update agent

README.md

@@ -22,8 +22,6 @@ Traditional security monitoring and EDR solutions are ineffective for CI/CD runn
 StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners, with support for Linux, Windows, and macOS runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
 ### Harden-Runner: Security Incidents Detected
 
-- [Harden-Runner Detected the Compromised axios npm Package Dropping a Remote Access Trojan](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan) ([backstage/backstage#33693](https://github.com/backstage/backstage/issues/33693), [block/elasticgraph#1103](https://github.com/block/elasticgraph/issues/1103))
-- [Harden-Runner Detected the Trivy Compromise with Malicious v0.69.4 Release](https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release) ([k8gb-io/k8gb#2294](https://github.com/k8gb-io/k8gb/issues/2294))
 - [Harden-Runner Detected the tj-actions/changed-files compromise](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) ([CVE-2025-30066](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3))
 - [Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF’s Backstage Repository](https://www.stepsecurity.io/blog/how-harden-runner-detected-the-sha1-hulud-supply-chain-attack-in-cncfs-backstage-repository)
 - [Harden-Runner Detected the NX Build System compromise](https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware)
@@ -34,7 +32,7 @@ StepSecurity Harden-Runner addresses this gap by providing security monitoring t
 - [Harden-Runner Flagged an Anomalous Outbound Call, Leading to a Docker Documentation Update](https://www.stepsecurity.io/blog/harden-runner-flags-anomalous-outbound-call-leading-to-docker-documentation-update)
 
 ### See It in Action
-Harden-Runner secures over **25 million CI/CD workflow runs every week**, protecting thousands of pipelines, including those from popular open-source projects by **Microsoft, Google, and CISA**. See how top projects are using Harden-Runner and explore the insights:  
+Harden-Runner secures over **18 million CI/CD workflow runs every week**, protecting thousands of pipelines, including those from popular open-source projects by **Microsoft, Google, and CISA**. See how top projects are using Harden-Runner and explore the insights:  
 ➡️ [Who's using Harden-Runner?](https://docs.stepsecurity.io/whos-using-harden-runner)
 
 ## Quick Links
@@ -72,7 +70,7 @@ To integrate Harden-Runner, follow these steps:
    ```yaml
    steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+       uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit
 
@@ -151,11 +149,11 @@ Harden-Runner is trusted by over 11,000 leading open-source projects and enterpr
 
 ### Enterprise Case Studies
 
-- [How Mercari Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/mercari)
-- [How Omnissa Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/omnissa)
-- [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
 - [How Coveo Strengthened GitHub Actions Security with StepSecurity](https://www.stepsecurity.io/case-studies/coveo)
 - [Hashgraph Achieves Comprehensive CI/CD Security Without Compromising Development Speed](https://www.stepsecurity.io/case-studies/hashgraph)
+- [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
+- [Kapiche secures their GitHub Actions software supply chain with Harden-Runner](https://www.stepsecurity.io/case-studies/kapiche)
+- [Arcjet Enhances CI/CD Security with Harden-Runner](https://www.stepsecurity.io/case-studies/arcjet)
 
 ---
 
@@ -163,7 +161,7 @@ Harden-Runner is trusted by over 11,000 leading open-source projects and enterpr
 
 Harden-Runner is designed to work seamlessly across a variety of runner environments, providing consistent security insights and protections regardless of where your workflows execute. For self-hosted runners, audit mode is deployed directly to the runner infrastructure without requiring any changes to your existing workflows. For more details, refer to the [official documentation](https://docs.stepsecurity.io/harden-runner).
 
-| Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit/Block Mode |
+| Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit Mode |
 |------------------|---------------|--------------------------|-------------------|
 | GitHub-hosted runners (Linux) | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
 | GitHub-hosted runners (Windows, macOS) | ✅ Audit mode only | Add Harden-Runner Action to workflow | Yes |

action.yml

@@ -29,21 +29,9 @@ inputs:
     required: false
     default: "false"
   policy:
-    description: "Policy name to be used from the policy store. Requires id-token: write permission."
+    description: "Policy name to be used from the policy store"
     required: false
     default: ""
-  api-key:
-    description: "StepSecurity API key for authenticating with the policy store. Required when use-policy-store is set to true."
-    required: false
-    default: ""
-  use-policy-store:
-    description: "Set to true to fetch policy from the policy store using the API key. This is the preferred method over the policy input which requires id-token: write permission. Policies can be defined and attached at workflow, repo, org, or cluster (for ARC) level in the policy store. The most granular policy will apply."
-    required: false
-    default: "false"
-  deploy-on-self-hosted-vm:
-    description: "Set to true to deploy the Harden Runner agent directly on a self-hosted runner VM (Linux only). The recommended approach for self-hosted VMs is to bake the agent into the VM image; see docs.stepsecurity.io. Use this option only if baking is not possible, and only for ephemeral runners."
-    required: false
-    default: "false"
 
 branding:
   icon: "check-square"

dist/index.js

@@ -31910,22 +31910,6 @@ function isAgentInstalled(platform) {
             return false;
     }
 }
-function shouldDeployAgentOnSelfHosted(deployOnSelfHostedVm, isContainer, agentAlreadyInstalled) {
-    return deployOnSelfHostedVm && !isContainer && !agentAlreadyInstalled;
-}
-function detectThirdPartyRunnerProvider() {
-    var _a;
-    if (process.env["DEPOT_RUNNER"] === "1")
-        return "depot";
-    if (process.env["NAMESPACE_GITHUB_RUNTIME"])
-        return "namespace";
-    const runnerName = (_a = process.env["RUNNER_NAME"]) !== null && _a !== void 0 ? _a : "";
-    if (runnerName.startsWith("warp-"))
-        return "warp";
-    if (runnerName.startsWith("blacksmith-"))
-        return "blacksmith";
-    return null;
-}
 function utils_getAnnotationLogs(platform) {
     switch (platform) {
         case "linux":
@@ -32046,7 +32030,6 @@ const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
 const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
 const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
-const UBUNTU_SLIM_MESSAGE = "This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";
 
 ;// CONCATENATED MODULE: external "node:fs"
 const external_node_fs_namespaceObject = require("node:fs");
@@ -32084,7 +32067,6 @@ function isDocker() {
 ;// CONCATENATED MODULE: ./src/configs.ts
 const STEPSECURITY_ENV = "agent"; // agent or int
 const configs_STEPSECURITY_API_URL = (/* unused pure expression or super */ null && (`https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`));
-const STEPSECURITY_TELEMETRY_URL = "https://prod.app-api.stepsecurity.io/v1";
 const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
 
 // EXTERNAL MODULE: ./node_modules/@actions/http-client/lib/index.js

dist/post/index.js

@@ -31881,7 +31881,6 @@ var lib_core = __nccwpck_require__(7484);
 ;// CONCATENATED MODULE: ./src/configs.ts
 const STEPSECURITY_ENV = "agent"; // agent or int
 const configs_STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
-const STEPSECURITY_TELEMETRY_URL = "https://prod.app-api.stepsecurity.io/v1";
 const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
 
 // EXTERNAL MODULE: external "child_process"
@@ -31916,22 +31915,6 @@ function isAgentInstalled(platform) {
             return false;
     }
 }
-function shouldDeployAgentOnSelfHosted(deployOnSelfHostedVm, isContainer, agentAlreadyInstalled) {
-    return deployOnSelfHostedVm && !isContainer && !agentAlreadyInstalled;
-}
-function detectThirdPartyRunnerProvider() {
-    var _a;
-    if (process.env["DEPOT_RUNNER"] === "1")
-        return "depot";
-    if (process.env["NAMESPACE_GITHUB_RUNTIME"])
-        return "namespace";
-    const runnerName = (_a = process.env["RUNNER_NAME"]) !== null && _a !== void 0 ? _a : "";
-    if (runnerName.startsWith("warp-"))
-        return "warp";
-    if (runnerName.startsWith("blacksmith-"))
-        return "blacksmith";
-    return null;
-}
 function getAnnotationLogs(platform) {
     switch (platform) {
         case "linux":
@@ -32052,7 +32035,6 @@ const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner.";
 const ARM64_RUNNER_MESSAGE = "ARM runners are not supported in the Harden-Runner community tier.";
 const ARM64_WINDOWS_RUNNER_MESSAGE = "Windows ARM runners are not yet supported by Harden-Runner.";
-const UBUNTU_SLIM_MESSAGE = "This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";
 
