Merge pull request #634 from h0x0er/jatin/winmac

Add combined windows and macos changes
wait for done.json only if agent is installed
2026-06-05 15:58:19 +00:00 · 2026-02-07 22:10:19 -08:00 · 2026-02-03 17:59:09 +05:30 · 2026-02-03 16:06:10 +05:30 · 2026-02-03 15:33:26 +05:30 · 2026-02-03 12:04:06 +05:30
29 changed files with 129729 additions and 123672 deletions
--- a/README.md
+++ b/README.md
@ -19,22 +19,19 @@ Corporate laptops and production servers typically have robust security monitori
 Traditional security monitoring and EDR solutions are ineffective for CI/CD runners due to their ephemeral nature. These tools also lack the necessary context to correlate events with specific workflow runs in a CI/CD environment.
-StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners, with support for Linux, Windows, and macOS runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
+StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
 ### Harden-Runner: Security Incidents Detected
 - [Harden-Runner Detected the Compromised axios npm Package Dropping a Remote Access Trojan](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan) ([backstage/backstage#33693](https://github.com/backstage/backstage/issues/33693), [block/elasticgraph#1103](https://github.com/block/elasticgraph/issues/1103))
 - [Harden-Runner Detected the Trivy Compromise with Malicious v0.69.4 Release](https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release) ([k8gb-io/k8gb#2294](https://github.com/k8gb-io/k8gb/issues/2294))
 - [Harden-Runner Detected the tj-actions/changed-files compromise](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) ([CVE-2025-30066](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3))
 - [Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF’s Backstage Repository](https://www.stepsecurity.io/blog/how-harden-runner-detected-the-sha1-hulud-supply-chain-attack-in-cncfs-backstage-repository)
 - [Harden-Runner Detected the NX Build System compromise](https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware)
 - [Harden-Runner Detected a CI/CD Supply Chain Attack in Google’s Open-Source Project Flank](https://www.stepsecurity.io/case-studies/flank)
 - [Harden-Runner Detected the NX Build System compromise](https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware)
 - [Harden-Runner Detected a CI/CD Supply Chain Attack in Microsoft’s Open-Source Project Azure Karpenter Provider in Real-Time](https://www.stepsecurity.io/case-studies/azure-karpenter-provider)
 - [Harden-Runner Detected Anomalous Traffic to api.ipify.org Across Multiple Customers](https://www.stepsecurity.io/blog/harden-runner-detects-anomalous-traffic-to-api-ipify-org-across-multiple-customers)  
 - [Harden-Runner Detected an Unexpected Microsoft Defender Installation on GitHub-Hosted Ubuntu Runners](https://www.stepsecurity.io/blog/how-stepsecurity-harden-runner-detected-unexpected-microsoft-defender-installation-on-github-hosted-ubuntu-runners)
 - [Harden-Runner Flagged an Anomalous Outbound Call, Leading to a Docker Documentation Update](https://www.stepsecurity.io/blog/harden-runner-flags-anomalous-outbound-call-leading-to-docker-documentation-update)
 ### See It in Action
-Harden-Runner secures over **25 million CI/CD workflow runs every week**, protecting thousands of pipelines, including those from popular open-source projects by **Microsoft, Google, and CISA**. See how top projects are using Harden-Runner and explore the insights:  
+Harden-Runner secures over **8 million CI/CD workflow runs every week**, protecting thousands of pipelines, including those from popular open-source projects by **Microsoft, Google, and CISA**. See how top projects are using Harden-Runner and explore the insights:  
 ➡️ [Who's using Harden-Runner?](https://docs.stepsecurity.io/whos-using-harden-runner)
 ## Quick Links
@ -72,7 +69,7 @@ To integrate Harden-Runner, follow these steps:
   ```yaml
   steps:
     - name: Harden Runner
-       uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+       uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit
@ -140,7 +137,7 @@ Explore the full feature set in the [Features Documentation](https://docs.stepse
 ## Trusted By and Case Studies
-Harden-Runner is trusted by over 11,000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
+Harden-Runner is trusted by over 8000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
 ### Trusted by
@ -151,11 +148,11 @@ Harden-Runner is trusted by over 11,000 leading open-source projects and enterpr
 ### Enterprise Case Studies
 - [How Mercari Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/mercari)
 - [How Omnissa Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/omnissa)
 - [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
 - [How Coveo Strengthened GitHub Actions Security with StepSecurity](https://www.stepsecurity.io/case-studies/coveo)
 - [Hashgraph Achieves Comprehensive CI/CD Security Without Compromising Development Speed](https://www.stepsecurity.io/case-studies/hashgraph)
 - [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
 - [Kapiche secures their GitHub Actions software supply chain with Harden-Runner](https://www.stepsecurity.io/case-studies/kapiche)
 - [Arcjet Enhances CI/CD Security with Harden-Runner](https://www.stepsecurity.io/case-studies/arcjet)
 ---
@ -163,10 +160,9 @@ Harden-Runner is trusted by over 11,000 leading open-source projects and enterpr
 Harden-Runner is designed to work seamlessly across a variety of runner environments, providing consistent security insights and protections regardless of where your workflows execute. For self-hosted runners, audit mode is deployed directly to the runner infrastructure without requiring any changes to your existing workflows. For more details, refer to the [official documentation](https://docs.stepsecurity.io/harden-runner).
-| Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit/Block Mode |
+| Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit Mode |
 |------------------|---------------|--------------------------|-------------------|
-| GitHub-hosted runners (Linux) | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
+| GitHub-hosted runners | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
 | GitHub-hosted runners (Windows, macOS) | ✅ Audit mode only | Add Harden-Runner Action to workflow | Yes |
 | Self-hosted VM runners | ✅ Full support | Include agent in runner image | No |
 | Self-hosted bare-metal runners | ✅ Full support | Install agent as a service | No |
 | Actions Runner Controller (ARC) | ✅ Full support | Deploy as DaemonSet | No |
@ -180,7 +176,7 @@ Want to know the technical details? Dive into the architecture of Harden-Runner
 ## Limitations
-While Harden-Runner offers powerful features, there are certain limitations. See the complete list in [Known Limitations](docs/limitations.md).
+While Harden-Runner offers powerful features, there are certain limitations based on the environment, such as OS support. See the complete list in [Known Limitations](docs/limitations.md).
 ---
--- a/action.yml
+++ b/action.yml
@ -29,27 +29,15 @@ inputs:
    required: false
    default: "false"
  policy:
-    description: "Policy name to be used from the policy store. Requires id-token: write permission."
+    description: "Policy name to be used from the policy store"
    required: false
    default: ""
  api-key:
    description: "StepSecurity API key for authenticating with the policy store. Required when use-policy-store is set to true."
    required: false
    default: ""
  use-policy-store:
    description: "Set to true to fetch policy from the policy store using the API key. This is the preferred method over the policy input which requires id-token: write permission. Policies can be defined and attached at workflow, repo, org, or cluster (for ARC) level in the policy store. The most granular policy will apply."
    required: false
    default: "false"
  deploy-on-self-hosted-vm:
    description: "Set to true to deploy the Harden Runner agent directly on a self-hosted runner VM (Linux only). The recommended approach for self-hosted VMs is to bake the agent into the VM image; see docs.stepsecurity.io. Use this option only if baking is not possible, and only for ephemeral runners."
    required: false
    default: "false"
 branding:
  icon: "check-square"
  color: "green"
 runs:
-  using: "node24"
+  using: "node20"
  pre: "dist/pre/index.js"
  main: "dist/index.js"
  post: "dist/post/index.js"
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/post/index.js
+++ b/dist/post/index.js
--- a/dist/post/index.js.map
+++ b/dist/post/index.js.map
--- a/dist/post/sourcemap-register.js
+++ b/dist/post/sourcemap-register.js
--- a/dist/pre/index.js
+++ b/dist/pre/index.js
--- a/dist/pre/index.js.map
+++ b/dist/pre/index.js.map
--- a/dist/pre/sourcemap-register.js
+++ b/dist/pre/sourcemap-register.js
--- a/dist/sourcemap-register.js
+++ b/dist/sourcemap-register.js
--- a/docs/how-it-works.md
+++ b/docs/how-it-works.md
@ -5,7 +5,8 @@
 For GitHub-hosted runners, Harden-Runner GitHub Action downloads and installs the StepSecurity Agent.
 - The code to monitor file, process, and network activity is in the Agent.
- The community tier agent for Linux is open-source and can be found [here](https://github.com/step-security/agent). The enterprise agent for Linux and agents for Windows and macOS are closed-source.
+- The community tier agent is open-source and can be found [here](https://github.com/step-security/agent). The enterprise tier agent is closed-source. Both agents are written in Go.
