.join(agentDir, "agent.exe");
+        const downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-releases/releases/download/v1.0.0-int/harden-runner-agent-windows_int_windows_amd64.tar.gz `, undefined, auth);
+        verifyChecksum(downloadPath, false, variant, process.platform);
+        const extractPath = yield tool_cache.extractTar(downloadPath);
+        const extractedAgentPath = external_path_.join(extractPath, "agent.exe");
+        external_fs_.copyFileSync(extractedAgentPath, agentExePath);
+        lib_core.info(`Copied agent from ${extractedAgentPath} to ${agentExePath}`);
+        const configPath = external_path_.join(agentDir, "config.json");
+        external_fs_.writeFileSync(configPath, configStr);
+        lib_core.info(`Created config file: ${configPath}`);
+        lib_core.info("Starting Windows Agent...");
+        try {
+            const logPath = external_path_.join(agentDir, "agent.log");
+            const logStream = external_fs_.openSync(logPath, 'a');
+            lib_core.info(`Agent logs will be written to: ${logPath}`);
+            const agentProcess = external_child_process_.spawn(agentExePath, [], {
+                cwd: agentDir,
+                detached: true,
+                stdio: ['ignore', logStream, logStream],
+                windowsHide: false,
+                shell: false
+            });
+            const pidFile = external_path_.join(agentDir, "agent.pid");
+            external_fs_.writeFileSync(pidFile, agentProcess.pid.toString());
+            lib_core.info(`Agent process started with PID: ${agentProcess.pid}`);
+            lib_core.info(`PID saved to: ${pidFile}`);
+            agentProcess.unref();
+            lib_core.info("Windows Agent process started successfully");
+            return true;
+        }
+        catch (error) {
+            lib_core.setFailed(`Failed to start Windows agent process: ${error.message}`);
+            return false;
+        }
+    });
+}
 
 ;// CONCATENATED MODULE: ./src/setup.ts
 var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
@@ -85617,8 +85680,8 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
             console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
             return;
         }
-        if (process.platform !== "linux") {
+        if (process.platform !== "linux" && process.platform !== "win32") {
-            console.log(UBUNTU_MESSAGE);
+            console.log(UNSUPPORTED_PLATFORM_MESSAGE);
             return;
         }
         if (isGithubHosted() && isDocker()) {
@@ -85820,14 +85883,29 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
             return;
         }
         const confgStr = JSON.stringify(confg);
+        // install agent based on platform
+        let agentInstalled = false;
+        let statusFile;
+        let logFile;
+        if (process.platform === "win32") {
+            // Windows installation
+            lib_core.info("Installing Windows Agent...");
+            agentInstalled = yield installWindowsAgent(confgStr);
+            const agentDir = process.env.STATE_agentDir || "C:\\agent";
+            statusFile = external_path_.join(agentDir, "agent.status");
+            logFile = external_path_.join(agentDir, "agent.log");
+        }
+        else {
+            // Linux installation
             external_child_process_.execSync("sudo mkdir -p /home/agent");
             chownForFolder(process.env.USER, "/home/agent");
             let isTLS = yield isTLSEnabled(github.context.repo.owner);
-        const agentInstalled = yield installAgent(isTLS, confgStr);
+            agentInstalled = yield installAgent(isTLS, confgStr);
+            statusFile = "/home/agent/agent.status";
+            logFile = "/home/agent/agent.log";
+        }
         if (agentInstalled) {
             // Check that the file exists locally
-            var statusFile = "/home/agent/agent.status";
-            var logFile = "/home/agent/agent.log";
             var counter = 0;
             while (true) {
                 if (!external_fs_.existsSync(statusFile)) {

src/checksum.ts

@@ -10,12 +10,16 @@ const CHECKSUMS = {
   non_tls: {
     amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
   },
+  windows: {
+    amd64: "9e4fde66331be3261ae6ff954e531e94335b5774ac7e105f0126b391ee1c6d66", // v1.0.0-int
+  },
 };
 
 export function verifyChecksum(
   downloadPath: string,
   isTLS: boolean,
-  variant: string
+  variant: string,
+  platform: string
 ) {
   const fileBuffer: Buffer = fs.readFileSync(downloadPath);
   const checksum: string = crypto
@@ -25,10 +29,17 @@ export function verifyChecksum(
 
   let expectedChecksum: string = "";
 