 // EXTERNAL MODULE: external "path"
 var external_path_ = __nccwpck_require__(6928);
@@ -32215,15 +32197,10 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         console.log(CONTAINER_MESSAGE);
         return;
     }
-    if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
-        console.log(UBUNTU_SLIM_MESSAGE);
-        return;
-    }
     if (isARCRunner()) {
         console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
         return;
     }
-    const thirdPartyProvider = detectThirdPartyRunnerProvider();
     if (process.env.STATE_selfHosted === "true") {
         return;
     }
@@ -32237,12 +32214,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
     }
     switch (process.platform) {
         case "linux":
-            if (thirdPartyProvider) {
-                yield handleAgentBravoCleanup();
-            }
-            else {
             yield handleLinuxCleanup();
-            }
             break;
         case "win32":
             yield handleWindowsCleanup();
@@ -32258,37 +32230,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         console.log(exception);
     }
 }))();
-function handleAgentBravoCleanup() {
-    return cleanup_awaiter(this, void 0, void 0, function* () {
-        external_child_process_.execFileSync("/usr/bin/echo", ["step_policy_jobend"]);
-        const doneFile = "/home/agent/done.json";
-        let counter = 0;
-        while (true) {
-            if (!external_fs_.existsSync(doneFile)) {
-                counter++;
-                if (counter > 10) {
-                    console.log("timed out");
-                    break;
-                }
-                yield sleep(1000);
-            }
-            else {
-                console.log(external_fs_.readFileSync(doneFile, "utf-8"));
-                break;
-            }
-        }
-        const log = "/home/agent/agent.log";
-        if (external_fs_.existsSync(log)) {
-            console.log("log:");
-            console.log(external_fs_.readFileSync(log, "utf-8"));
-        }
-        const status = "/home/agent/agent.status";
-        if (external_fs_.existsSync(status)) {
-            console.log("status:");
-            console.log(external_fs_.readFileSync(status, "utf-8"));
-        }
-    });
-}
 function handleLinuxCleanup() {
     return cleanup_awaiter(this, void 0, void 0, function* () {
         if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {

package-lock.json

@@ -2852,10 +2852,9 @@
       "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.14",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
-      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
-      "license": "MIT",
+      "version": "1.1.12",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
       "dependencies": {
         "balanced-match": "^1.0.0",
         "concat-map": "0.0.1"
@@ -3766,24 +3765,21 @@
       "license": "BSD-3-Clause"
     },
     "node_modules/fast-xml-builder": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
-      "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
+      "integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ==",
       "funding": [
         {
           "type": "github",
           "url": "https://github.com/sponsors/NaturalIntelligence"
         }
       ],
-      "license": "MIT",
-      "dependencies": {
-        "path-expression-matcher": "^1.1.3"
-      }
+      "license": "MIT"
     },
     "node_modules/fast-xml-parser": {
-      "version": "5.5.11",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.11.tgz",
-      "integrity": "sha512-QL0eb0YbSTVWF6tTf1+LEMSgtCEjBYPpnAjoLC8SscESlAjXEIRJ7cHtLG0pLeDFaZLa4VKZLArtA/60ZS7vyA==",
+      "version": "5.4.1",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.1.tgz",
+      "integrity": "sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==",
       "funding": [
         {
           "type": "github",
@@ -3792,9 +3788,8 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "fast-xml-builder": "^1.1.4",
-        "path-expression-matcher": "^1.4.0",
-        "strnum": "^2.2.3"
+        "fast-xml-builder": "^1.0.0",
+        "strnum": "^2.1.2"
       },
       "bin": {
         "fxparser": "src/cli/cli.js"
@@ -3891,11 +3886,10 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
-      "dev": true,
-      "license": "ISC"
+      "version": "3.2.5",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz",
+      "integrity": "sha512-WIWGi2L3DyTUvUrwRKgGi9TwxQMUEqPOPQBVi71R96jZXJdFskXEmf54BoZaS1kknGODoIGASGEzBUYdyMCBJg==",
+      "dev": true
     },
     "node_modules/form-data": {
       "version": "2.5.5",
@@ -6085,9 +6079,9 @@
       }
     },
     "node_modules/lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "version": "4.17.23",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
       "dev": true,
       "license": "MIT"
     },
@@ -6454,21 +6448,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/path-expression-matcher": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
-      "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": ">=14.0.0"
-      }
-    },
     "node_modules/path-is-absolute": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
@@ -6508,11 +6487,10 @@
       "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ=="
     },
     "node_modules/picomatch": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
-      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
       "dev": true,
-      "license": "MIT",
       "engines": {
         "node": ">=8.6"
       },
@@ -6988,9 +6966,9 @@
       }
     },
     "node_modules/strnum": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz",
-      "integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz",
+      "integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==",
       "funding": [
         {
           "type": "github",
@@ -9722,9 +9700,9 @@
       "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
     },
     "brace-expansion": {
-      "version": "1.1.14",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
-      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "version": "1.1.12",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
       "requires": {
         "balanced-match": "^1.0.0",
         "concat-map": "0.0.1"
@@ -10393,21 +10371,17 @@
       "dev": true
     },
     "fast-xml-builder": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
-      "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
-      "requires": {
-        "path-expression-matcher": "^1.1.3"
-      }
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
+      "integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ=="
     },
     "fast-xml-parser": {
-      "version": "5.5.11",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.11.tgz",
-      "integrity": "sha512-QL0eb0YbSTVWF6tTf1+LEMSgtCEjBYPpnAjoLC8SscESlAjXEIRJ7cHtLG0pLeDFaZLa4VKZLArtA/60ZS7vyA==",
+      "version": "5.4.1",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.1.tgz",
+      "integrity": "sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==",
       "requires": {
-        "fast-xml-builder": "^1.1.4",
-        "path-expression-matcher": "^1.4.0",
-        "strnum": "^2.2.3"
+        "fast-xml-builder": "^1.0.0",
+        "strnum": "^2.1.2"
       }
     },
     "fastq": {
@@ -10476,9 +10450,9 @@
       }
     },
     "flatted": {
-      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "version": "3.2.5",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz",
+      "integrity": "sha512-WIWGi2L3DyTUvUrwRKgGi9TwxQMUEqPOPQBVi71R96jZXJdFskXEmf54BoZaS1kknGODoIGASGEzBUYdyMCBJg==",
       "dev": true
     },
     "form-data": {
@@ -12115,9 +12089,9 @@
       }
     },
     "lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "version": "4.17.23",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
       "dev": true
     },
     "lodash.memoize": {
@@ -12384,11 +12358,6 @@
       "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
       "dev": true
     },
-    "path-expression-matcher": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
-      "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ=="
-    },
     "path-is-absolute": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
@@ -12419,9 +12388,9 @@
       "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ=="
     },
     "picomatch": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
-      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
       "dev": true
     },
     "pirates": {
@@ -12748,9 +12717,9 @@
       "dev": true
     },
     "strnum": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz",
-      "integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg=="
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz",
+      "integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg=="
     },
     "supports-color": {
       "version": "7.2.0",