 - The agent's build is reproducible. You can view the steps to reproduce the build [here](http://app.stepsecurity.io/github/step-security/agent/releases/latest)
 ### Self-Hosted Actions Runner Controller (ARC) Runners
--- a/docs/limitations.md
+++ b/docs/limitations.md
@ -1,8 +1,14 @@
 ## Limitations
 ### GitHub-Hosted Runners
 * Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121).
 * Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) with built-in labels such as `ubuntu-latest`, as it needs sudo access on the Ubuntu VM to run. The limitation is if the entire job is run in a container. However, such jobs can be monitored when using custom VM images with GitHub-hosted runners. This is also not a limitation for Self-Hosted runners.
 ### Self-Hosted Actions Runner Controller (ARC) Runners
 * Since ARC Harden Runner uses eBPF, only Linux jobs are supported. Windows and MacOS jobs are not supported.
 ### Self-Hosted VM (e.g. on EC2) and Bare-metal Runners 
 * Only Linux jobs are supported. Windows and MacOS jobs are not supported.
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@ -8,8 +8,4 @@ reason = "Untrusted headers are not processed"
 [[IgnoredVulns]]
 id = "GHSA-xx4v-prfh-6cgc"
-reason = "Untrusted headers are not processed"
+reason = "Untrusted headers are not processed"
 [[IgnoredVulns]]
 id = "GHSA-g9mf-h72j-4rw9"
 reason = "undici fetch() is only used to call GitHub API; exploitation requires a malicious server"
--- a/package-lock.json
+++ b/package-lock.json
@ -2673,11 +2673,10 @@
      }
    },
    "node_modules/ajv": {
-      "version": "6.14.0",
+      "version": "6.12.6",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-      "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
+      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "fast-deep-equal": "^3.1.1",
        "fast-json-stable-stringify": "^2.0.0",
@ -2852,10 +2851,9 @@
      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
    },
    "node_modules/brace-expansion": {
-      "version": "1.1.14",
+      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0",
        "concat-map": "0.0.1"
@ -3748,53 +3746,18 @@
      "integrity": "sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc=",
      "dev": true
    },
    "node_modules/fast-uri": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
      "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
      "dev": true,
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/fastify"
        },
        {
          "type": "opencollective",
          "url": "https://opencollective.com/fastify"
        }
      ],
      "license": "BSD-3-Clause"
    },
    "node_modules/fast-xml-builder": {
      "version": "1.1.4",
      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
      "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/NaturalIntelligence"
        }
      ],
      "license": "MIT",
      "dependencies": {
        "path-expression-matcher": "^1.1.3"
      }
    },
    "node_modules/fast-xml-parser": {
-      "version": "5.5.11",
+      "version": "5.0.9",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.11.tgz",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.0.9.tgz",
-      "integrity": "sha512-QL0eb0YbSTVWF6tTf1+LEMSgtCEjBYPpnAjoLC8SscESlAjXEIRJ7cHtLG0pLeDFaZLa4VKZLArtA/60ZS7vyA==",
+      "integrity": "sha512-2mBwCiuW3ycKQQ6SOesSB8WeF+fIGb6I/GG5vU5/XEptwFFhp9PE8b9O7fbs2dpq9fXn4ULR3UsfydNUCntf5A==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/NaturalIntelligence"
        }
      ],
      "license": "MIT",
      "dependencies": {
-        "fast-xml-builder": "^1.1.4",
+        "strnum": "^2.0.5"
        "path-expression-matcher": "^1.4.0",
        "strnum": "^2.2.3"
      },
      "bin": {
        "fxparser": "src/cli/cli.js"
@ -3891,11 +3854,10 @@
      }
    },
    "node_modules/flatted": {
-      "version": "3.4.2",
+      "version": "3.2.5",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "integrity": "sha512-WIWGi2L3DyTUvUrwRKgGi9TwxQMUEqPOPQBVi71R96jZXJdFskXEmf54BoZaS1kknGODoIGASGEzBUYdyMCBJg==",
-      "dev": true,
+      "dev": true
      "license": "ISC"
    },
    "node_modules/form-data": {
      "version": "2.5.5",
@ -6085,9 +6047,9 @@
      }
    },
    "node_modules/lodash": {
-      "version": "4.18.1",
+      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
      "dev": true,
      "license": "MIT"
    },
@ -6216,10 +6178,9 @@
      }
    },
    "node_modules/minimatch": {
-      "version": "3.1.5",
+      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
      },
@ -6454,21 +6415,6 @@
        "node": ">=8"
      }
    },
    "node_modules/path-expression-matcher": {
      "version": "1.5.0",
      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
      "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/NaturalIntelligence"
        }
      ],
      "license": "MIT",
      "engines": {
        "node": ">=14.0.0"
      }
    },
    "node_modules/path-is-absolute": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
@ -6508,11 +6454,10 @@
      "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ=="
    },
    "node_modules/picomatch": {
-      "version": "2.3.2",
+      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": ">=8.6"
      },
@ -6988,16 +6933,15 @@
      }
    },
    "node_modules/strnum": {
-      "version": "2.2.3",
+      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.0.5.tgz",
-      "integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==",
+      "integrity": "sha512-YAT3K/sgpCUxhxNMrrdhtod3jckkpYwH6JAuwmUdXZsmzH1wUyzTMrrK2wYCEEqlKwrWDd35NeuUkbBy/1iK+Q==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/NaturalIntelligence"
        }
-      ],
+      ]
      "license": "MIT"
    },
    "node_modules/supports-color": {
      "version": "7.2.0",
@ -7040,16 +6984,15 @@
      }
    },
    "node_modules/table/node_modules/ajv": {
-      "version": "8.18.0",
+      "version": "8.11.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.11.0.tgz",
-      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "integrity": "sha512-wGgprdCvMalC0BztXvitD2hC04YffAvtsUn93JbGXYLAtCUO4xd17mCCZQxUOItiBwZvJScWo8NIvQMQ71rdpg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "fast-deep-equal": "^3.1.3",
+        "fast-deep-equal": "^3.1.1",
        "fast-uri": "^3.0.1",
        "json-schema-traverse": "^1.0.0",
-        "require-from-string": "^2.0.2"
+        "require-from-string": "^2.0.2",
        "uri-js": "^4.2.2"
      },
      "funding": {
        "type": "github",
@ -9588,9 +9531,9 @@
      "integrity": "sha512-jRR5wdylq8CkOe6hei19GGZnxM6rBGwFl3Bg0YItGDimvjGtAvdZk4Pu6Cl4u4Igsws4a1fd1Vq3ezrhn4KmFw=="
    },
    "ajv": {
-      "version": "6.14.0",
+      "version": "6.12.6",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-      "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
+      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
      "dev": true,
      "requires": {
        "fast-deep-equal": "^3.1.1",
@ -9722,9 +9665,9 @@
      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
    },
    "brace-expansion": {
-      "version": "1.1.14",
+      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
      "requires": {
        "balanced-match": "^1.0.0",
        "concat-map": "0.0.1"
@ -10386,28 +10329,12 @@
      "integrity": "sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc=",
      "dev": true
    },
    "fast-uri": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
      "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
      "dev": true
    },
    "fast-xml-builder": {
      "version": "1.1.4",
      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
      "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
      "requires": {
        "path-expression-matcher": "^1.1.3"
      }
    },
    "fast-xml-parser": {
-      "version": "5.5.11",
+      "version": "5.0.9",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.11.tgz",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.0.9.tgz",
-      "integrity": "sha512-QL0eb0YbSTVWF6tTf1+LEMSgtCEjBYPpnAjoLC8SscESlAjXEIRJ7cHtLG0pLeDFaZLa4VKZLArtA/60ZS7vyA==",
+      "integrity": "sha512-2mBwCiuW3ycKQQ6SOesSB8WeF+fIGb6I/GG5vU5/XEptwFFhp9PE8b9O7fbs2dpq9fXn4ULR3UsfydNUCntf5A==",
      "requires": {
-        "fast-xml-builder": "^1.1.4",
+        "strnum": "^2.0.5"
        "path-expression-matcher": "^1.4.0",
        "strnum": "^2.2.3"
      }
    },
    "fastq": {
@ -10476,9 +10403,9 @@
      }
    },
    "flatted": {
-      "version": "3.4.2",
+      "version": "3.2.5",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "integrity": "sha512-WIWGi2L3DyTUvUrwRKgGi9TwxQMUEqPOPQBVi71R96jZXJdFskXEmf54BoZaS1kknGODoIGASGEzBUYdyMCBJg==",
      "dev": true
    },
    "form-data": {
@ -12115,9 +12042,9 @@
      }
    },
    "lodash": {