-  if (isTLS) {
+  switch (platform) {
-    expectedChecksum = CHECKSUMS["tls"][variant];
+    case "linux":
-  } else {
+      expectedChecksum = isTLS
-    expectedChecksum = CHECKSUMS["non_tls"][variant];
+        ? CHECKSUMS["tls"][variant]
+        : CHECKSUMS["non_tls"][variant];
+      break;
+    case "win32":
+      expectedChecksum = CHECKSUMS["windows"][variant];
+      break;
+    default:
+      throw new Error(`Unsupported platform: ${platform}`);
   }
 
   if (checksum !== expectedChecksum) {

src/cleanup.ts

@@ -1,5 +1,6 @@
 import * as fs from "fs";
 import * as cp from "child_process";
+import * as path from "path";
 import * as common from "./common";
 import isDocker from "is-docker";
 import { isARCRunner } from "./arc-runner";
@@ -14,8 +15,8 @@ import { context } from "@actions/github";
     return;
   }
 
-  if (process.platform !== "linux") {
+  if (process.platform !== "linux" && process.platform !== "win32") {
-    console.log(common.UBUNTU_MESSAGE);
+    console.log(common.UNSUPPORTED_PLATFORM_MESSAGE);
     return;
   }
   if (isGithubHosted() && isDocker()) {
@@ -36,7 +37,9 @@ import { context } from "@actions/github";
     return;
   }
 
-  if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
+  if (process.platform === "linux" && process.env.STATE_isTLS === "false" && process.arch === "arm64") {
+    return;
+  } else if (process.platform === "win32" && process.arch === "arm64") {
     return;
   }
 
@@ -48,6 +51,7 @@ import { context } from "@actions/github";
     return;
   }
   
+  if (process.platform === "linux") {
     if (isGithubHosted() && fs.existsSync("/home/agent/post_event.json")) {
       console.log("Post step already executed, skipping");
       return;
@@ -78,30 +82,30 @@ import { context } from "@actions/github";
     const log = "/home/agent/agent.log";
     if (fs.existsSync(log)) {
       console.log("log:");
-    var content = fs.readFileSync(log, "utf-8");
+      const content = fs.readFileSync(log, "utf-8");
       console.log(content);
     }
 
     const daemonLog = "/home/agent/daemon.log";
     if (fs.existsSync(daemonLog)) {
       console.log("daemonLog:");
-    var content = fs.readFileSync(daemonLog, "utf-8");
+      const content = fs.readFileSync(daemonLog, "utf-8");
       console.log(content);
     }
 
-  var status = "/home/agent/agent.status";
+    const status = "/home/agent/agent.status";
     if (fs.existsSync(status)) {
       console.log("status:");
-    var content = fs.readFileSync(status, "utf-8");
+      const content = fs.readFileSync(status, "utf-8");
       console.log(content);
     }
 
-  var disable_sudo = process.env.STATE_disableSudo;
+    const disable_sudo = process.env.STATE_disableSudo;
-  var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
+    const disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
 