src/bravo-config.test.ts

@@ -1,81 +0,0 @@
-import { buildBravoConfig } from "./bravo-config";
-import { Configuration } from "./interfaces";
-
-const base: Configuration = {
-  repo: "org/repo",
-  run_id: "123",
-  correlation_id: "depot-abc",
-  working_directory: "/w",
-  api_url: "https://int.api.stepsecurity.io/v1",
-  telemetry_url: "https://int.app-api.stepsecurity.io/v1",
-  allowed_endpoints: "github.com:443",
-  egress_policy: "audit",
-  disable_telemetry: false,
-  disable_sudo: false,
-  disable_sudo_and_containers: false,
-  disable_file_monitoring: false,
-  is_github_hosted: false,
-  private: "true" as unknown as string,
-  is_debug: false,
-  one_time_key: "otk-xyz",
-  api_key: "tenant-key",
-  use_policy_store: false,
-  deploy_on_self_hosted_vm: false,
-};
-
-describe("buildBravoConfig", () => {
-  test("forces is_github_hosted=true so agent honors passed correlation_id", () => {
-    expect(buildBravoConfig(base).is_github_hosted).toBe(true);
-  });
-
-  test("omits api_key (agent authenticates via one_time_key, not vm-api-key)", () => {
-    expect(buildBravoConfig(base)).not.toHaveProperty("api_key");
-  });
-
-  test("omits customer (server infers tenant from repo)", () => {
-    expect(buildBravoConfig(base)).not.toHaveProperty("customer");
-  });
-
-  test("omits use_policy_store (action-side concern, not agent)", () => {
-    expect(buildBravoConfig(base)).not.toHaveProperty("use_policy_store");
-  });
-
-  test("forwards telemetry_url so network events hit configured env", () => {
-    expect(buildBravoConfig(base).telemetry_url).toBe(base.telemetry_url);
-  });
-
-  test("forwards one_time_key so agent can auth to presigned URL endpoint", () => {
-    expect(buildBravoConfig(base).one_time_key).toBe("otk-xyz");
-  });
-
-  test("forwards repo, run_id, correlation_id so server can attribute events", () => {
-    const cfg = buildBravoConfig(base);
-    expect(cfg.repo).toBe("org/repo");
-    expect(cfg.run_id).toBe("123");
-    expect(cfg.correlation_id).toBe("depot-abc");
-  });
-
-  test("forwards private flag", () => {
-    expect(buildBravoConfig(base).private).toBe(base.private);
-  });
-
-  test("forwards egress_policy and allowed_endpoints", () => {
-    const cfg = buildBravoConfig(base);
-    expect(cfg.egress_policy).toBe("audit");
-    expect(cfg.allowed_endpoints).toBe("github.com:443");
-  });
-
-  test("forwards disable_* flags", () => {
-    const cfg = buildBravoConfig({
-      ...base,
-      disable_telemetry: true,
-      disable_sudo: true,
-      disable_sudo_and_containers: true,
-      disable_file_monitoring: true,
-    });
-    expect(cfg.disable_telemetry).toBe(true);
-    expect(cfg.disable_sudo).toBe(true);
-    expect(cfg.disable_sudo_and_containers).toBe(true);
-    expect(cfg.disable_file_monitoring).toBe(true);
-  });
-});

src/bravo-config.ts

@@ -1,21 +0,0 @@
-import { Configuration } from "./interfaces";
-
-export function buildBravoConfig(confg: Configuration) {
-  return {
-    repo: confg.repo,
-    run_id: confg.run_id,
-    correlation_id: confg.correlation_id,
-    working_directory: confg.working_directory,
-    api_url: confg.api_url,
-    telemetry_url: confg.telemetry_url,
-    one_time_key: confg.one_time_key,
-    allowed_endpoints: confg.allowed_endpoints,
-    egress_policy: confg.egress_policy,
-    disable_telemetry: confg.disable_telemetry,
-    disable_sudo: confg.disable_sudo,
-    disable_sudo_and_containers: confg.disable_sudo_and_containers,
-    disable_file_monitoring: confg.disable_file_monitoring,
-    private: confg.private,
-    is_github_hosted: true,
-  };
-}

src/checksum.test.ts

@@ -1,98 +0,0 @@
-import * as fs from "fs";
-import * as crypto from "crypto";
-import * as core from "@actions/core";
-import { verifyChecksum, CHECKSUMS } from "./checksum";
-
-jest.mock("fs", () => ({
-  ...jest.requireActual("fs"),
-  readFileSync: jest.fn(),
-}));
-jest.mock("crypto", () => ({
-  ...jest.requireActual("crypto"),
-  createHash: jest.fn(),
-}));
-jest.mock("@actions/core");
-
-const mockReadFile = fs.readFileSync as jest.MockedFunction<typeof fs.readFileSync>;
-const mockSetFailed = core.setFailed as jest.MockedFunction<typeof core.setFailed>;
-const mockCreateHash = crypto.createHash as jest.MockedFunction<typeof crypto.createHash>;
-
-function stubHash(hash: string) {
-  mockCreateHash.mockReturnValue({
-    update: jest.fn().mockReturnThis(),
-    digest: jest.fn().mockReturnValue(hash),
-  } as unknown as crypto.Hash);
-}
-
-const WRONG_HASH = "0".repeat(64);
-
-describe("verifyChecksum", () => {
-  beforeEach(() => {
-    jest.clearAllMocks();
-    mockReadFile.mockReturnValue(Buffer.from("test-payload"));
-  });
-
-  describe("agentType=bravo", () => {
-    test("passes with matching bravo amd64 checksum", () => {
-      stubHash(CHECKSUMS.bravo.amd64);
-      expect(verifyChecksum("/tmp/f", true, "amd64", "linux", "bravo")).toBe(true);
-      expect(mockSetFailed).not.toHaveBeenCalled();
-    });
-
-    test("passes with matching bravo arm64 checksum", () => {
-      stubHash(CHECKSUMS.bravo.arm64);
-      expect(verifyChecksum("/tmp/f", true, "arm64", "linux", "bravo")).toBe(true);
-    });
-
-    test("uses bravo checksum even when isTLS=false", () => {
-      stubHash(CHECKSUMS.bravo.amd64);
-      expect(verifyChecksum("/tmp/f", false, "amd64", "linux", "bravo")).toBe(true);
-    });
-
-    test("fails on mismatched bravo checksum", () => {
-      stubHash(WRONG_HASH);
-      expect(verifyChecksum("/tmp/f", true, "amd64", "linux", "bravo")).toBe(false);
-      expect(mockSetFailed).toHaveBeenCalled();
-    });
-  });
-
-  describe("agentType default (omitted)", () => {
-    test("uses TLS checksum when isTLS=true", () => {
-      stubHash(CHECKSUMS.tls.amd64);
-      expect(verifyChecksum("/tmp/f", true, "amd64", "linux")).toBe(true);
-    });
-
-    test("uses non_tls checksum when isTLS=false", () => {
-      stubHash(CHECKSUMS.non_tls.amd64);
-      expect(verifyChecksum("/tmp/f", false, "amd64", "linux")).toBe(true);
-    });
-
-    test("TLS mismatch fails", () => {
-      stubHash(CHECKSUMS.bravo.amd64);
-      expect(verifyChecksum("/tmp/f", true, "amd64", "linux")).toBe(false);
-      expect(mockSetFailed).toHaveBeenCalled();
-    });
-  });
-
-  describe("darwin", () => {
-    test("passes with matching darwin checksum", () => {
-      stubHash(CHECKSUMS.darwin);
-      expect(verifyChecksum("/tmp/f", false, "", "darwin")).toBe(true);
-    });
-  });
-
-  describe("win32", () => {
-    test("passes with matching windows amd64 checksum", () => {
-      stubHash(CHECKSUMS.windows.amd64);
-      expect(verifyChecksum("/tmp/f", false, "amd64", "win32")).toBe(true);
-    });
-  });
-
-  describe("unsupported platform", () => {
-    test("returns false without calling setFailed", () => {
-      stubHash(CHECKSUMS.bravo.amd64);
-      expect(verifyChecksum("/tmp/f", true, "amd64", "freebsd")).toBe(false);
-      expect(mockSetFailed).not.toHaveBeenCalled();
-    });
-  });
-});

src/checksum.ts

@@ -2,21 +2,17 @@ import * as core from "@actions/core";
 import * as crypto from "crypto";
 import * as fs from "fs";
 