-      "version": "4.18.1",
+      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
      "dev": true
    },
    "lodash.memoize": {
@ -12218,9 +12145,9 @@
      "dev": true
    },
    "minimatch": {
-      "version": "3.1.5",
+      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
      "requires": {
        "brace-expansion": "^1.1.7"
      }
@ -12384,11 +12311,6 @@
      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
      "dev": true
    },
    "path-expression-matcher": {
      "version": "1.5.0",
      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
      "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ=="
    },
    "path-is-absolute": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
@ -12419,9 +12341,9 @@
      "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ=="
    },
    "picomatch": {
-      "version": "2.3.2",
+      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
      "dev": true
    },
    "pirates": {
@ -12748,9 +12670,9 @@
      "dev": true
    },
    "strnum": {
-      "version": "2.2.3",
+      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.0.5.tgz",
-      "integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg=="
+      "integrity": "sha512-YAT3K/sgpCUxhxNMrrdhtod3jckkpYwH6JAuwmUdXZsmzH1wUyzTMrrK2wYCEEqlKwrWDd35NeuUkbBy/1iK+Q=="
    },
    "supports-color": {
      "version": "7.2.0",
@ -12781,15 +12703,15 @@
      },
      "dependencies": {
        "ajv": {
-          "version": "8.18.0",
+          "version": "8.11.0",
-          "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
+          "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.11.0.tgz",
-          "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+          "integrity": "sha512-wGgprdCvMalC0BztXvitD2hC04YffAvtsUn93JbGXYLAtCUO4xd17mCCZQxUOItiBwZvJScWo8NIvQMQ71rdpg==",
          "dev": true,
          "requires": {
-            "fast-deep-equal": "^3.1.3",
+            "fast-deep-equal": "^3.1.1",
            "fast-uri": "^3.0.1",
            "json-schema-traverse": "^1.0.0",
-            "require-from-string": "^2.0.2"
+            "require-from-string": "^2.0.2",
            "uri-js": "^4.2.2"
          }
        },
        "json-schema-traverse": {
--- a/src/bravo-config.test.ts
+++ b/src/bravo-config.test.ts
@ -1,81 +0,0 @@
 import { buildBravoConfig } from "./bravo-config";
 import { Configuration } from "./interfaces";
 const base: Configuration = {
  repo: "org/repo",
  run_id: "123",
  correlation_id: "depot-abc",
  working_directory: "/w",
  api_url: "https://int.api.stepsecurity.io/v1",
  telemetry_url: "https://int.app-api.stepsecurity.io/v1",
  allowed_endpoints: "github.com:443",
  egress_policy: "audit",
  disable_telemetry: false,
  disable_sudo: false,
  disable_sudo_and_containers: false,
  disable_file_monitoring: false,
  is_github_hosted: false,
  private: "true" as unknown as string,
  is_debug: false,
  one_time_key: "otk-xyz",
  api_key: "tenant-key",
  use_policy_store: false,
  deploy_on_self_hosted_vm: false,
 };
 describe("buildBravoConfig", () => {
  test("forces is_github_hosted=true so agent honors passed correlation_id", () => {
    expect(buildBravoConfig(base).is_github_hosted).toBe(true);
  });
  test("omits api_key (agent authenticates via one_time_key, not vm-api-key)", () => {
    expect(buildBravoConfig(base)).not.toHaveProperty("api_key");
  });
  test("omits customer (server infers tenant from repo)", () => {
    expect(buildBravoConfig(base)).not.toHaveProperty("customer");
  });
  test("omits use_policy_store (action-side concern, not agent)", () => {
    expect(buildBravoConfig(base)).not.toHaveProperty("use_policy_store");
  });
  test("forwards telemetry_url so network events hit configured env", () => {
    expect(buildBravoConfig(base).telemetry_url).toBe(base.telemetry_url);
  });
  test("forwards one_time_key so agent can auth to presigned URL endpoint", () => {
    expect(buildBravoConfig(base).one_time_key).toBe("otk-xyz");
  });
  test("forwards repo, run_id, correlation_id so server can attribute events", () => {
    const cfg = buildBravoConfig(base);
    expect(cfg.repo).toBe("org/repo");
    expect(cfg.run_id).toBe("123");
    expect(cfg.correlation_id).toBe("depot-abc");
  });
  test("forwards private flag", () => {
    expect(buildBravoConfig(base).private).toBe(base.private);
  });
  test("forwards egress_policy and allowed_endpoints", () => {
    const cfg = buildBravoConfig(base);
    expect(cfg.egress_policy).toBe("audit");
    expect(cfg.allowed_endpoints).toBe("github.com:443");
  });
  test("forwards disable_* flags", () => {
    const cfg = buildBravoConfig({
      ...base,
      disable_telemetry: true,
      disable_sudo: true,
      disable_sudo_and_containers: true,
      disable_file_monitoring: true,
    });
    expect(cfg.disable_telemetry).toBe(true);
    expect(cfg.disable_sudo).toBe(true);
    expect(cfg.disable_sudo_and_containers).toBe(true);
    expect(cfg.disable_file_monitoring).toBe(true);
  });
 });
--- a/src/bravo-config.ts
+++ b/src/bravo-config.ts
@ -1,21 +0,0 @@
 import { Configuration } from "./interfaces";
 export function buildBravoConfig(confg: Configuration) {
  return {
    repo: confg.repo,
    run_id: confg.run_id,
    correlation_id: confg.correlation_id,
    working_directory: confg.working_directory,
    api_url: confg.api_url,
    telemetry_url: confg.telemetry_url,
    one_time_key: confg.one_time_key,
    allowed_endpoints: confg.allowed_endpoints,
    egress_policy: confg.egress_policy,
    disable_telemetry: confg.disable_telemetry,
    disable_sudo: confg.disable_sudo,
    disable_sudo_and_containers: confg.disable_sudo_and_containers,
    disable_file_monitoring: confg.disable_file_monitoring,
    private: confg.private,
    is_github_hosted: true,
  };
 }
--- a/src/checksum.test.ts
+++ b/src/checksum.test.ts
@ -1,98 +0,0 @@
 import * as fs from "fs";
 import * as crypto from "crypto";
 import * as core from "@actions/core";
 import { verifyChecksum, CHECKSUMS } from "./checksum";
 jest.mock("fs", () => ({
  ...jest.requireActual("fs"),
  readFileSync: jest.fn(),
 }));
 jest.mock("crypto", () => ({
  ...jest.requireActual("crypto"),
  createHash: jest.fn(),
 }));
 jest.mock("@actions/core");
 const mockReadFile = fs.readFileSync as jest.MockedFunction<typeof fs.readFileSync>;
 const mockSetFailed = core.setFailed as jest.MockedFunction<typeof core.setFailed>;
 const mockCreateHash = crypto.createHash as jest.MockedFunction<typeof crypto.createHash>;
 function stubHash(hash: string) {
  mockCreateHash.mockReturnValue({
    update: jest.fn().mockReturnThis(),
    digest: jest.fn().mockReturnValue(hash),
  } as unknown as crypto.Hash);
 }
 const WRONG_HASH = "0".repeat(64);
 describe("verifyChecksum", () => {
  beforeEach(() => {
    jest.clearAllMocks();
    mockReadFile.mockReturnValue(Buffer.from("test-payload"));
  });
  describe("agentType=bravo", () => {
    test("passes with matching bravo amd64 checksum", () => {
      stubHash(CHECKSUMS.bravo.amd64);
      expect(verifyChecksum("/tmp/f", true, "amd64", "linux", "bravo")).toBe(true);
      expect(mockSetFailed).not.toHaveBeenCalled();
    });
    test("passes with matching bravo arm64 checksum", () => {
      stubHash(CHECKSUMS.bravo.arm64);
      expect(verifyChecksum("/tmp/f", true, "arm64", "linux", "bravo")).toBe(true);
    });
    test("uses bravo checksum even when isTLS=false", () => {
      stubHash(CHECKSUMS.bravo.amd64);
      expect(verifyChecksum("/tmp/f", false, "amd64", "linux", "bravo")).toBe(true);
    });
    test("fails on mismatched bravo checksum", () => {
      stubHash(WRONG_HASH);
      expect(verifyChecksum("/tmp/f", true, "amd64", "linux", "bravo")).toBe(false);
      expect(mockSetFailed).toHaveBeenCalled();
    });
  });
  describe("agentType default (omitted)", () => {
    test("uses TLS checksum when isTLS=true", () => {
      stubHash(CHECKSUMS.tls.amd64);
      expect(verifyChecksum("/tmp/f", true, "amd64", "linux")).toBe(true);
    });
    test("uses non_tls checksum when isTLS=false", () => {
      stubHash(CHECKSUMS.non_tls.amd64);
      expect(verifyChecksum("/tmp/f", false, "amd64", "linux")).toBe(true);
    });
    test("TLS mismatch fails", () => {
      stubHash(CHECKSUMS.bravo.amd64);
      expect(verifyChecksum("/tmp/f", true, "amd64", "linux")).toBe(false);
      expect(mockSetFailed).toHaveBeenCalled();
    });
  });
  describe("darwin", () => {
    test("passes with matching darwin checksum", () => {
      stubHash(CHECKSUMS.darwin);
      expect(verifyChecksum("/tmp/f", false, "", "darwin")).toBe(true);
    });
  });
  describe("win32", () => {
    test("passes with matching windows amd64 checksum", () => {
      stubHash(CHECKSUMS.windows.amd64);
      expect(verifyChecksum("/tmp/f", false, "amd64", "win32")).toBe(true);