     if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
       try {
-      var journalLog = cp.execSync(
+        const journalLog = cp.execSync(
           "sudo journalctl -u agent.service --lines=1000",
           {
             encoding: "utf8",
@@ -114,6 +118,97 @@ import { context } from "@actions/github";
         console.log("Warning: Could not fetch service logs:", error.message);
       }
     }
+  } else if (process.platform === "win32") {
+    // windows cleanup
+    const agentDir = process.env.STATE_agentDir || "C:\\agent";
+    const postEventFile = path.join(agentDir, "post_event.json");
+
+    if (isGithubHosted() && fs.existsSync(postEventFile)) {
+      console.log("Windows post step already executed, skipping");
+      return;
+    }
+
+    const p = cp.spawn(
+      "powershell.exe",
+      ["-NoProfile", "-NonInteractive", "-Command", "query user; exit $LASTEXITCODE"],
+      { stdio: ["ignore", "pipe", "pipe"], shell: false, windowsHide: true }
+    );
+    p.unref();
+
+    fs.writeFileSync(postEventFile, JSON.stringify({ event: "post" }));
+
+    const doneFile = path.join(agentDir, "done.json");
+    let counter = 0;
+    while (true) {
+      if (!fs.existsSync(doneFile)) {
+        counter++;
+        if (counter > 10) {
+          console.log("timed out");
+          break;
+        }
+        await sleep(1000);
+      } else {
+        break;
+      }
+    }
+
+    console.log("stopping windows agent process...");
+    const pidFile = path.join(agentDir, "agent.pid");
+
+    try {
+      if (!fs.existsSync(pidFile)) {
+        console.log("PID file not found. Agent may not be running.");
+        return;
+      }
+
+      const pid = parseInt(fs.readFileSync(pidFile, "utf8").trim());
+      console.log(`agent PID from file: ${pid}`);
+
+      try {
+        process.kill(pid, 0); // signal 0 just checks if process exists
+      } catch {
+        console.log("agent process not running.");
+        fs.unlinkSync(pidFile);
+        return;
+      }
+
+      console.log(`stopping agent process (PID: ${pid})...`);
+      process.kill(pid, 'SIGINT');
+
+      let gracefulShutdown = false;
+      for (let i = 0; i < 10; i++) {
+        await sleep(1000);
+
+        try {
+          process.kill(pid, 0); // check if still exists
+        } catch {
+          gracefulShutdown = true;
+          console.log("agent process stopped gracefully");
+          break;
+        }
+      }
+
+      if (!gracefulShutdown) {
+        console.log("graceful shutdown timeout (10s), forcing termination...");
+        process.kill(pid, 'SIGKILL');
+        console.log("agent process terminated forcefully");
+      }
+
+      if (fs.existsSync(pidFile)) {
+        fs.unlinkSync(pidFile);
+        console.log("PID file cleaned up");
+      }
+    } catch (error) {
+      console.log("warning: error stopping agent process:", error.message);
+    }
+
+    const log = path.join(agentDir, "agent.log");
+    if (fs.existsSync(log)) {
+      console.log("agent log:");
+      const content = fs.readFileSync(log, "utf-8");
+      console.log(content);
+    }
+  }
 
   try {
     await common.addSummary();

src/common.ts

@@ -131,6 +131,9 @@ export const CONTAINER_MESSAGE =
 export const UBUNTU_MESSAGE =
   "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
 
+export const UNSUPPORTED_PLATFORM_MESSAGE =
+  "This job is not running on a supported platform. Harden Runner supports Linux (Ubuntu) and Windows runners. This job will not be monitored.";
+
 export const SELF_HOSTED_RUNNER_MESSAGE =
   "This job is running on a self-hosted runner.";
 

src/index.ts

@@ -13,8 +13,8 @@ import { context } from "@actions/github";
     return;
   }
 
-  if (process.platform !== "linux") {
+  if (process.platform !== "linux" && process.platform !== "win32") {
-    console.log(common.UBUNTU_MESSAGE);
+    console.log(common.UNSUPPORTED_PLATFORM_MESSAGE);
     return;
   }
   if (isGithubHosted() && isDocker()) {

src/install-agent.ts

@@ -41,7 +41,7 @@ export async function installAgent(
     );
   }
 
-  verifyChecksum(downloadPath, isTLS, variant);
+  verifyChecksum(downloadPath, isTLS, variant, process.platform);
 
   const extractPath = await tc.extractTar(downloadPath);
 