-export const CHECKSUMS = {
+const CHECKSUMS = {
   tls: {
-    amd64: "d58a9c1c5245155ce4c71507a61e213a29925a7c39c0d20bfd00bef0d281bdbb", // v1.8.6
-    arm64: "084fa95e74d17321dd1c37c93abeb8577e53ddf5266410e19f52aa79a02ae33e",
+    amd64: "19c35eee1347077eb71306b122ad4a1cf83f36ef0f69fd91b0c0d79ffd0eabdd", // v1.7.10
+    arm64: "f9192788e86b2e44b795f072e8cc03eec9852649609aeedac0761d3b67c991fa",
   },
   non_tls: {
-    amd64: "e38de61e1afd98dd339bb9acce4996183875d482be1638fb198ab02b3e25bbef", // v0.16.0
+    amd64: "1531bda40026b799b0704d0f775c372653a91fe436628fa8b416849d9c0707a8", // v0.14.4
   },
-  bravo: {
-    amd64: "495f607a891d89f12214849301f247bdca565afe67deb170fe7e5d6d361852ca", // v1.8.6
-    arm64: "f96f66ab946097aae1fc887e12fe1cefcc5d510bce179221c7185374e4adf538",
-  },
-  darwin: "fe26a1f6af4afe9f1a854d8633832f5d18ab542827003cae445b3a64021d612c", // v0.0.5
+  darwin: "797399a3a3f6f9c4c000a02e0d8c7b16499129c9bdc2ad9cf2a10072c10654fb", // v0.0.4
   windows: {
-    amd64: "93f1e5d87c6647e6eca7963d5f4b4bd73107029430f8e6945ffece93007a89f5", // v1.0.2
+    amd64: "e98f8b9cf9ecf6566f1e16a470fbe4aef01610a644fd8203a1bab3ff142186c8", // v1.0.0
   },
 };
 
@@ -25,8 +21,7 @@ export function verifyChecksum(
   downloadPath: string,
   isTLS: boolean,
   variant: string,
-  platform: string,
-  agentType: "default" | "bravo" = "default"
+  platform: string
 ) {
   const fileBuffer: Buffer = fs.readFileSync(downloadPath);
   const checksum: string = crypto
@@ -38,13 +33,9 @@ export function verifyChecksum(
 
   switch (platform) {
     case "linux":
-      if (agentType === "bravo") {
-        expectedChecksum = CHECKSUMS["bravo"][variant];
-      } else {
       expectedChecksum = isTLS
         ? CHECKSUMS["tls"][variant]
         : CHECKSUMS["non_tls"][variant];
-      }
       break;
     case "darwin":
       expectedChecksum = CHECKSUMS["darwin"];

src/cleanup.ts

@@ -6,7 +6,7 @@ import isDocker from "is-docker";
 import { isARCRunner } from "./arc-runner";
 import { isGithubHosted } from "./tls-inspect";
 import { context } from "@actions/github";
-import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider } from "./utils";
+import { isPlatformSupported, isAgentInstalled } from "./utils";
 
 (async () => {
   console.log("[harden-runner] post-step");
@@ -26,18 +26,11 @@ import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider }
     return;
   }
 
-  if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
-    console.log(common.UBUNTU_SLIM_MESSAGE);
-    return;
-  }
-
   if (isARCRunner()) {
     console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
     return;
   }
 
-  const thirdPartyProvider = detectThirdPartyRunnerProvider();
-
   if (process.env.STATE_selfHosted === "true") {
     return;
   }
@@ -56,11 +49,7 @@ import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider }
 
   switch (process.platform) {
     case "linux":
-      if (thirdPartyProvider) {
-        await handleAgentBravoCleanup();
-      } else {
       await handleLinuxCleanup();
-      }
       break;
     case "win32":
       await handleWindowsCleanup();
@@ -77,38 +66,6 @@ import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider }
   }
 })();
 
-async function handleAgentBravoCleanup() {
-  cp.execFileSync("/usr/bin/echo", ["step_policy_jobend"]);
-
-  const doneFile = "/home/agent/done.json";
-  let counter = 0;
-  while (true) {
-    if (!fs.existsSync(doneFile)) {
-      counter++;
-      if (counter > 10) {
-        console.log("timed out");
-        break;
-      }
-      await sleep(1000);
-    } else {
-      console.log(fs.readFileSync(doneFile, "utf-8"));
-      break;
-    }
-  }
-
-  const log = "/home/agent/agent.log";
-  if (fs.existsSync(log)) {
-    console.log("log:");
-    console.log(fs.readFileSync(log, "utf-8"));
-  }
-
-  const status = "/home/agent/agent.status";
-  if (fs.existsSync(status)) {
-    console.log("status:");
-    console.log(fs.readFileSync(status, "utf-8"));
-  }
-}
-
 async function handleLinuxCleanup() {
   if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
     return;

src/common.ts

@@ -148,6 +148,3 @@ export const ARM64_RUNNER_MESSAGE =
 
 export const ARM64_WINDOWS_RUNNER_MESSAGE =
   "Windows ARM runners are not yet supported by Harden-Runner.";
-
-export const UBUNTU_SLIM_MESSAGE =
-  "This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";

src/configs.ts

@@ -2,7 +2,4 @@ export const STEPSECURITY_ENV = "agent"; // agent or int
 
 export const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
 
-export const STEPSECURITY_TELEMETRY_URL =
-  "https://prod.app-api.stepsecurity.io/v1";
-
 export const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";

src/install-agent.ts

@@ -26,7 +26,7 @@ export async function installAgent(
 
   if (isTLS) {
     downloadPath = await tc.downloadTool(
-      `https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner_1.8.6_linux_${variant}.tar.gz`,
+      `https://github.com/step-security/agent-ebpf/releases/download/v1.7.10/harden-runner_1.7.10_linux_${variant}.tar.gz`,
       undefined,
       auth
     );
@@ -36,7 +36,7 @@ export async function installAgent(
       return false;
     }
     downloadPath = await tc.downloadTool(
-      "https://github.com/step-security/agent/releases/download/v0.16.0/agent_0.16.0_linux_amd64.tar.gz",
+      "https://github.com/step-security/agent/releases/download/v0.14.4/agent_0.14.4_linux_amd64.tar.gz",
       undefined,
       auth
     );
@@ -69,60 +69,6 @@ export async function installAgent(
   return true;
 }
 