    });
  });
  describe("unsupported platform", () => {
    test("returns false without calling setFailed", () => {
      stubHash(CHECKSUMS.bravo.amd64);
      expect(verifyChecksum("/tmp/f", true, "amd64", "freebsd")).toBe(false);
      expect(mockSetFailed).not.toHaveBeenCalled();
    });
  });
 });
--- a/src/checksum.ts
+++ b/src/checksum.ts
@ -2,21 +2,17 @@ import * as core from "@actions/core";
 import * as crypto from "crypto";
 import * as fs from "fs";
-export const CHECKSUMS = {
+const CHECKSUMS = {
  tls: {
-    amd64: "d58a9c1c5245155ce4c71507a61e213a29925a7c39c0d20bfd00bef0d281bdbb", // v1.8.6
+    amd64: "19c35eee1347077eb71306b122ad4a1cf83f36ef0f69fd91b0c0d79ffd0eabdd", // v1.7.10
-    arm64: "084fa95e74d17321dd1c37c93abeb8577e53ddf5266410e19f52aa79a02ae33e",
+    arm64: "f9192788e86b2e44b795f072e8cc03eec9852649609aeedac0761d3b67c991fa",
  },
  non_tls: {
-    amd64: "e38de61e1afd98dd339bb9acce4996183875d482be1638fb198ab02b3e25bbef", // v0.16.0
+    amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
  },
-  bravo: {
+  darwin: "eefb162810c378653c16e122e024314a2e47592dc98b295433b26ad1a4f28590", // v0.0.2
    amd64: "495f607a891d89f12214849301f247bdca565afe67deb170fe7e5d6d361852ca", // v1.8.6
    arm64: "f96f66ab946097aae1fc887e12fe1cefcc5d510bce179221c7185374e4adf538",
  },
  darwin: "fe26a1f6af4afe9f1a854d8633832f5d18ab542827003cae445b3a64021d612c", // v0.0.5
  windows: {
-    amd64: "93f1e5d87c6647e6eca7963d5f4b4bd73107029430f8e6945ffece93007a89f5", // v1.0.2
+    amd64: "9e4fde66331be3261ae6ff954e531e94335b5774ac7e105f0126b391ee1c6d66", // v1.0.0-int
  },
 };
@ -25,8 +21,7 @@ export function verifyChecksum(
  downloadPath: string,
  isTLS: boolean,
  variant: string,
-  platform: string,
+  platform: string
  agentType: "default" | "bravo" = "default"
 ) {
  const fileBuffer: Buffer = fs.readFileSync(downloadPath);
  const checksum: string = crypto
@ -38,13 +33,9 @@ export function verifyChecksum(
  switch (platform) {
    case "linux":
-      if (agentType === "bravo") {
+      expectedChecksum = isTLS
-        expectedChecksum = CHECKSUMS["bravo"][variant];
+        ? CHECKSUMS["tls"][variant]
-      } else {
+        : CHECKSUMS["non_tls"][variant];
        expectedChecksum = isTLS
          ? CHECKSUMS["tls"][variant]
          : CHECKSUMS["non_tls"][variant];
      }
      break;
    case "darwin":
      expectedChecksum = CHECKSUMS["darwin"];
--- a/src/cleanup.ts
+++ b/src/cleanup.ts
@ -6,7 +6,7 @@ import isDocker from "is-docker";
 import { isARCRunner } from "./arc-runner";
 import { isGithubHosted } from "./tls-inspect";
 import { context } from "@actions/github";
-import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider } from "./utils";
+import { isPlatformSupported, isAgentInstalled } from "./utils";
 (async () => {
  console.log("[harden-runner] post-step");
@ -26,18 +26,11 @@ import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider }
    return;
  }
  if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
    console.log(common.UBUNTU_SLIM_MESSAGE);
    return;
  }
  if (isARCRunner()) {
    console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
    return;
  }
  const thirdPartyProvider = detectThirdPartyRunnerProvider();
  if (process.env.STATE_selfHosted === "true") {
    return;
  }
@ -56,11 +49,7 @@ import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider }
  switch (process.platform) {
    case "linux":
-      if (thirdPartyProvider) {
+      await handleLinuxCleanup();
        await handleAgentBravoCleanup();
      } else {
        await handleLinuxCleanup();
      }
      break;
    case "win32":
      await handleWindowsCleanup();
@ -77,38 +66,6 @@ import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider }
  }
 })();
 async function handleAgentBravoCleanup() {
  cp.execFileSync("/usr/bin/echo", ["step_policy_jobend"]);
  const doneFile = "/home/agent/done.json";
  let counter = 0;
  while (true) {
    if (!fs.existsSync(doneFile)) {
      counter++;
      if (counter > 10) {
        console.log("timed out");
        break;
      }
      await sleep(1000);
    } else {
      console.log(fs.readFileSync(doneFile, "utf-8"));
      break;
    }
  }
  const log = "/home/agent/agent.log";
  if (fs.existsSync(log)) {
    console.log("log:");
    console.log(fs.readFileSync(log, "utf-8"));
  }
  const status = "/home/agent/agent.status";
  if (fs.existsSync(status)) {
    console.log("status:");
    console.log(fs.readFileSync(status, "utf-8"));
  }
 }
 async function handleLinuxCleanup() {
  if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
    return;
@ -247,11 +204,6 @@ async function handleWindowsCleanup() {
    return;
  }
  if (process.arch === "arm64") {
    console.log(common.ARM64_WINDOWS_RUNNER_MESSAGE);
    return;
  }
  const p = cp.spawn(
    "powershell.exe",
    [
--- a/src/common.ts
+++ b/src/common.ts
@ -145,9 +145,3 @@ export const ARC_RUNNER_MESSAGE =
 export const ARM64_RUNNER_MESSAGE =
  "ARM runners are not supported in the Harden-Runner community tier.";
 export const ARM64_WINDOWS_RUNNER_MESSAGE =
  "Windows ARM runners are not yet supported by Harden-Runner.";
 export const UBUNTU_SLIM_MESSAGE =
  "This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";
--- a/src/configs.ts
+++ b/src/configs.ts
@ -2,7 +2,4 @@ export const STEPSECURITY_ENV = "agent"; // agent or int
 export const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
 export const STEPSECURITY_TELEMETRY_URL =
  "https://prod.app-api.stepsecurity.io/v1";
 export const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
--- a/src/install-agent.ts
+++ b/src/install-agent.ts
@ -5,7 +5,7 @@ import * as path from "path";
 import * as fs from "fs";
 import { verifyChecksum } from "./checksum";
 import { EOL } from "os";
-import { ARM64_RUNNER_MESSAGE, ARM64_WINDOWS_RUNNER_MESSAGE } from "./common";
+import { ARM64_RUNNER_MESSAGE } from "./common";
 import { chownForFolder } from "./utils";
 export async function installAgent(
@ -26,7 +26,7 @@ export async function installAgent(
  if (isTLS) {
    downloadPath = await tc.downloadTool(
-      `https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner_1.8.6_linux_${variant}.tar.gz`,
+      `https://github.com/step-security/agent-ebpf/releases/download/v1.7.10/harden-runner_1.7.10_linux_${variant}.tar.gz`,
      undefined,
      auth
    );
@ -36,7 +36,7 @@ export async function installAgent(
      return false;
    }
    downloadPath = await tc.downloadTool(
-      "https://github.com/step-security/agent/releases/download/v0.16.0/agent_0.16.0_linux_amd64.tar.gz",
+      "https://github.com/step-security/agent/releases/download/v0.14.2/agent_0.14.2_linux_amd64.tar.gz",
      undefined,
      auth
    );
@ -69,60 +69,6 @@ export async function installAgent(
  return true;
 }
 export async function installAgentBravo(configStr: string): Promise<boolean> {
  // Note: to avoid github rate limiting
  const token = core.getInput("token", { required: true });
  const auth = `token ${token}`;
  const variant = process.arch === "x64" ? "amd64" : "arm64";
  const downloadPath = await tc.downloadTool(
    `https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner-bravo_1.8.6_linux_${variant}.tar.gz`,
    undefined,
    auth
  );
  if (!verifyChecksum(downloadPath, true, variant, "linux", "bravo")) {
    return false;
  }
  const extractPath = await tc.extractTar(downloadPath);
  cp.execFileSync("cp", [path.join(extractPath, "agent"), "/home/agent/agent"]);
  cp.execSync("chmod +x /home/agent/agent");
  fs.writeFileSync("/home/agent/agent.json", configStr);
  const logStream = fs.openSync("/home/agent/agent.stdout", "a");
  const agentProcess = cp.spawn("sudo", ["/home/agent/agent"], {
    cwd: "/home/agent",
    detached: true,
    stdio: ["ignore", logStream, logStream],
  });
  agentProcess.unref();
  const agentStatus = "/home/agent/agent.status";
  const deadline = Date.now() + 10000;
  while (true) {
    if (!fs.existsSync(agentStatus)) {
      if (Date.now() >= deadline) {
        console.log("timed out waiting for bravo agent");
        if (fs.existsSync("/home/agent/agent.stdout")) {
          console.log(fs.readFileSync("/home/agent/agent.stdout", "utf-8"));
        }
        if (fs.existsSync("/home/agent/agent.log")) {
          console.log(fs.readFileSync("/home/agent/agent.log", "utf-8"));
        }
        break;
      }
      await new Promise((resolve) => setTimeout(resolve, 300));
    } else {
      console.log(fs.readFileSync(agentStatus, "utf-8"));
      break;
    }
  }
  return true;
 }
 export async function installMacosAgent(configStr: string): Promise<boolean> {
  const token = core.getInput("token", { required: true });
  const auth = `token ${token}`;
@ -143,7 +89,7 @@ export async function installMacosAgent(configStr: string): Promise<boolean> {