@@ -65,3 +65,78 @@ export async function installAgent(
   cp.execSync("sudo service agent start", { timeout: 15000 });
   return true;
 }
+
+export async function installWindowsAgent(
+  configStr: string
+): Promise<boolean> {
+  const token = core.getInput("token", { required: true });
+  const auth = `token ${token}`;
+
+  const variant = process.arch === "x64" ? "amd64" : "arm64";
+  if (variant === "arm64") {
+    console.log(ARM64_RUNNER_MESSAGE);
+    return false;
+  }
+
+  const agentDir = "C:\\agent";
+  core.info(`Creating agent directory: ${agentDir}`);
+  if (!fs.existsSync(agentDir)) {
+    fs.mkdirSync(agentDir, { recursive: true });
+  }
+  fs.appendFileSync(
+    process.env.GITHUB_STATE,
+    `agentDir=${agentDir}${EOL}`,
+    {
+      encoding: "utf8",
+    }
+  );
+  const agentExePath = path.join(agentDir, "agent.exe");
+
+  const downloadPath = await tc.downloadTool(
+    `https://github.com/step-security/agent-releases/releases/download/v1.0.0-int/harden-runner-agent-windows_int_windows_amd64.tar.gz `,
+    undefined,
+    auth
+  );
+  verifyChecksum(downloadPath, false, variant, process.platform);
+
+  const extractPath = await tc.extractTar(downloadPath);
+
+  const extractedAgentPath = path.join(extractPath, "agent.exe");
+  fs.copyFileSync(extractedAgentPath, agentExePath);
+  core.info(`Copied agent from ${extractedAgentPath} to ${agentExePath}`);
+
+  const configPath = path.join(agentDir, "config.json");
+  fs.writeFileSync(configPath, configStr);
+  core.info(`Created config file: ${configPath}`);
+
+  core.info("Starting Windows Agent...");
+
+  try {
+    const logPath = path.join(agentDir, "agent.log");
+    const logStream = fs.openSync(logPath, 'a');
+    core.info(`Agent logs will be written to: ${logPath}`);
+
+    const agentProcess = cp.spawn(agentExePath, [], {
+      cwd: agentDir,
+      detached: true,
+      stdio: ['ignore', logStream, logStream],
+      windowsHide: false,
+      shell: false
+    });
+
+    const pidFile = path.join(agentDir, "agent.pid");
+    fs.writeFileSync(pidFile, agentProcess.pid.toString());
+    core.info(`Agent process started with PID: ${agentProcess.pid}`);
+    core.info(`PID saved to: ${pidFile}`);
+
+    agentProcess.unref();
+
+    core.info("Windows Agent process started successfully");
+    return true;
+  } catch (error) {
+    core.setFailed(
+      `Failed to start Windows agent process: ${error.message}`
+    );
+    return false;
+  }
+}

src/setup.ts

@@ -27,7 +27,7 @@ import * as utils from "@actions/cache/lib/internal/cacheUtils";
 import { isARCRunner, sendAllowedEndpoints } from "./arc-runner";
 import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
 import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
-import { installAgent } from "./install-agent";
+import { installAgent, installWindowsAgent } from "./install-agent";
 
 interface MonitorResponse {
   runner_ip_address?: string;
@@ -45,8 +45,8 @@ interface MonitorResponse {
       return;
     }
 
-    if (process.platform !== "linux") {
+    if (process.platform !== "linux" && process.platform !== "win32") {
-      console.log(common.UBUNTU_MESSAGE);
+      console.log(common.UNSUPPORTED_PLATFORM_MESSAGE);
       return;
     }
     if (isGithubHosted() && isDocker()) {
@@ -322,17 +322,34 @@ interface MonitorResponse {
     }
 
     const confgStr = JSON.stringify(confg);
+    
+    // install agent based on platform
+    let agentInstalled = false;
+    let statusFile: string;
+    let logFile: string;
+
+    if (process.platform === "win32") {
+      // Windows installation
+      core.info("Installing Windows Agent...");
+      agentInstalled = await installWindowsAgent(confgStr);
+
+      const agentDir = process.env.STATE_agentDir || "C:\\agent";
+      statusFile = path.join(agentDir, "agent.status");
+      logFile = path.join(agentDir, "agent.log");
+    } else {
+      // Linux installation
       cp.execSync("sudo mkdir -p /home/agent");
       chownForFolder(process.env.USER, "/home/agent");
 
       let isTLS = await isTLSEnabled(context.repo.owner);
+      agentInstalled = await installAgent(isTLS, confgStr);
 
-    const agentInstalled = await installAgent(isTLS, confgStr);
+      statusFile = "/home/agent/agent.status";
+      logFile = "/home/agent/agent.log";
+    }
 
     if (agentInstalled) {
       // Check that the file exists locally
-      var statusFile = "/home/agent/agent.status";
-      var logFile = "/home/agent/agent.log";
       var counter = 0;
       while (true) {
         if (!fs.existsSync(statusFile)) {