-export async function installAgentBravo(configStr: string): Promise<boolean> {
-  // Note: to avoid github rate limiting
-  const token = core.getInput("token", { required: true });
-  const auth = `token ${token}`;
-
-  const variant = process.arch === "x64" ? "amd64" : "arm64";
-  const downloadPath = await tc.downloadTool(
-    `https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner-bravo_1.8.6_linux_${variant}.tar.gz`,
-    undefined,
-    auth
-  );
-
-  if (!verifyChecksum(downloadPath, true, variant, "linux", "bravo")) {
-    return false;
-  }
-
-  const extractPath = await tc.extractTar(downloadPath);
-  cp.execFileSync("cp", [path.join(extractPath, "agent"), "/home/agent/agent"]);
-
-  cp.execSync("chmod +x /home/agent/agent");
-
-  fs.writeFileSync("/home/agent/agent.json", configStr);
-
-  const logStream = fs.openSync("/home/agent/agent.stdout", "a");
-  const agentProcess = cp.spawn("sudo", ["/home/agent/agent"], {
-    cwd: "/home/agent",
-    detached: true,
-    stdio: ["ignore", logStream, logStream],
-  });
-  agentProcess.unref();
-
-  const agentStatus = "/home/agent/agent.status";
-  const deadline = Date.now() + 10000;
-  while (true) {
-    if (!fs.existsSync(agentStatus)) {
-      if (Date.now() >= deadline) {
-        console.log("timed out waiting for bravo agent");
-        if (fs.existsSync("/home/agent/agent.stdout")) {
-          console.log(fs.readFileSync("/home/agent/agent.stdout", "utf-8"));
-        }
-        if (fs.existsSync("/home/agent/agent.log")) {
-          console.log(fs.readFileSync("/home/agent/agent.log", "utf-8"));
-        }
-        break;
-      }
-      await new Promise((resolve) => setTimeout(resolve, 300));
-    } else {
-      console.log(fs.readFileSync(agentStatus, "utf-8"));
-      break;
-    }
-  }
-  return true;
-}
-
 export async function installMacosAgent(configStr: string): Promise<boolean> {
   const token = core.getInput("token", { required: true });
   const auth = `token ${token}`;
@@ -143,7 +89,7 @@ export async function installMacosAgent(configStr: string): Promise<boolean> {
 
     // Download installer package
     const downloadUrl =
-      "https://github.com/step-security/agent-releases/releases/download/v0.0.5-mac/macos-installer-0.0.5.tar.gz";
+      "https://github.com/step-security/agent-releases/releases/download/v0.0.4-mac/macos-installer-0.0.4.tar.gz";
     core.info(`Downloading macOS installer.. : ${downloadUrl}`);
     const downloadPath = await tc.downloadTool(downloadUrl, undefined, auth);
     core.info(`✓ Successfully downloaded installer to: ${downloadPath}`);
@@ -226,7 +172,7 @@ export async function installWindowsAgent(configStr: string): Promise<boolean> {
   const agentExePath = path.join(agentDir, "agent.exe");
 
   const downloadPath = await tc.downloadTool(
-    `https://github.com/step-security/agent-releases/releases/download/v1.0.2-win/harden-runner-agent-windows_1.0.2_windows_amd64.tar.gz`,
+    `https://github.com/step-security/agent-releases/releases/download/v1.0.0-win/harden-runner-agent-windows_1.0.0_windows_amd64.tar.gz`,
     undefined,
     auth
   );

src/interfaces.ts

@@ -4,7 +4,6 @@ export interface Configuration {
   correlation_id: string;
   working_directory: string;
   api_url: string;
-  telemetry_url: string;
   allowed_endpoints: string;
   egress_policy: string;
   disable_telemetry: boolean;
@@ -15,9 +14,6 @@ export interface Configuration {
   private: string;
   is_debug: boolean;
   one_time_key: string;
-  api_key: string;
-  use_policy_store: boolean;
-  deploy_on_self_hosted_vm: boolean;
 }
 
 export interface PolicyResponse {
@@ -29,5 +25,4 @@ export interface PolicyResponse {
   disable_file_monitoring?: boolean;
   disable_telemetry?: boolean;
   egress_policy?: string;
-  policy_name?: string;
 }

src/policy-utils.test.ts

@@ -32,7 +32,6 @@ test("merge configs", async () => {
     correlation_id: "aaaaa",
     working_directory: "/xyz",
     api_url: "xyz",
-    telemetry_url: "xyz",
     allowed_endpoints: "",
     egress_policy: "audit",
     disable_telemetry: false,
@@ -43,9 +42,6 @@ test("merge configs", async () => {
     is_github_hosted: true,
     is_debug: false,
     one_time_key: "",
-    api_key: "",
-    use_policy_store: false,
-    deploy_on_self_hosted_vm: false,
   };
   let policyResponse: PolicyResponse = {
     owner: "h0x0er",
@@ -63,7 +59,6 @@ test("merge configs", async () => {
     correlation_id: "aaaaa",
     working_directory: "/xyz",
     api_url: "xyz",
-    telemetry_url: "xyz",
     allowed_endpoints: "github.com:443 google.com:443",
     egress_policy: "audit",
     disable_telemetry: false,
@@ -74,320 +69,8 @@ test("merge configs", async () => {
     is_github_hosted: true,
     is_debug: false,
     one_time_key: "",
-    api_key: "",
-    use_policy_store: false,
-    deploy_on_self_hosted_vm: false,
   };
 