    // Download installer package
    const downloadUrl =
-      "https://github.com/step-security/agent-releases/releases/download/v0.0.5-mac/macos-installer-0.0.5.tar.gz";
+      "https://github.com/step-security/agent-int-releases/releases/download/v0.0.2-mac/macos-installer-0.0.2.tar.gz";
    core.info(`Downloading macOS installer.. : ${downloadUrl}`);
    const downloadPath = await tc.downloadTool(downloadUrl, undefined, auth);
    core.info(`✓ Successfully downloaded installer to: ${downloadPath}`);
@ -161,14 +107,13 @@ export async function installMacosAgent(configStr: string): Promise<boolean> {
    // Copy Installer binary to /opt/step-security
    const installerSourcePath = path.join(extractPath, "Installer");
    const installerBinaryPath = "/opt/step-security/Installer";
    core.info(
      `Copying Installer from ${installerSourcePath} to /opt/step-security...`
    );
-    cp.execFileSync("cp", [installerSourcePath, installerBinaryPath]);
+    cp.execSync(`cp "${installerSourcePath}" /opt/step-security/`);
    core.info("✓ Successfully copied Installer to /opt/step-security");
    const installerBinaryPath = "/opt/step-security/Installer";
    // Verify installer binary exists
    if (!fs.existsSync(installerBinaryPath)) {
@ -211,7 +156,7 @@ export async function installWindowsAgent(configStr: string): Promise<boolean> {
  const variant = process.arch === "x64" ? "amd64" : "arm64";
  if (variant === "arm64") {
-    console.log(ARM64_WINDOWS_RUNNER_MESSAGE);
+    console.log(ARM64_RUNNER_MESSAGE);
    return false;
  }
@ -226,7 +171,7 @@ export async function installWindowsAgent(configStr: string): Promise<boolean> {
  const agentExePath = path.join(agentDir, "agent.exe");
  const downloadPath = await tc.downloadTool(
-    `https://github.com/step-security/agent-releases/releases/download/v1.0.2-win/harden-runner-agent-windows_1.0.2_windows_amd64.tar.gz`,
+    `https://github.com/step-security/agent-releases/releases/download/v1.0.0-int/harden-runner-agent-windows_int_windows_amd64.tar.gz`,
    undefined,
    auth
  );
--- a/src/interfaces.ts
+++ b/src/interfaces.ts
@ -4,7 +4,6 @@ export interface Configuration {
  correlation_id: string;
  working_directory: string;
  api_url: string;
  telemetry_url: string;
  allowed_endpoints: string;
  egress_policy: string;
  disable_telemetry: boolean;
@ -15,9 +14,6 @@ export interface Configuration {
  private: string;
  is_debug: boolean;
  one_time_key: string;
  api_key: string;
  use_policy_store: boolean;
  deploy_on_self_hosted_vm: boolean;
 }
 export interface PolicyResponse {
@ -29,5 +25,4 @@ export interface PolicyResponse {
  disable_file_monitoring?: boolean;
  disable_telemetry?: boolean;
  egress_policy?: string;
  policy_name?: string;
 }
--- a/src/policy-utils.test.ts
+++ b/src/policy-utils.test.ts
@ -32,7 +32,6 @@ test("merge configs", async () => {
    correlation_id: "aaaaa",
    working_directory: "/xyz",
    api_url: "xyz",
    telemetry_url: "xyz",
    allowed_endpoints: "",
    egress_policy: "audit",
    disable_telemetry: false,
@ -43,9 +42,6 @@ test("merge configs", async () => {
    is_github_hosted: true,
    is_debug: false,
    one_time_key: "",
    api_key: "",
    use_policy_store: false,
    deploy_on_self_hosted_vm: false,
  };
  let policyResponse: PolicyResponse = {
    owner: "h0x0er",
@ -63,7 +59,6 @@ test("merge configs", async () => {
    correlation_id: "aaaaa",
    working_directory: "/xyz",
    api_url: "xyz",
    telemetry_url: "xyz",
    allowed_endpoints: "github.com:443 google.com:443",
    egress_policy: "audit",
    disable_telemetry: false,
@ -74,320 +69,8 @@ test("merge configs", async () => {
    is_github_hosted: true,
    is_debug: false,
    one_time_key: "",
    api_key: "",
    use_policy_store: false,
    deploy_on_self_hosted_vm: false,
  };
  localConfig = mergeConfigs(localConfig, policyResponse);
  expect(localConfig).toStrictEqual(expectedConfiguration);
 });
 // ==================== additional fetchPolicy tests ====================
 test("fetchPolicy throws when idToken is empty", async () => {
  await expect(fetchPolicy("owner", "policy1", "")).rejects.toThrow(
    "[PolicyFetch]: id-token in empty"
  );
 });
 test("fetchPolicy retries on failure and succeeds", async () => {
  const owner = "test-owner";
  const policyName = "test-policy";
  const response = {
    allowed_endpoints: ["example.com:443"],
    egress_policy: "block",
  };
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/actions/policies/${policyName}`)
    .replyWithError("connection timeout");
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/actions/policies/${policyName}`)
    .reply(200, response);
  const policy = await fetchPolicy(owner, policyName, "token123");
  expect(policy).toStrictEqual(response);
 });
 test("fetchPolicy throws after all retries exhausted", async () => {
  const owner = "test-owner";
  const policyName = "test-policy";
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/actions/policies/${policyName}`)
    .times(3)
    .replyWithError("connection timeout");
  await expect(
    fetchPolicy(owner, policyName, "token123")
  ).rejects.toThrow("[Policy Fetch]");
 });
 test("fetchPolicy preserves statusCode from error", async () => {
  const owner = "test-owner";
  const policyName = "test-policy";
  const errorWithStatus = new Error("Not Found");
  (errorWithStatus as any).statusCode = 404;
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/actions/policies/${policyName}`)
    .times(3)
    .replyWithError(errorWithStatus);
  try {
    await fetchPolicy(owner, policyName, "token123");
    fail("should have thrown");
  } catch (err) {
    expect(err.message).toContain("[Policy Fetch]");
  }
 });
 // ==================== fetchPolicyFromStore ====================
 import { fetchPolicyFromStore } from "./policy-utils";
 const policyStoreQueryString = (workflow: string, runId: string, correlationId: string) =>
  `workflow=${encodeURIComponent(workflow)}&run_id=${encodeURIComponent(runId)}&correlationId=${encodeURIComponent(correlationId)}`;
 test("success: fetches policy from store", async () => {
  const owner = "test-owner";
  const repo = "test-repo";
  const workflow = "ci.yml";
  const runId = "12345";
  const correlationId = "abc-def";
  const response = {
    allowed_endpoints: ["registry.npmjs.org:443", "github.com:443"],
    egress_policy: "block",
    disable_sudo: true,
    disable_file_monitoring: false,
  };
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
    .reply(200, response);
  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
  expect(result).toStrictEqual(response);
 });
 test("fetchPolicyFromStore throws when apiKey is empty", async () => {
  await expect(
    fetchPolicyFromStore("owner", "repo", "", "ci.yml", "123", "abc")
  ).rejects.toThrow("[PolicyStoreFetch]: api-key is empty");
 });
 test("fetchPolicyFromStore returns null when policy not found (404)", async () => {
  const owner = "test-owner";
  const repo = "test-repo";
  const workflow = "ci.yml";
  const runId = "12345";
  const correlationId = "abc-def";
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
    .reply(404, { message: "not found" });
  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
  expect(result).toBeNull();
 });
 test("fetchPolicyFromStore returns null when API returns empty policy", async () => {
  const owner = "test-owner";
  const repo = "nonexistent-repo";
  const workflow = "ci.yml";
  const runId = "12345";
  const correlationId = "abc-def";
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
    .reply(200, { allowed_endpoints: [], egress_policy: "", policy_name: "" });
  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
  expect(result).toBeNull();
 });
 test("fetchPolicyFromStore retries on failure and succeeds", async () => {
  const owner = "test-owner";
  const repo = "test-repo";
  const workflow = "ci.yml";
  const runId = "12345";
  const correlationId = "abc-def";
  const response = {
    allowed_endpoints: ["example.com:443"],
    egress_policy: "audit",
  };
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
    .replyWithError("timeout");
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
    .reply(200, response);
  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
  expect(result).toStrictEqual(response);
 });
 test("fetchPolicyFromStore throws after all retries exhausted", async () => {
  const owner = "test-owner";
  const repo = "test-repo";
  const workflow = "ci.yml";
  const runId = "12345";
  const correlationId = "abc-def";
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
    .times(3)
    .replyWithError("connection refused");
  await expect(
    fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId)
  ).rejects.toThrow("[Policy Store Fetch]");
