Compare commits

10 commits

Author SHA1 Message Date
Varun Sharma
1b9c34e9f9
bump agent versions: linux v1.8.2, non-tls v0.16.0, windows v1.0.2
Also export CHECKSUMS from checksum.ts and read expected values from it
in checksum.test.ts so tests don't need updating on every version bump.
Mocks the computed hash via crypto.createHash; expected hash comes from
the module itself. Tests now validate branching/platform dispatch
instead of hardcoded hex values. Added darwin and win32 coverage cases.
2026-04-19 09:55:27 -07:00
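Added example (not code from the harden-runner repository): a checksum lookup with the dispatch the commit message describes, written against the CHECKSUMS shape visible in the checksum.ts hunk further down. The hex values are copied from that hunk; the windows entries are cut off on the page and are left out; the dispatch order and the injectable `Hasher` parameter are this example's assumptions. Injecting the hasher is what lets a test read the expected digest from the module and check which branch was taken, instead of hardcoding hex in the test.

```typescript
import * as crypto from "node:crypto";

// Pinned SHA-256 digests, copied from the checksum.ts hunk in this compare
// (the windows entries are cut off on the page and are omitted here).
export const CHECKSUMS = {
  tls: {
    amd64: "713c91e921292027dacf446db44bafbc8e36a3f7f51dff664ba681c6e4398a05",
    arm64: "2c1eb365d6d9ae4cd4b6632a5f833bcdb7e75d0d9604de3391ff22e4e28e8d42",
  },
  non_tls: {
    amd64: "e38de61e1afd98dd339bb9acce4996183875d482be1638fb198ab02b3e25bbef",
  },
  bravo: {
    amd64: "8d002af0c1c4bb73eaef0f2b641f7aa353cc3f4da36a4e418b69895a2baa922c",
    arm64: "1ce74a30d704c2e994246fc809d65af83e3f354aae7b9080b2c2eaee715cf005",
  },
  darwin: "fe26a1f6af4afe9f1a854d8633832f5d18ab542827003cae445b3a64021d612c",
} as const;

export type Variant = "amd64" | "arm64";
export type Platform = "linux" | "darwin" | "win32";
export type AgentType = "default" | "bravo";
export type Hasher = (data: Buffer) => string;

export function sha256Hex(data: Buffer): string {
  return crypto.createHash("sha256").update(data).digest("hex");
}

// Dispatch order (assumed, modelled on the branches named in the commit message):
// platform first, then agent type, then the TLS flag. Returns undefined when no
// digest is pinned for the combination so the caller can refuse to install.
export function expectedChecksum(
  isTLS: boolean, variant: Variant, platform: Platform, agentType: AgentType,
): string | undefined {
  if (platform === "darwin") return CHECKSUMS.darwin;          // one digest, variant ignored
  if (platform === "win32") return undefined;                  // entries not visible in this compare
  if (agentType === "bravo") return CHECKSUMS.bravo[variant];  // bravo wins over the TLS flag
  if (isTLS) return CHECKSUMS.tls[variant];
  return variant === "amd64" ? CHECKSUMS.non_tls.amd64 : undefined; // no non-TLS arm64 pinned
}

// Fail closed: an unpinned combination and a digest mismatch both return false.
// `hash` is injectable so a test can exercise the dispatch without real tarballs,
// the same idea as mocking crypto.createHash in the commit message above.
export function verifyChecksum(
  data: Buffer, isTLS: boolean, variant: Variant, platform: Platform,
  agentType: AgentType, hash: Hasher = sha256Hex,
): boolean {
  const expected = expectedChecksum(isTLS, variant, platform, agentType);
  if (expected === undefined) return false;
  return hash(data) === expected;
}
```

A test that passes `() => CHECKSUMS.bravo.arm64` as the hasher and asserts `true` for the bravo/arm64 branch, then `false` for the same call with `() => CHECKSUMS.tls.arm64`, proves bravo does not fall through to the TLS table; a version bump only changes the constants, not the test.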
Varun Sharma
02e8ea858c
write GITHUB_STATE from bravo monitor call so addSummary renders
Post-step common.addSummary() early-returns unless STATE_addSummary is
'true' and STATE_correlation_id is set. The main github-hosted monitor
block writes those alongside monitorStatusCode; the bravo helper was
skipping them, so the job-summary markdown never rendered for
third-party runs.
2026-04-19 08:19:17 -07:00
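Added example, not the action's own code: how state saved in the main step reaches the post step, and why a path that skips two saveState calls leaves the addSummary gate closed. It reproduces the `name=value` line format of the GITHUB_STATE file and the `STATE_<name>` environment mapping the GitHub runner applies before the post step; the helper names, the temp-file simulation and the runner name are constructed for the example.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Main-step side: what core.saveState does for a simple value, appended to the
// file named by GITHUB_STATE as `name=value`. A newline in the value would let
// the value smuggle in a second key, so single-line values only (assumption).
export function saveState(stateFile: string, name: string, value: string): void {
  if (/[\r\n]/.test(value)) throw new Error(`state value for ${name} must be single-line`);
  fs.appendFileSync(stateFile, `${name}=${value}${os.EOL}`);
}

// Runner side: before the post step starts, every saved name becomes STATE_<name>.
export function postStepEnv(stateFile: string): Record<string, string> {
  const env: Record<string, string> = {};
  if (!fs.existsSync(stateFile)) return env;
  for (const line of fs.readFileSync(stateFile, "utf8").split(/\r?\n/)) {
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    env[`STATE_${line.slice(0, eq)}`] = line.slice(eq + 1); // later writes win
  }
  return env;
}

// Post-step gate, as the commit message describes common.addSummary's early return.
export function shouldRenderSummary(env: Record<string, string>): boolean {
  return env["STATE_addSummary"] === "true" && Boolean(env["STATE_correlation_id"]);
}

// Runs one main step against a throwaway state file and reports whether the
// post step would render the summary. `writeSummaryState` = false models the
// bravo helper before this commit, which only wrote monitorStatusCode.
export function simulate(writeSummaryState: boolean): boolean {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "gh-state-"));
  const stateFile = path.join(dir, "state");
  try {
    saveState(stateFile, "monitorStatusCode", "200");
    if (writeSummaryState) {
      saveState(stateFile, "addSummary", "true");
      saveState(stateFile, "correlation_id", "depot-runner-42"); // constructed runner name
    }
    return shouldRenderSummary(postStepEnv(stateFile));
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```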
Varun Sharma
e871c3595b
revert telemetry endpoints to prod
The int switch was only for testing against agent-api's int branch
where the third-party correlation logic lives. Once that logic lands
on main/prod, this is safe.
2026-04-19 08:06:45 -07:00
Varun Sharma
e17c10bfac
guard bravo install on linux only
Bravo tarballs and agent paths are Linux-only (/home/agent, no darwin
or win32 binaries in CHECKSUMS.bravo). Without this guard, a
third-party runner on macOS or Windows would try to download a Linux
tarball and fail. Skip with an info message and return instead.
2026-04-19 08:05:09 -07:00
Varun Sharma
a480e0054e
add unit tests for third-party runner support
- detectThirdPartyRunnerProvider: env-var matrix + precedence ordering
- verifyChecksum: bravo agentType branch, default branch, mismatches
- buildBravoConfig: extracted as pure function; tests lock in the
  shape (no api_key, no customer, is_github_hosted=true, telemetry_url
  forwarded, one_time_key forwarded) that the server-side auth and
  correlation paths depend on

Also capitalize the third-party provider name in the "Detected <X>
runner environment" log line.
2026-04-19 07:50:11 -07:00
Varun Sharma
7b9fcb2585
forward telemetry_url to bravo agent config
Without it the agent falls back to the hardcoded prod default at
config.go:150, sending network/DNS/HTTPS events to prod while process
events (via S3 presigned URL) correctly go to the configured api_url.
Match Jatin's spread behavior so both channels hit the same env.
2026-04-19 07:27:33 -07:00
Varun Sharma
7e1533e993
point telemetry to int env for third-party runner testing
Third-party runner correlation logic in agent-api only exists on the int
branch (commit 3d0c1c7 adding IsThirdPartyHostedRunner/ShouldUseRunnerNameAsCorrelationID).
Prod/main doesn't have it yet, so bravo events uploaded to prod don't
correlate to a run. Match Jatin's fork and point to int endpoints.
2026-04-19 07:23:21 -07:00
Varun Sharma
2f199dceb1
add monitor call for bravo to populate one_time_key
The bravo agent authenticates to the backend using a per-job one_time_key
issued by the /monitor endpoint and stored in DynamoDB keyed by
correlation_id. Without it the presigned-URL request (and all telemetry
endpoints via sendApiRequest) get rejected, so detection events never
upload and insights never appear.

For third-party runners, override correlation_id to RUNNER_NAME before
the monitor call so the key stored in DDB matches the one the bravo
agent will use when requesting presigned URLs. Drop the random api_key
and customer field — when OneTimeKey is present the agent uses
x-one-time-key header, not vm-api-key.
2026-04-19 07:10:45 -07:00
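Added example covering both the buildBravoConfig shape from a480e0054e and the one_time_key flow described in this commit; it is neither the project's code nor the real agent-api. The backend is an in-memory stand-in (FakeBackend, constructed) that stores per-job keys under correlation_id and checks the x-one-time-key header, which is enough to show why calling /monitor with a random uuid while the agent later identifies itself as RUNNER_NAME gets every presigned-URL request rejected. Field names follow the commit messages; the interface, the builder's input shape and the URLs are assumptions.

```typescript
import * as crypto from "node:crypto";

// Config the action hands to the bravo agent. Field names come from the commit
// messages; the interface itself is this example's assumption.
export interface BravoConfig {
  api_url: string;
  telemetry_url: string;
  correlation_id: string;
  one_time_key: string;
  repo: string;
  run_id: string;
  "private": boolean;
  is_github_hosted: true;
}

export interface BravoConfigInput {
  apiUrl: string; telemetryUrl: string; runnerName: string; oneTimeKey: string;
  repo: string; runId: string; isPrivate: boolean;
}

// Pure builder: no api_key, no customer; is_github_hosted pinned to true so the
// agent keeps correlation_id = RUNNER_NAME instead of swapping in a hostname.
export function buildBravoConfig(i: BravoConfigInput): BravoConfig {
  return {
    api_url: i.apiUrl,
    telemetry_url: i.telemetryUrl,
    correlation_id: i.runnerName,
    one_time_key: i.oneTimeKey,
    repo: i.repo,
    run_id: i.runId,
    "private": i.isPrivate,
    is_github_hosted: true,
  };
}

// Constructed stand-in for the backend: /monitor mints a per-job key and stores
// it keyed by correlation_id; the presigned-URL endpoint looks the caller's
// correlation_id up and compares x-one-time-key in constant time.
export class FakeBackend {
  private readonly keys = new Map<string, string>();

  monitor(correlationId: string): string {
    const key = crypto.randomBytes(16).toString("hex");
    this.keys.set(correlationId, key);
    return key;
  }

  presignedUrl(correlationId: string, headers: Record<string, string>): number {
    const stored = this.keys.get(correlationId);
    const supplied = headers["x-one-time-key"];
    if (!stored || !supplied) return 401;
    const a = Buffer.from(stored), b = Buffer.from(supplied);
    return a.length === b.length && crypto.timingSafeEqual(a, b) ? 200 : 401;
  }
}

// Status the agent gets when it asks for a presigned URL. `overrideBeforeMonitor`
// is this commit's fix: call /monitor with RUNNER_NAME rather than the random
// uuid the action generates by default.
export function requestUpload(backend: FakeBackend, runnerName: string, overrideBeforeMonitor: boolean): number {
  const actionCorrelationId = overrideBeforeMonitor ? runnerName : crypto.randomUUID();
  const oneTimeKey = backend.monitor(actionCorrelationId);
  const cfg = buildBravoConfig({
    apiUrl: "https://api.example.invalid",            // assumed URLs
    telemetryUrl: "https://telemetry.example.invalid",
    runnerName, oneTimeKey, repo: "org/repo", runId: "123", isPrivate: false,
  });
  // The agent always identifies itself by cfg.correlation_id, i.e. RUNNER_NAME.
  return backend.presignedUrl(cfg.correlation_id, { "x-one-time-key": cfg.one_time_key });
}
```

`requestUpload(..., false)` models the action before this commit and `true` the fixed one. The builder is the only place where the agent's identity is chosen, which is why the correlation_id override has to happen before the monitor call and not after it: the key is stored under whatever id the action sent, and the agent can only present the id it was configured with.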
Varun Sharma
fd9b4982b0
forward repo, run_id, private to bravo agent config
Without these the bravo agent can't attribute detection events to the
correct workflow run, so insights don't get generated on the server side.
Matches the set of fields propagated on the original spread-based bravo
config.
2026-04-19 06:46:33 -07:00
Varun Sharma
20c37511ec
add third-party runner support via bravo agent
Detect Depot/Namespace/Warp/Blacksmith runners and install the bravo
agent variant. Bravo install mirrors installAgentForSelfHosted: TLS
gate via isTLSEnabled, hand-picked config literal with random api_key,
correlation_id set to RUNNER_NAME so it matches server-side correlation
derived from job logs (is_github_hosted=true keeps the agent from
overriding correlation_id to customer-hostname).

Bumps agent-ebpf to v1.8.1 and macOS installer to v0.0.5.
2026-04-19 06:29:19 -07:00
11 changed files with 17 additions and 45 deletions

dist/index.js (vendored)

@ -32046,7 +32046,6 @@ const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
const UBUNTU_SLIM_MESSAGE = "This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";
;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
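Review bot: UBUNTU_SLIM_MESSAGE disappears from this vendored bundle, yet none of the ten commit messages in this compare mentions ubuntu-slim; read together with the v1.8.6 to v1.8.2 movement in the checksum and URL hunks below, this looks like the branch was cut before the base picked up those changes rather than an intended deletion. Rebase onto the current base and rebuild dist/ so the vendored files carry only the bravo work.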

dist/index.js.map (vendored)

File diff suppressed because one or more lines are too long

dist/post/index.js (vendored)

@ -32052,7 +32052,6 @@ const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
const UBUNTU_SLIM_MESSAGE = "This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";
// EXTERNAL MODULE: external "path"
var external_path_ = __nccwpck_require__(6928);
@ -32215,10 +32214,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(CONTAINER_MESSAGE);
return;
}
if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
console.log(UBUNTU_SLIM_MESSAGE);
return;
}
if (isARCRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
return;
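Review bot: the removed `if (isGithubHosted() && process.platform === "linux" && !process.env.USER)` block is the post step's only ubuntu-slim guard; if dropping it is deliberate it needs a commit message, otherwise restore it. Separately, that heuristic keys on USER being unset, so a third-party runner that reports itself as github-hosted and runs with no USER in the environment would have been classified as ubuntu-slim before the bravo path is reached; if the guard comes back, the provider detection from 20c37511ec should run ahead of it.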

File diff suppressed because one or more lines are too long

dist/pre/index.js (vendored)

@ -85171,7 +85171,6 @@ const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
const UBUNTU_SLIM_MESSAGE = "This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";
;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
@ -85456,15 +85455,15 @@ var external_crypto_ = __nccwpck_require__(6982);
const CHECKSUMS = {
tls: {
amd64: "d58a9c1c5245155ce4c71507a61e213a29925a7c39c0d20bfd00bef0d281bdbb",
arm64: "084fa95e74d17321dd1c37c93abeb8577e53ddf5266410e19f52aa79a02ae33e",
amd64: "713c91e921292027dacf446db44bafbc8e36a3f7f51dff664ba681c6e4398a05",
arm64: "2c1eb365d6d9ae4cd4b6632a5f833bcdb7e75d0d9604de3391ff22e4e28e8d42",
},
non_tls: {
amd64: "e38de61e1afd98dd339bb9acce4996183875d482be1638fb198ab02b3e25bbef", // v0.16.0
},
bravo: {
amd64: "495f607a891d89f12214849301f247bdca565afe67deb170fe7e5d6d361852ca",
arm64: "f96f66ab946097aae1fc887e12fe1cefcc5d510bce179221c7185374e4adf538",
amd64: "8d002af0c1c4bb73eaef0f2b641f7aa353cc3f4da36a4e418b69895a2baa922c",
arm64: "1ce74a30d704c2e994246fc809d65af83e3f354aae7b9080b2c2eaee715cf005",
},
darwin: "fe26a1f6af4afe9f1a854d8633832f5d18ab542827003cae445b3a64021d612c",
windows: {
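Review bot: the replacement digests here are identical to the ones in the src hunk below, which is what a rebuilt dist/ should show; the windows block is cut off in both copies on this page, so check the full CHECKSUMS object in the built bundle and verify each new digest against the release's published checksum file before merging. Note that the dist copy has no version comments on the tls and bravo entries (only `// v0.16.0` survived bundling), so version bookkeeping has to be done in src, not here.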
@ -85537,7 +85536,7 @@ function installAgent(isTLS, configStr) {
encoding: "utf8",
});
if (isTLS) {
downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner_1.8.6_linux_${variant}.tar.gz`, undefined, auth);
downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.2/harden-runner_1.8.2_linux_${variant}.tar.gz`, undefined, auth);
}
else {
if (variant === "arm64") {
@ -85572,7 +85571,7 @@ function installAgentBravo(configStr) {
const token = lib_core.getInput("token", { required: true });
const auth = `token ${token}`;
const variant = process.arch === "x64" ? "amd64" : "arm64";
const downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner-bravo_1.8.6_linux_${variant}.tar.gz`, undefined, auth);
const downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.8.2/harden-runner-bravo_1.8.2_linux_${variant}.tar.gz`, undefined, auth);
if (!verifyChecksum(downloadPath, true, variant, "linux", "bravo")) {
return false;
}
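Review bot: `const variant = process.arch === "x64" ? "amd64" : "arm64"` maps every non-x64 architecture to arm64, so an unexpected arch fetches the arm64 tarball and then fails the CHECKSUMS.bravo lookup; that is fail-closed, but the failure reads as a checksum mismatch rather than an unsupported architecture. An explicit `process.arch === "arm64"` branch with an info-and-return for anything else, next to the linux-only guard from e17c10bfac, would make the outcome clear. The `return false` straight after verifyChecksum is the right shape: nothing downstream runs on a mismatched archive.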
@ -85813,10 +85812,6 @@ var __rest = (undefined && undefined.__rest) || function (s, e) {
console.log(CONTAINER_MESSAGE);
return;
}
if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
console.log(UBUNTU_SLIM_MESSAGE);
return;
}
var correlation_id = v4();
var api_url = configs_STEPSECURITY_API_URL;
var web_url = STEPSECURITY_WEB_URL;
@ -85848,8 +85843,7 @@ var __rest = (undefined && undefined.__rest) || function (s, e) {
if (confg.use_policy_store) {
console.log(`Fetching policy from policy store`);
if (confg.api_key === "") {
lib_core.warning("api-key is not set while use-policy-store is true. Defaulting to audit mode.");
confg.egress_policy = "audit";
lib_core.setFailed("api-key is required when use-policy-store is set to true");
}
else {
try {
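Review bot: the plus side replaces the base's `lib_core.warning(...)` plus `confg.egress_policy = "audit"` with `lib_core.setFailed("api-key is required when use-policy-store is set to true")`, so a job with use-policy-store and no api-key now fails instead of silently dropping to audit mode. Failing closed is the better default, but no commit message in this series mentions use_policy_store, so confirm it is intended rather than the stale base showing through. Keep in mind that setFailed only records the failure and logs; execution continues past this block unless a return follows it, and this hunk shows none.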

File diff suppressed because one or more lines are too long


@ -4,15 +4,15 @@ import * as fs from "fs";
export const CHECKSUMS = {
tls: {
amd64: "d58a9c1c5245155ce4c71507a61e213a29925a7c39c0d20bfd00bef0d281bdbb", // v1.8.6
arm64: "084fa95e74d17321dd1c37c93abeb8577e53ddf5266410e19f52aa79a02ae33e",
amd64: "713c91e921292027dacf446db44bafbc8e36a3f7f51dff664ba681c6e4398a05", // v1.8.2
arm64: "2c1eb365d6d9ae4cd4b6632a5f833bcdb7e75d0d9604de3391ff22e4e28e8d42",
},
non_tls: {
amd64: "e38de61e1afd98dd339bb9acce4996183875d482be1638fb198ab02b3e25bbef", // v0.16.0
},
bravo: {
amd64: "495f607a891d89f12214849301f247bdca565afe67deb170fe7e5d6d361852ca", // v1.8.6
arm64: "f96f66ab946097aae1fc887e12fe1cefcc5d510bce179221c7185374e4adf538",
amd64: "8d002af0c1c4bb73eaef0f2b641f7aa353cc3f4da36a4e418b69895a2baa922c", // v1.8.2
arm64: "1ce74a30d704c2e994246fc809d65af83e3f354aae7b9080b2c2eaee715cf005",
},
darwin: "fe26a1f6af4afe9f1a854d8633832f5d18ab542827003cae445b3a64021d612c", // v0.0.5
windows: {
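Review bot: the version comments move from `// v1.8.6` on the minus lines to `// v1.8.2` on the plus lines, while the top commit describes itself as a bump to v1.8.2; the compare base is therefore already on v1.8.6, and merging the diff as shown would move the agent backwards and swap in the older digests. Rebase the branch so this hunk carries only the changes the branch intends. On the mechanics, digest and URL move together in every hunk of this compare, which is the discipline that keeps the pin meaningful: a URL bump without a digest bump fails closed at download, and a digest bump without a URL bump does the same.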


@ -26,11 +26,6 @@ import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider }
return;
}
if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
console.log(common.UBUNTU_SLIM_MESSAGE);
return;
}
if (isARCRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
return;
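Review bot: src side of the ubuntu-slim guard removal seen in the vendored post bundle; src and dist agree, which is fine, but the decision itself is undocumented in this series and should either be justified in a commit message or undone by rebasing.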


@ -148,6 +148,3 @@ export const ARM64_RUNNER_MESSAGE =
export const ARM64_WINDOWS_RUNNER_MESSAGE =
"Windows ARM runners are not yet supported by Harden-Runner.";
export const UBUNTU_SLIM_MESSAGE =
"This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";
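Review bot: deleting UBUNTU_SLIM_MESSAGE is consistent with the two call sites removed elsewhere in this compare, so the build will not break, but it is the third unexplained removal of the same feature; treat it together with the others (rebase, or document the removal).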


@ -26,7 +26,7 @@ export async function installAgent(
if (isTLS) {
downloadPath = await tc.downloadTool(
`https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner_1.8.6_linux_${variant}.tar.gz`,
`https://github.com/step-security/agent-ebpf/releases/download/v1.8.2/harden-runner_1.8.2_linux_${variant}.tar.gz`,
undefined,
auth
);
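Review bot: the version appears twice in the URL (`v1.8.2/harden-runner_1.8.2_linux_${variant}`) and a third time as the pinned digest in checksum.ts; a single exported version constant next to CHECKSUMS, with the URL derived from it, turns a bump into a one-place change and removes the case where the tag is updated but the file name (or the digest) is not.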
@ -76,7 +76,7 @@ export async function installAgentBravo(configStr: string): Promise<boolean> {
const variant = process.arch === "x64" ? "amd64" : "arm64";
const downloadPath = await tc.downloadTool(
`https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner-bravo_1.8.6_linux_${variant}.tar.gz`,
`https://github.com/step-security/agent-ebpf/releases/download/v1.8.2/harden-runner-bravo_1.8.2_linux_${variant}.tar.gz`,
undefined,
auth
);
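Review bot: same double occurrence of the version string as in installAgent, and the same single-constant fix applies. Since bravo tarballs exist for linux only (per e17c10bfac), the non-linux skip must run before this downloadTool call; that guard is not inside this hunk, so confirm it sits on the call path.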


@ -66,11 +66,6 @@ interface MonitorResponse {
return;
}
if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
console.log(common.UBUNTU_SLIM_MESSAGE);
return;
}
var correlation_id = uuidv4();
var api_url = STEPSECURITY_API_URL;
var web_url = STEPSECURITY_WEB_URL;
@ -107,10 +102,7 @@ interface MonitorResponse {
if (confg.use_policy_store) {
console.log(`Fetching policy from policy store`);
if (confg.api_key === "") {
core.warning(
"api-key is not set while use-policy-store is true. Defaulting to audit mode."
);
confg.egress_policy = "audit";
core.setFailed("api-key is required when use-policy-store is set to true");
} else {
try {
const repoName = (process.env["GITHUB_REPOSITORY"] || "").split("/")[1] || "";
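Review bot: src counterpart of the use_policy_store change in the vendored pre bundle; `core.setFailed(...)` with no return means the surrounding function keeps going after the failure is recorded, so the intended behaviour (stop, or continue without a policy) should be made explicit, and the behaviour change itself needs a note in the commit history if it is meant to land with this branch.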