   localConfig = mergeConfigs(localConfig, policyResponse);
   expect(localConfig).toStrictEqual(expectedConfiguration);
 });
-
-// ==================== additional fetchPolicy tests ====================
-
-test("fetchPolicy throws when idToken is empty", async () => {
-  await expect(fetchPolicy("owner", "policy1", "")).rejects.toThrow(
-    "[PolicyFetch]: id-token in empty"
-  );
-});
-
-test("fetchPolicy retries on failure and succeeds", async () => {
-  const owner = "test-owner";
-  const policyName = "test-policy";
-  const response = {
-    allowed_endpoints: ["example.com:443"],
-    egress_policy: "block",
-  };
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/actions/policies/${policyName}`)
-    .replyWithError("connection timeout");
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/actions/policies/${policyName}`)
-    .reply(200, response);
-
-  const policy = await fetchPolicy(owner, policyName, "token123");
-  expect(policy).toStrictEqual(response);
-});
-
-test("fetchPolicy throws after all retries exhausted", async () => {
-  const owner = "test-owner";
-  const policyName = "test-policy";
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/actions/policies/${policyName}`)
-    .times(3)
-    .replyWithError("connection timeout");
-
-  await expect(
-    fetchPolicy(owner, policyName, "token123")
-  ).rejects.toThrow("[Policy Fetch]");
-});
-
-test("fetchPolicy preserves statusCode from error", async () => {
-  const owner = "test-owner";
-  const policyName = "test-policy";
-
-  const errorWithStatus = new Error("Not Found");
-  (errorWithStatus as any).statusCode = 404;
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/actions/policies/${policyName}`)
-    .times(3)
-    .replyWithError(errorWithStatus);
-
-  try {
-    await fetchPolicy(owner, policyName, "token123");
-    fail("should have thrown");
-  } catch (err) {
-    expect(err.message).toContain("[Policy Fetch]");
-  }
-});
-
-// ==================== fetchPolicyFromStore ====================
-
-import { fetchPolicyFromStore } from "./policy-utils";
-
-const policyStoreQueryString = (workflow: string, runId: string, correlationId: string) =>
-  `workflow=${encodeURIComponent(workflow)}&run_id=${encodeURIComponent(runId)}&correlationId=${encodeURIComponent(correlationId)}`;
-
-test("success: fetches policy from store", async () => {
-  const owner = "test-owner";
-  const repo = "test-repo";
-  const workflow = "ci.yml";
-  const runId = "12345";
-  const correlationId = "abc-def";
-  const response = {
-    allowed_endpoints: ["registry.npmjs.org:443", "github.com:443"],
-    egress_policy: "block",
-    disable_sudo: true,
-    disable_file_monitoring: false,
-  };
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
-    .reply(200, response);
-
-  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
-  expect(result).toStrictEqual(response);
-});
-
-test("fetchPolicyFromStore throws when apiKey is empty", async () => {
-  await expect(
-    fetchPolicyFromStore("owner", "repo", "", "ci.yml", "123", "abc")
-  ).rejects.toThrow("[PolicyStoreFetch]: api-key is empty");
-});
-
-test("fetchPolicyFromStore returns null when policy not found (404)", async () => {
-  const owner = "test-owner";
-  const repo = "test-repo";
-  const workflow = "ci.yml";
-  const runId = "12345";
-  const correlationId = "abc-def";
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
-    .reply(404, { message: "not found" });
-
-  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
-  expect(result).toBeNull();
-});
-
-test("fetchPolicyFromStore returns null when API returns empty policy", async () => {
-  const owner = "test-owner";
-  const repo = "nonexistent-repo";
-  const workflow = "ci.yml";
-  const runId = "12345";
-  const correlationId = "abc-def";
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
-    .reply(200, { allowed_endpoints: [], egress_policy: "", policy_name: "" });
-
-  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
-  expect(result).toBeNull();
-});
-
-test("fetchPolicyFromStore retries on failure and succeeds", async () => {
-  const owner = "test-owner";
-  const repo = "test-repo";
-  const workflow = "ci.yml";
-  const runId = "12345";
-  const correlationId = "abc-def";
-  const response = {
-    allowed_endpoints: ["example.com:443"],
-    egress_policy: "audit",
-  };
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
-    .replyWithError("timeout");
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
-    .reply(200, response);
-
-  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
-  expect(result).toStrictEqual(response);
-});
-
-test("fetchPolicyFromStore throws after all retries exhausted", async () => {
-  const owner = "test-owner";
-  const repo = "test-repo";
-  const workflow = "ci.yml";
-  const runId = "12345";
-  const correlationId = "abc-def";
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
-    .times(3)
-    .replyWithError("connection refused");
-
-  await expect(
-    fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId)
-  ).rejects.toThrow("[Policy Store Fetch]");
-});
-
-test("fetchPolicyFromStore preserves statusCode from error", async () => {
-  const owner = "test-owner";
-  const repo = "test-repo";
-  const workflow = "ci.yml";
-  const runId = "12345";
-  const correlationId = "abc-def";
-
-  const errorWithStatus = new Error("Unauthorized");
-  (errorWithStatus as any).statusCode = 401;
-
-  nock(`${STEPSECURITY_API_URL}`)
-    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
-    .times(3)
-    .replyWithError(errorWithStatus);
-
-  try {
-    await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
-    fail("should have thrown");
-  } catch (err) {
-    expect(err.message).toContain("[Policy Store Fetch]");
-  }
-});
-
-test("fetchPolicyFromStore sends correct authorization header", async () => {
-  const owner = "test-owner";
-  const repo = "test-repo";
-  const apiKey = "secret-key-123";
-  const workflow = "ci.yml";
-  const runId = "12345";
-  const correlationId = "abc-def";
-
-  nock(`${STEPSECURITY_API_URL}`, {
-    reqheaders: {
-      Authorization: `vm-api-key ${apiKey}`,
-      Source: "github-actions",
-    },
-  })
-    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
-    .reply(200, { allowed_endpoints: [], egress_policy: "audit" });
-
-  const result = await fetchPolicyFromStore(owner, repo, apiKey, workflow, runId, correlationId);
-  expect(result).toStrictEqual({
-    allowed_endpoints: [],
-    egress_policy: "audit",
-  });
-});
-
-// ==================== additional mergeConfigs tests ====================
-
-test("mergeConfigs does not override local allowed_endpoints if not empty", () => {
-  let localConfig: Configuration = {
-    repo: "test/repo",
-    run_id: "xyx",
-    correlation_id: "aaaaa",
-    working_directory: "/xyz",
-    api_url: "xyz",
-    telemetry_url: "xyz",
-    allowed_endpoints: "local.endpoint:443",
-    egress_policy: "audit",
-    disable_telemetry: false,
-    disable_sudo: false,
-    disable_sudo_and_containers: false,
-    disable_file_monitoring: false,
-    private: "true",
-    is_github_hosted: true,
-    is_debug: false,
-    one_time_key: "",
-    api_key: "",
-    use_policy_store: false,
-    deploy_on_self_hosted_vm: false,
-  };
-  let policyResponse: PolicyResponse = {
-    allowed_endpoints: ["remote.endpoint:443"],
-    egress_policy: "block",
-  };
-
-  localConfig = mergeConfigs(localConfig, policyResponse);
-  expect(localConfig.allowed_endpoints).toBe("local.endpoint:443");
-  expect(localConfig.egress_policy).toBe("block");
-});
-
-test("mergeConfigs overrides disable_sudo_and_containers from remote", () => {
-  let localConfig: Configuration = {
-    repo: "test/repo",
-    run_id: "xyx",
-    correlation_id: "aaaaa",
-    working_directory: "/xyz",
-    api_url: "xyz",
-    telemetry_url: "xyz",
-    allowed_endpoints: "",
-    egress_policy: "audit",
-    disable_telemetry: false,
-    disable_sudo: false,
-    disable_sudo_and_containers: false,
-    disable_file_monitoring: false,
-    private: "true",
-    is_github_hosted: true,
-    is_debug: false,
-    one_time_key: "",
-    api_key: "",
-    use_policy_store: false,
-    deploy_on_self_hosted_vm: false,
-  };
-  let policyResponse: PolicyResponse = {
-    allowed_endpoints: [],
-    disable_sudo_and_containers: true,
-  };
-
-  localConfig = mergeConfigs(localConfig, policyResponse);
-  expect(localConfig.disable_sudo_and_containers).toBe(true);
-});
-
-test("mergeConfigs does not override fields when remote values are undefined", () => {
-  let localConfig: Configuration = {
-    repo: "test/repo",
-    run_id: "xyx",
-    correlation_id: "aaaaa",
-    working_directory: "/xyz",
-    api_url: "xyz",
-    telemetry_url: "xyz",
-    allowed_endpoints: "",
-    egress_policy: "block",
-    disable_telemetry: false,
-    disable_sudo: true,
-    disable_sudo_and_containers: true,
-    disable_file_monitoring: true,
-    private: "true",
-    is_github_hosted: true,
-    is_debug: false,
-    one_time_key: "",
-    api_key: "",
-    use_policy_store: false,
-    deploy_on_self_hosted_vm: false,
-  };
-  let policyResponse: PolicyResponse = {
-    allowed_endpoints: [],
-  };
-
-  localConfig = mergeConfigs(localConfig, policyResponse);
-  expect(localConfig.disable_sudo).toBe(true);
-  expect(localConfig.disable_sudo_and_containers).toBe(true);
-  expect(localConfig.disable_file_monitoring).toBe(true);
-  expect(localConfig.egress_policy).toBe("block");
-});

src/policy-utils.ts

@@ -50,65 +50,6 @@ export async function fetchPolicy(
   }
 }
 
-export async function fetchPolicyFromStore(
-  owner: string,
-  repo: string,
-  apiKey: string,
-  workflow: string,
-  runId: string,
-  correlationId: string
-): Promise<PolicyResponse | null> {
-  if (apiKey === "") {
-    throw new Error("[PolicyStoreFetch]: api-key is empty");
-  }
-
-  let policyEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/policies/workflow-policy?workflow=${encodeURIComponent(workflow)}&run_id=${encodeURIComponent(runId)}&correlationId=${encodeURIComponent(correlationId)}`;
-
-  let httpClient = new HttpClient();
-
-  let headers = {};
-  headers["Authorization"] = `vm-api-key ${apiKey}`;
-  headers["Source"] = "github-actions";
-
-  let response = undefined;
-  let err = undefined;
-
-  let retry = 0;
-  while (retry < 3) {
-    try {
-      console.log(`Attempt: ${retry + 1}`);
-      response = await httpClient.getJson<PolicyResponse>(
-        policyEndpoint,
-        headers
-      );
-      break;
-    } catch (e) {
-      err = e;
-    }
-    retry += 1;
-    await sleep(1000);
-  }
-
-  if (response === undefined && err !== undefined) {
-    const error = new Error(`[Policy Store Fetch] ${err}`);
-    if (err.statusCode !== undefined) {
-      (error as any).statusCode = err.statusCode;
-    }
-    throw error;
-  }
-
-  if (response.statusCode === 404) {
-    return null;
-  }
-
-  const result = response.result;
-  if (!result || (!result.egress_policy && (!result.allowed_endpoints || result.allowed_endpoints.length === 0))) {
-    return null;
-  }
-
-  return result;
-}
-
 export function mergeConfigs(
   localConfig: Configuration,
   remoteConfig: PolicyResponse