 });
 test("fetchPolicyFromStore preserves statusCode from error", async () => {
  const owner = "test-owner";
  const repo = "test-repo";
  const workflow = "ci.yml";
  const runId = "12345";
  const correlationId = "abc-def";
  const errorWithStatus = new Error("Unauthorized");
  (errorWithStatus as any).statusCode = 401;
  nock(`${STEPSECURITY_API_URL}`)
    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
    .times(3)
    .replyWithError(errorWithStatus);
  try {
    await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
    fail("should have thrown");
  } catch (err) {
    expect(err.message).toContain("[Policy Store Fetch]");
  }
 });
 test("fetchPolicyFromStore sends correct authorization header", async () => {
  const owner = "test-owner";
  const repo = "test-repo";
  const apiKey = "secret-key-123";
  const workflow = "ci.yml";
  const runId = "12345";
  const correlationId = "abc-def";
  nock(`${STEPSECURITY_API_URL}`, {
    reqheaders: {
      Authorization: `vm-api-key ${apiKey}`,
      Source: "github-actions",
    },
  })
    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
    .reply(200, { allowed_endpoints: [], egress_policy: "audit" });
  const result = await fetchPolicyFromStore(owner, repo, apiKey, workflow, runId, correlationId);
  expect(result).toStrictEqual({
    allowed_endpoints: [],
    egress_policy: "audit",
  });
 });
 // ==================== additional mergeConfigs tests ====================
 test("mergeConfigs does not override local allowed_endpoints if not empty", () => {
  let localConfig: Configuration = {
    repo: "test/repo",
    run_id: "xyx",
    correlation_id: "aaaaa",
    working_directory: "/xyz",
    api_url: "xyz",
    telemetry_url: "xyz",
    allowed_endpoints: "local.endpoint:443",
    egress_policy: "audit",
    disable_telemetry: false,
    disable_sudo: false,
    disable_sudo_and_containers: false,
    disable_file_monitoring: false,
    private: "true",
    is_github_hosted: true,
    is_debug: false,
    one_time_key: "",
    api_key: "",
    use_policy_store: false,
    deploy_on_self_hosted_vm: false,
  };
  let policyResponse: PolicyResponse = {
    allowed_endpoints: ["remote.endpoint:443"],
    egress_policy: "block",
  };
  localConfig = mergeConfigs(localConfig, policyResponse);
  expect(localConfig.allowed_endpoints).toBe("local.endpoint:443");
  expect(localConfig.egress_policy).toBe("block");
 });
 test("mergeConfigs overrides disable_sudo_and_containers from remote", () => {
  let localConfig: Configuration = {
    repo: "test/repo",
    run_id: "xyx",
    correlation_id: "aaaaa",
    working_directory: "/xyz",
    api_url: "xyz",
    telemetry_url: "xyz",
    allowed_endpoints: "",
    egress_policy: "audit",
    disable_telemetry: false,
    disable_sudo: false,
    disable_sudo_and_containers: false,
    disable_file_monitoring: false,
    private: "true",
    is_github_hosted: true,
    is_debug: false,
    one_time_key: "",
    api_key: "",
    use_policy_store: false,
    deploy_on_self_hosted_vm: false,
  };
  let policyResponse: PolicyResponse = {
    allowed_endpoints: [],
    disable_sudo_and_containers: true,
  };
  localConfig = mergeConfigs(localConfig, policyResponse);
  expect(localConfig.disable_sudo_and_containers).toBe(true);
 });
 test("mergeConfigs does not override fields when remote values are undefined", () => {
  let localConfig: Configuration = {
    repo: "test/repo",
    run_id: "xyx",
    correlation_id: "aaaaa",
    working_directory: "/xyz",
    api_url: "xyz",
    telemetry_url: "xyz",
    allowed_endpoints: "",
    egress_policy: "block",
    disable_telemetry: false,
    disable_sudo: true,
    disable_sudo_and_containers: true,
    disable_file_monitoring: true,
    private: "true",
    is_github_hosted: true,
    is_debug: false,
    one_time_key: "",
    api_key: "",
    use_policy_store: false,
    deploy_on_self_hosted_vm: false,
  };
  let policyResponse: PolicyResponse = {
    allowed_endpoints: [],
  };
  localConfig = mergeConfigs(localConfig, policyResponse);
  expect(localConfig.disable_sudo).toBe(true);
  expect(localConfig.disable_sudo_and_containers).toBe(true);
  expect(localConfig.disable_file_monitoring).toBe(true);
  expect(localConfig.egress_policy).toBe("block");
 });
--- a/src/policy-utils.ts
+++ b/src/policy-utils.ts
@ -50,65 +50,6 @@ export async function fetchPolicy(
  }
 }
 export async function fetchPolicyFromStore(
  owner: string,
  repo: string,
  apiKey: string,
  workflow: string,
  runId: string,
  correlationId: string
 ): Promise<PolicyResponse | null> {
  if (apiKey === "") {
    throw new Error("[PolicyStoreFetch]: api-key is empty");
  }
  let policyEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/policies/workflow-policy?workflow=${encodeURIComponent(workflow)}&run_id=${encodeURIComponent(runId)}&correlationId=${encodeURIComponent(correlationId)}`;
  let httpClient = new HttpClient();
  let headers = {};
  headers["Authorization"] = `vm-api-key ${apiKey}`;
  headers["Source"] = "github-actions";
  let response = undefined;
  let err = undefined;
  let retry = 0;
  while (retry < 3) {
    try {
      console.log(`Attempt: ${retry + 1}`);
      response = await httpClient.getJson<PolicyResponse>(
        policyEndpoint,
        headers
      );
      break;
    } catch (e) {
      err = e;
    }
    retry += 1;
    await sleep(1000);
  }
  if (response === undefined && err !== undefined) {
    const error = new Error(`[Policy Store Fetch] ${err}`);
    if (err.statusCode !== undefined) {
      (error as any).statusCode = err.statusCode;
    }
    throw error;
  }
  if (response.statusCode === 404) {
    return null;
  }
  const result = response.result;
  if (!result || (!result.egress_policy && (!result.allowed_endpoints || result.allowed_endpoints.length === 0))) {
    return null;
  }
  return result;
 }
 export function mergeConfigs(
  localConfig: Configuration,
  remoteConfig: PolicyResponse
--- a/src/setup.ts
+++ b/src/setup.ts
@ -16,7 +16,7 @@ import {
  isValidEvent,
 } from "./cache";
 import { Configuration, PolicyResponse } from "./interfaces";
-import { fetchPolicy, fetchPolicyFromStore, mergeConfigs } from "./policy-utils";
+import { fetchPolicy, mergeConfigs } from "./policy-utils";
 import * as cache from "@actions/cache";
 import { getCacheEntry } from "@actions/cache/lib/internal/cacheHttpClient";
 import * as cacheTwirpClient from "@actions/cache/lib/internal/shared/cacheTwirpClient";
@ -25,21 +25,15 @@ import { getCacheServiceVersion } from "@actions/cache/lib/internal/config";
 import * as utils from "@actions/cache/lib/internal/cacheUtils";
 import { isARCRunner, sendAllowedEndpoints } from "./arc-runner";
-import {
+import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
  STEPSECURITY_API_URL,
  STEPSECURITY_TELEMETRY_URL,
  STEPSECURITY_WEB_URL,
 } from "./configs";
 import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
 import {
  installAgent,
  installAgentBravo,
  installMacosAgent,
  installWindowsAgent,
 } from "./install-agent";
-import { chownForFolder, detectThirdPartyRunnerProvider, isAgentInstalled, isPlatformSupported, shouldDeployAgentOnSelfHosted } from "./utils";
+import { chownForFolder, isAgentInstalled, isPlatformSupported } from "./utils";
 import { buildBravoConfig } from "./bravo-config";
 interface MonitorResponse {
  runner_ip_address?: string;
@ -66,11 +60,6 @@ interface MonitorResponse {
      return;
    }
    if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
      console.log(common.UBUNTU_SLIM_MESSAGE);
      return;
    }
    var correlation_id = uuidv4();
    var api_url = STEPSECURITY_API_URL;
    var web_url = STEPSECURITY_WEB_URL;
@ -81,7 +70,6 @@ interface MonitorResponse {
      correlation_id: correlation_id,
      working_directory: process.env["GITHUB_WORKSPACE"],
      api_url: api_url,
      telemetry_url: STEPSECURITY_TELEMETRY_URL,
      allowed_endpoints: core.getInput("allowed-endpoints"),
      egress_policy: core.getInput("egress-policy"),
      disable_telemetry: core.getBooleanInput("disable-telemetry"),
@ -94,55 +82,10 @@ interface MonitorResponse {
      is_github_hosted: isGithubHosted(),
      is_debug: core.isDebug(),
      one_time_key: "",
      api_key: core.getInput("api-key"),
      use_policy_store: core.getBooleanInput("use-policy-store"),
      deploy_on_self_hosted_vm: core.getBooleanInput("deploy-on-self-hosted-vm"),
    };
    if (confg.api_key !== "") {
      core.setSecret(confg.api_key);
    }
    let policyName = core.getInput("policy");
-    if (confg.use_policy_store) {
+    if (policyName !== "") {
      console.log(`Fetching policy from policy store`);
      if (confg.api_key === "") {
        core.warning(
          "api-key is not set while use-policy-store is true. Defaulting to audit mode."