src/setup.ts

@@ -16,7 +16,7 @@ import {
   isValidEvent,
 } from "./cache";
 import { Configuration, PolicyResponse } from "./interfaces";
-import { fetchPolicy, fetchPolicyFromStore, mergeConfigs } from "./policy-utils";
+import { fetchPolicy, mergeConfigs } from "./policy-utils";
 import * as cache from "@actions/cache";
 import { getCacheEntry } from "@actions/cache/lib/internal/cacheHttpClient";
 import * as cacheTwirpClient from "@actions/cache/lib/internal/shared/cacheTwirpClient";
@@ -25,21 +25,15 @@ import { getCacheServiceVersion } from "@actions/cache/lib/internal/config";
 
 import * as utils from "@actions/cache/lib/internal/cacheUtils";
 import { isARCRunner, sendAllowedEndpoints } from "./arc-runner";
-import {
-  STEPSECURITY_API_URL,
-  STEPSECURITY_TELEMETRY_URL,
-  STEPSECURITY_WEB_URL,
-} from "./configs";
+import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
 import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
 import {
   installAgent,
-  installAgentBravo,
   installMacosAgent,
   installWindowsAgent,
 } from "./install-agent";
 
-import { chownForFolder, detectThirdPartyRunnerProvider, isAgentInstalled, isPlatformSupported, shouldDeployAgentOnSelfHosted } from "./utils";
-import { buildBravoConfig } from "./bravo-config";
+import { chownForFolder, isAgentInstalled, isPlatformSupported } from "./utils";
 
 interface MonitorResponse {
   runner_ip_address?: string;
@@ -66,11 +60,6 @@ interface MonitorResponse {
       return;
     }
 
-    if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
-      console.log(common.UBUNTU_SLIM_MESSAGE);
-      return;
-    }
-
     var correlation_id = uuidv4();
     var api_url = STEPSECURITY_API_URL;
     var web_url = STEPSECURITY_WEB_URL;
@@ -81,7 +70,6 @@ interface MonitorResponse {
       correlation_id: correlation_id,
       working_directory: process.env["GITHUB_WORKSPACE"],
       api_url: api_url,
-      telemetry_url: STEPSECURITY_TELEMETRY_URL,
       allowed_endpoints: core.getInput("allowed-endpoints"),
       egress_policy: core.getInput("egress-policy"),
       disable_telemetry: core.getBooleanInput("disable-telemetry"),
@@ -94,55 +82,10 @@ interface MonitorResponse {
       is_github_hosted: isGithubHosted(),
       is_debug: core.isDebug(),
       one_time_key: "",
-      api_key: core.getInput("api-key"),
-      use_policy_store: core.getBooleanInput("use-policy-store"),
-      deploy_on_self_hosted_vm: core.getBooleanInput("deploy-on-self-hosted-vm"),
     };
 
-    if (confg.api_key !== "") {
-      core.setSecret(confg.api_key);
-    }
-
     let policyName = core.getInput("policy");
-    if (confg.use_policy_store) {
-      console.log(`Fetching policy from policy store`);
-      if (confg.api_key === "") {
-        core.warning(
-          "api-key is not set while use-policy-store is true. Defaulting to audit mode."
-        );
-        confg.egress_policy = "audit";
-      } else {
-        try {
-          const repoName = (process.env["GITHUB_REPOSITORY"] || "").split("/")[1] || "";
-          const workflowRef = process.env["GITHUB_WORKFLOW_REF"] || "";
-          const workflow = workflowRef.replace(/.*\.github\/workflows\//, "").replace(/@.*/, "");
-          let result: PolicyResponse | null = await fetchPolicyFromStore(
-            context.repo.owner,
-            repoName,
-            confg.api_key,
-            workflow,
-            confg.run_id,
-            confg.correlation_id
-          );
-          if (result !== null) {
-            core.info(`Policy found: ${result.policy_name || "unnamed"}`);
-            confg = mergeConfigs(confg, result);
-          } else {
-            core.info("No policy found in policy store. Defaulting to audit mode.");
-            confg.egress_policy = "audit";
-          }
-        } catch (err) {
-          core.info(`[!] ${err}`);
-          if (err.statusCode >= 400 && err.statusCode < 500) {
-            core.info("Policy not found in policy store. Defaulting to audit mode.");
-            confg.egress_policy = "audit";
-          } else {
-            core.error(`Unexpected error fetching from policy store: ${err}. Falling back to audit mode.`);
-            confg.egress_policy = "audit";
-          }
-        }
-      }
-    } else if (policyName !== "") {
+    if (policyName !== "") {
       console.log(`Fetching policy from API with name: ${policyName}`);
       try {
         let idToken: string = await core.getIDToken();
@@ -299,46 +242,13 @@ interface MonitorResponse {
     const runnerName = process.env.RUNNER_NAME || "";
     core.info(`RUNNER_NAME: ${runnerName}`);
     if (!isGithubHosted()) {
-      const thirdPartyProvider = detectThirdPartyRunnerProvider();
-      if (thirdPartyProvider) {
-        const providerLabel = thirdPartyProvider.charAt(0).toUpperCase() + thirdPartyProvider.slice(1);
-        if (process.platform !== "linux") {
-          core.info(`Detected ${providerLabel} runner on ${process.platform}. Bravo agent is Linux-only, skipping install.`);
-          return;
-        }
-        core.info(`Detected ${providerLabel} runner environment. Installing agent-bravo.`);
-        confg.correlation_id = runnerName || confg.correlation_id;
-        await callMonitorEndpoint(api_url, confg);
-        await installAgentForBravo(context.repo.owner, confg);
-        return;
-      }
-
       fs.appendFileSync(process.env.GITHUB_STATE, `selfHosted=true${EOL}`, {
         encoding: "utf8",
       });
 
       core.info(common.SELF_HOSTED_RUNNER_MESSAGE);
 
-      const inContainer = isDocker();
-      const alreadyInstalled = isAgentInstalled(process.platform);
-
-      if (shouldDeployAgentOnSelfHosted(confg.deploy_on_self_hosted_vm, inContainer, alreadyInstalled)) {
-        if (process.platform !== "linux") {
-          core.info("deploy-on-self-hosted-vm is only supported on Linux. Skipping agent deployment.");
-        } else {
-          core.info("deploy-on-self-hosted-vm is enabled. Installing agent on self-hosted runner.");
-          await installAgentForSelfHosted(context.repo.owner, confg);
-        }
-      } else {
-        if (confg.deploy_on_self_hosted_vm && inContainer) {
-          core.info("Skipping agent deployment: running inside a container.");
-        }
-        if (confg.deploy_on_self_hosted_vm && alreadyInstalled) {
-          core.info("Agent already installed on self-hosted runner, skipping installation.");
-        }
-      }
-
-      if (confg.egress_policy === "block" && !confg.deploy_on_self_hosted_vm) {
+      if (confg.egress_policy === "block") {
         sendAllowedEndpoints(confg.allowed_endpoints);
         await sleep(5000);
       }
@@ -417,8 +327,7 @@ interface MonitorResponse {
       return;
     }
 