        );
        confg.egress_policy = "audit";
      } else {
        try {
          const repoName = (process.env["GITHUB_REPOSITORY"] || "").split("/")[1] || "";
          const workflowRef = process.env["GITHUB_WORKFLOW_REF"] || "";
          const workflow = workflowRef.replace(/.*\.github\/workflows\//, "").replace(/@.*/, "");
          let result: PolicyResponse | null = await fetchPolicyFromStore(
            context.repo.owner,
            repoName,
            confg.api_key,
            workflow,
            confg.run_id,
            confg.correlation_id
          );
          if (result !== null) {
            core.info(`Policy found: ${result.policy_name || "unnamed"}`);
            confg = mergeConfigs(confg, result);
          } else {
            core.info("No policy found in policy store. Defaulting to audit mode.");
            confg.egress_policy = "audit";
          }
        } catch (err) {
          core.info(`[!] ${err}`);
          if (err.statusCode >= 400 && err.statusCode < 500) {
            core.info("Policy not found in policy store. Defaulting to audit mode.");
            confg.egress_policy = "audit";
          } else {
            core.error(`Unexpected error fetching from policy store: ${err}. Falling back to audit mode.`);
            confg.egress_policy = "audit";
          }
        }
      }
    } else if (policyName !== "") {
      console.log(`Fetching policy from API with name: ${policyName}`);
      try {
        let idToken: string = await core.getIDToken();
@ -299,46 +242,13 @@ interface MonitorResponse {
    const runnerName = process.env.RUNNER_NAME || "";
    core.info(`RUNNER_NAME: ${runnerName}`);
    if (!isGithubHosted()) {
      const thirdPartyProvider = detectThirdPartyRunnerProvider();
      if (thirdPartyProvider) {
        const providerLabel = thirdPartyProvider.charAt(0).toUpperCase() + thirdPartyProvider.slice(1);
        if (process.platform !== "linux") {
          core.info(`Detected ${providerLabel} runner on ${process.platform}. Bravo agent is Linux-only, skipping install.`);
          return;
        }
        core.info(`Detected ${providerLabel} runner environment. Installing agent-bravo.`);
        confg.correlation_id = runnerName || confg.correlation_id;
        await callMonitorEndpoint(api_url, confg);
        await installAgentForBravo(context.repo.owner, confg);
        return;
      }
      fs.appendFileSync(process.env.GITHUB_STATE, `selfHosted=true${EOL}`, {
        encoding: "utf8",
      });
      core.info(common.SELF_HOSTED_RUNNER_MESSAGE);
-      const inContainer = isDocker();
+      if (confg.egress_policy === "block") {
      const alreadyInstalled = isAgentInstalled(process.platform);
      if (shouldDeployAgentOnSelfHosted(confg.deploy_on_self_hosted_vm, inContainer, alreadyInstalled)) {
        if (process.platform !== "linux") {
          core.info("deploy-on-self-hosted-vm is only supported on Linux. Skipping agent deployment.");
        } else {
          core.info("deploy-on-self-hosted-vm is enabled. Installing agent on self-hosted runner.");
          await installAgentForSelfHosted(context.repo.owner, confg);
        }
      } else {
        if (confg.deploy_on_self_hosted_vm && inContainer) {
          core.info("Skipping agent deployment: running inside a container.");
        }
        if (confg.deploy_on_self_hosted_vm && alreadyInstalled) {
          core.info("Agent already installed on self-hosted runner, skipping installation.");
        }
      }
      if (confg.egress_policy === "block" && !confg.deploy_on_self_hosted_vm) {
        sendAllowedEndpoints(confg.allowed_endpoints);
        await sleep(5000);
      }
@ -417,8 +327,7 @@ interface MonitorResponse {
      return;
    }
-    const { api_key, use_policy_store, ...agentConfig } = confg;
+    const configStr = JSON.stringify(confg);
    const configStr = JSON.stringify(agentConfig);
    // platform specific
    let statusFile = "";
@ -493,112 +402,3 @@ export function sleep(ms: number) {
    setTimeout(resolve, ms);
  });
 }
 async function callMonitorEndpoint(api_url: string, confg: Configuration) {
  const _http = new httpm.HttpClient();
  _http.requestOptions = { socketTimeout: 3 * 1000 };
  let statusCode: number | undefined;
  let addSummary = "false";
  try {
    const monitorRequestData = {
      correlation_id: confg.correlation_id,
      job: process.env["GITHUB_JOB"],
    };
    const resp = await _http.postJson<MonitorResponse>(
      `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`,
      monitorRequestData
    );
    statusCode = resp.statusCode;
    if (resp.statusCode === 200 && resp.result) {
      console.log(`Runner IP Address: ${resp.result.runner_ip_address}`);
      confg.one_time_key = resp.result.one_time_key;
      addSummary = resp.result.monitoring_started ? "true" : "false";
    }
  } catch (e) {
    console.log(`error in connecting to ${api_url}: ${e}`);
  }
  fs.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${statusCode}${EOL}`, { encoding: "utf8" });
  fs.appendFileSync(process.env.GITHUB_STATE, `addSummary=${addSummary}${EOL}`, { encoding: "utf8" });
  fs.appendFileSync(process.env.GITHUB_STATE, `correlation_id=${confg.correlation_id}${EOL}`, { encoding: "utf8" });
 }
 export async function installAgentForSelfHosted(owner: string, confg: Configuration) {
  try {
    console.log("Installing Harden Runner agent for self-hosted runner");
    let isTLS = await isTLSEnabled(owner);
    if (!isTLS) {
      console.log("TLS is not enabled for this organization. Agent installation skipped for self-hosted runner.");
      return;
    }
    const selfHostedConfig = {
      customer: owner,
      working_directory: confg.working_directory,
      api_url: confg.api_url,
      api_key: uuidv4(),
      allowed_endpoints: confg.allowed_endpoints,
      egress_policy: confg.egress_policy,
      disable_telemetry: confg.disable_telemetry,
      disable_sudo: confg.disable_sudo,
      disable_sudo_and_containers: confg.disable_sudo_and_containers,
      disable_file_monitoring: confg.disable_file_monitoring,
      is_github_hosted: false,
    };
    const selfHostedConfigStr = JSON.stringify(selfHostedConfig);
    cp.execSync("sudo mkdir -p /home/agent");
    chownForFolder(process.env.USER, "/home/agent");
    const agentInstalled = await installAgent(isTLS, selfHostedConfigStr);
    if (agentInstalled) {
      const statusFile = "/home/agent/agent.status";
      const logFile = "/home/agent/agent.log";
      let counter = 0;
      while (true) {
        if (!fs.existsSync(statusFile)) {
          counter++;
          if (counter > 30) {
            console.log("timed out");
            if (fs.existsSync(logFile)) {
              const content = fs.readFileSync(logFile, "utf-8");
              console.log(content);
            }
            break;
          }
          await sleep(300);
        } else {
          const content = fs.readFileSync(statusFile, "utf-8");
          console.log(content);
          break;
        }
      }
    }
  } catch (error) {
    console.log(`Failed to install agent for self-hosted runner: ${error.message}`);
  }
 }
 export async function installAgentForBravo(owner: string, confg: Configuration) {
  try {
    console.log("Installing Harden Runner bravo agent for third-party runner");
    let isTLS = await isTLSEnabled(owner);
    if (!isTLS) {
      console.log("TLS is not enabled for this organization. Bravo agent installation skipped.");
      return;
    }
    const bravoConfigStr = JSON.stringify(buildBravoConfig(confg));
    cp.execSync("sudo mkdir -p /home/agent");
    chownForFolder(process.env.USER, "/home/agent");
    await installAgentBravo(bravoConfigStr);
  } catch (error) {
    console.log(`Failed to install bravo agent: ${error.message}`);
  }
 }
--- a/src/utils.test.ts
+++ b/src/utils.test.ts
@ -1,158 +0,0 @@
 import { shouldDeployAgentOnSelfHosted, isAgentInstalled, isPlatformSupported, getAnnotationLogs, detectThirdPartyRunnerProvider } from "./utils";
 import * as fs from "fs";
 jest.mock("fs", () => ({
  ...jest.requireActual("fs"),
  existsSync: jest.fn(),
 }));
 const mockedExistsSync = fs.existsSync as jest.MockedFunction<typeof fs.existsSync>;
 describe("shouldDeployAgentOnSelfHosted", () => {
  test("returns true when deploy flag is true, not container, agent not installed", () => {
    expect(shouldDeployAgentOnSelfHosted(true, false, false)).toBe(true);
  });
  test("returns false when deploy flag is false", () => {
    expect(shouldDeployAgentOnSelfHosted(false, false, false)).toBe(false);
  });
  test("returns false when running in a container", () => {
    expect(shouldDeployAgentOnSelfHosted(true, true, false)).toBe(false);
  });
  test("returns false when agent is already installed", () => {
    expect(shouldDeployAgentOnSelfHosted(true, false, true)).toBe(false);
  });
  test("returns false when in container and agent installed", () => {
    expect(shouldDeployAgentOnSelfHosted(true, true, true)).toBe(false);
  });
  test("returns false when all conditions are negative", () => {
    expect(shouldDeployAgentOnSelfHosted(false, true, true)).toBe(false);
  });
 });
 describe("isAgentInstalled", () => {
  afterEach(() => {
    mockedExistsSync.mockReset();
  });
  test("returns false for linux when status file does not exist", () => {
    mockedExistsSync.mockReturnValue(false);
    expect(isAgentInstalled("linux")).toBe(false);
    expect(mockedExistsSync).toHaveBeenCalledWith("/home/agent/agent.status");
  });
  test("returns true for linux when status file exists", () => {
    mockedExistsSync.mockReturnValue(true);
    expect(isAgentInstalled("linux")).toBe(true);
  });
  test("returns false for win32 when status file does not exist", () => {
    mockedExistsSync.mockReturnValue(false);
    expect(isAgentInstalled("win32")).toBe(false);
    expect(mockedExistsSync).toHaveBeenCalledWith("C:\\agent\\agent.status");
  });
  test("returns false for darwin when status file does not exist", () => {
    mockedExistsSync.mockReturnValue(false);
    expect(isAgentInstalled("darwin")).toBe(false);
    expect(mockedExistsSync).toHaveBeenCalledWith("/opt/step-security/agent.status");
  });
  test("returns false for unsupported platform", () => {
    expect(isAgentInstalled("freebsd" as NodeJS.Platform)).toBe(false);
  });
 });
 describe("isPlatformSupported", () => {
  test("returns true for linux", () => {
    expect(isPlatformSupported("linux")).toBe(true);
  });
  test("returns true for win32", () => {
    expect(isPlatformSupported("win32")).toBe(true);
  });
  test("returns true for darwin", () => {
    expect(isPlatformSupported("darwin")).toBe(true);
  });
  test("returns false for unsupported platform", () => {
    expect(isPlatformSupported("freebsd" as NodeJS.Platform)).toBe(false);
  });
 });
 describe("getAnnotationLogs", () => {
  test("throws for unsupported platform", () => {
    expect(() => getAnnotationLogs("freebsd" as NodeJS.Platform)).toThrow("platform not supported");
  });
 });
 describe("detectThirdPartyRunnerProvider", () => {
  const originalEnv = process.env;
  beforeEach(() => {
    process.env = { ...originalEnv };
    delete process.env.DEPOT_RUNNER;
    delete process.env.NAMESPACE_GITHUB_RUNTIME;
    delete process.env.RUNNER_NAME;
  });
  afterAll(() => {
    process.env = originalEnv;
  });
  test("returns depot when DEPOT_RUNNER=1", () => {
    process.env.DEPOT_RUNNER = "1";
    expect(detectThirdPartyRunnerProvider()).toBe("depot");
  });
  test("returns null when DEPOT_RUNNER=0", () => {
    process.env.DEPOT_RUNNER = "0";
    expect(detectThirdPartyRunnerProvider()).toBeNull();
  });
  test("returns namespace when NAMESPACE_GITHUB_RUNTIME is set", () => {
    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
    expect(detectThirdPartyRunnerProvider()).toBe("namespace");
  });
  test("returns warp for RUNNER_NAME prefix warp-", () => {
    process.env.RUNNER_NAME = "warp-4x-x64-abc";
    expect(detectThirdPartyRunnerProvider()).toBe("warp");
  });
  test("returns blacksmith for RUNNER_NAME prefix blacksmith-", () => {
    process.env.RUNNER_NAME = "blacksmith-01kpj-4vcpu";
    expect(detectThirdPartyRunnerProvider()).toBe("blacksmith");
  });
  test("returns null when no env vars match", () => {
    expect(detectThirdPartyRunnerProvider()).toBeNull();
  });
  test("returns null for a non-matching RUNNER_NAME", () => {
    process.env.RUNNER_NAME = "GitHub Actions 1";
    expect(detectThirdPartyRunnerProvider()).toBeNull();
  });
  test("depot takes precedence over namespace", () => {
    process.env.DEPOT_RUNNER = "1";
    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
    expect(detectThirdPartyRunnerProvider()).toBe("depot");
  });
  test("namespace takes precedence over warp runner name prefix", () => {
    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
    process.env.RUNNER_NAME = "warp-x";
    expect(detectThirdPartyRunnerProvider()).toBe("namespace");
  });
  test("warp takes precedence over blacksmith when both prefixes seen (warp wins on name check order)", () => {
    process.env.RUNNER_NAME = "warp-x";
    expect(detectThirdPartyRunnerProvider()).toBe("warp");
  });
 });
--- a/src/utils.ts
+++ b/src/utils.ts
@ -32,25 +32,6 @@ export function isAgentInstalled(platform: NodeJS.Platform) {
  }
 }
 export function shouldDeployAgentOnSelfHosted(
  deployOnSelfHostedVm: boolean,
  isContainer: boolean,
  agentAlreadyInstalled: boolean
 ): boolean {
  return deployOnSelfHostedVm && !isContainer && !agentAlreadyInstalled;
 }
 export type ThirdPartyRunnerProvider = "depot" | "namespace" | "warp" | "blacksmith";
 export function detectThirdPartyRunnerProvider(): ThirdPartyRunnerProvider | null {
  if (process.env["DEPOT_RUNNER"] === "1") return "depot";
  if (process.env["NAMESPACE_GITHUB_RUNTIME"]) return "namespace";
  const runnerName = process.env["RUNNER_NAME"] ?? "";
  if (runnerName.startsWith("warp-")) return "warp";
  if (runnerName.startsWith("blacksmith-")) return "blacksmith";
  return null;
 }
 export function getAnnotationLogs(platform: NodeJS.Platform) {
  switch (platform) {
    case "linux":
Author	SHA1	Message	Date
Varun Sharma	bc791947a3	Merge pull request #634 from h0x0er/jatin/winmac Add combined windows and macos changes	2026-02-07 22:10:19 -08:00
Jatin	ec2fee99eb	wait for done.json only if agent is installed	2026-02-03 17:59:09 +05:30
Jatin	e823d39c9a	Fixed verifyChecksum logic and updated macos checksum	2026-02-03 16:06:10 +05:30
Jatin	9a13b2d01e	updated macos-installer download-url	2026-02-03 15:33:26 +05:30
Jatin	6061152f29	addressed comments	2026-02-03 12:04:06 +05:30
Jatin	ac1419447b	Read platform specific annotation-logs & added post-step check in macos-cleanup	2026-02-02 17:40:08 +05:30
Jatin	ef9c6372b3	combined windows and macos changes	2026-02-02 15:04:58 +05:30