-    const { api_key, use_policy_store, ...agentConfig } = confg;
-    const configStr = JSON.stringify(agentConfig);
+    const configStr = JSON.stringify(confg);
 
     // platform specific
     let statusFile = "";
@@ -493,112 +402,3 @@ export function sleep(ms: number) {
     setTimeout(resolve, ms);
   });
 }
-
-async function callMonitorEndpoint(api_url: string, confg: Configuration) {
-  const _http = new httpm.HttpClient();
-  _http.requestOptions = { socketTimeout: 3 * 1000 };
-  let statusCode: number | undefined;
-  let addSummary = "false";
-  try {
-    const monitorRequestData = {
-      correlation_id: confg.correlation_id,
-      job: process.env["GITHUB_JOB"],
-    };
-    const resp = await _http.postJson<MonitorResponse>(
-      `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`,
-      monitorRequestData
-    );
-    statusCode = resp.statusCode;
-    if (resp.statusCode === 200 && resp.result) {
-      console.log(`Runner IP Address: ${resp.result.runner_ip_address}`);
-      confg.one_time_key = resp.result.one_time_key;
-      addSummary = resp.result.monitoring_started ? "true" : "false";
-    }
-  } catch (e) {
-    console.log(`error in connecting to ${api_url}: ${e}`);
-  }
-  fs.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${statusCode}${EOL}`, { encoding: "utf8" });
-  fs.appendFileSync(process.env.GITHUB_STATE, `addSummary=${addSummary}${EOL}`, { encoding: "utf8" });
-  fs.appendFileSync(process.env.GITHUB_STATE, `correlation_id=${confg.correlation_id}${EOL}`, { encoding: "utf8" });
-}
-
-export async function installAgentForSelfHosted(owner: string, confg: Configuration) {
-  try {
-    console.log("Installing Harden Runner agent for self-hosted runner");
-
-    let isTLS = await isTLSEnabled(owner);
-
-    if (!isTLS) {
-      console.log("TLS is not enabled for this organization. Agent installation skipped for self-hosted runner.");
-      return;
-    }
-
-    const selfHostedConfig = {
-      customer: owner,
-      working_directory: confg.working_directory,
-      api_url: confg.api_url,
-      api_key: uuidv4(),
-      allowed_endpoints: confg.allowed_endpoints,
-      egress_policy: confg.egress_policy,
-      disable_telemetry: confg.disable_telemetry,
-      disable_sudo: confg.disable_sudo,
-      disable_sudo_and_containers: confg.disable_sudo_and_containers,
-      disable_file_monitoring: confg.disable_file_monitoring,
-      is_github_hosted: false,
-    };
-    const selfHostedConfigStr = JSON.stringify(selfHostedConfig);
-
-    cp.execSync("sudo mkdir -p /home/agent");
-    chownForFolder(process.env.USER, "/home/agent");
-
-    const agentInstalled = await installAgent(isTLS, selfHostedConfigStr);
-
-    if (agentInstalled) {
-      const statusFile = "/home/agent/agent.status";
-      const logFile = "/home/agent/agent.log";
-      let counter = 0;
-      while (true) {
-        if (!fs.existsSync(statusFile)) {
-          counter++;
-          if (counter > 30) {
-            console.log("timed out");
-            if (fs.existsSync(logFile)) {
-              const content = fs.readFileSync(logFile, "utf-8");
-              console.log(content);
-            }
-            break;
-          }
-          await sleep(300);
-        } else {
-          const content = fs.readFileSync(statusFile, "utf-8");
-          console.log(content);
-          break;
-        }
-      }
-    }
-  } catch (error) {
-    console.log(`Failed to install agent for self-hosted runner: ${error.message}`);
-  }
-}
-
-export async function installAgentForBravo(owner: string, confg: Configuration) {
-  try {
-    console.log("Installing Harden Runner bravo agent for third-party runner");
-
-    let isTLS = await isTLSEnabled(owner);
-
-    if (!isTLS) {
-      console.log("TLS is not enabled for this organization. Bravo agent installation skipped.");
-      return;
-    }
-
-    const bravoConfigStr = JSON.stringify(buildBravoConfig(confg));
-
-    cp.execSync("sudo mkdir -p /home/agent");
-    chownForFolder(process.env.USER, "/home/agent");
-
-    await installAgentBravo(bravoConfigStr);
-  } catch (error) {
-    console.log(`Failed to install bravo agent: ${error.message}`);
-  }
-}

src/utils.test.ts

@@ -1,158 +0,0 @@
-import { shouldDeployAgentOnSelfHosted, isAgentInstalled, isPlatformSupported, getAnnotationLogs, detectThirdPartyRunnerProvider } from "./utils";
-import * as fs from "fs";
-
-jest.mock("fs", () => ({
-  ...jest.requireActual("fs"),
-  existsSync: jest.fn(),
-}));
-
-const mockedExistsSync = fs.existsSync as jest.MockedFunction<typeof fs.existsSync>;
-
-describe("shouldDeployAgentOnSelfHosted", () => {
-  test("returns true when deploy flag is true, not container, agent not installed", () => {
-    expect(shouldDeployAgentOnSelfHosted(true, false, false)).toBe(true);
-  });
-
-  test("returns false when deploy flag is false", () => {
-    expect(shouldDeployAgentOnSelfHosted(false, false, false)).toBe(false);
-  });
-
-  test("returns false when running in a container", () => {
-    expect(shouldDeployAgentOnSelfHosted(true, true, false)).toBe(false);
-  });
-
-  test("returns false when agent is already installed", () => {
-    expect(shouldDeployAgentOnSelfHosted(true, false, true)).toBe(false);
-  });
-
-  test("returns false when in container and agent installed", () => {
-    expect(shouldDeployAgentOnSelfHosted(true, true, true)).toBe(false);
-  });
-
-  test("returns false when all conditions are negative", () => {
-    expect(shouldDeployAgentOnSelfHosted(false, true, true)).toBe(false);
-  });
-});
-
-describe("isAgentInstalled", () => {
-  afterEach(() => {
-    mockedExistsSync.mockReset();
-  });
-
-  test("returns false for linux when status file does not exist", () => {
-    mockedExistsSync.mockReturnValue(false);
-    expect(isAgentInstalled("linux")).toBe(false);
-    expect(mockedExistsSync).toHaveBeenCalledWith("/home/agent/agent.status");
-  });
-
-  test("returns true for linux when status file exists", () => {
-    mockedExistsSync.mockReturnValue(true);
-    expect(isAgentInstalled("linux")).toBe(true);
-  });
-
-  test("returns false for win32 when status file does not exist", () => {
-    mockedExistsSync.mockReturnValue(false);
-    expect(isAgentInstalled("win32")).toBe(false);
-    expect(mockedExistsSync).toHaveBeenCalledWith("C:\\agent\\agent.status");
-  });
-
-  test("returns false for darwin when status file does not exist", () => {
-    mockedExistsSync.mockReturnValue(false);
-    expect(isAgentInstalled("darwin")).toBe(false);
-    expect(mockedExistsSync).toHaveBeenCalledWith("/opt/step-security/agent.status");
-  });
-
-  test("returns false for unsupported platform", () => {
-    expect(isAgentInstalled("freebsd" as NodeJS.Platform)).toBe(false);
-  });
-});
-
-describe("isPlatformSupported", () => {
-  test("returns true for linux", () => {
-    expect(isPlatformSupported("linux")).toBe(true);
-  });
-
-  test("returns true for win32", () => {
-    expect(isPlatformSupported("win32")).toBe(true);
-  });
-
-  test("returns true for darwin", () => {
-    expect(isPlatformSupported("darwin")).toBe(true);
-  });
-
-  test("returns false for unsupported platform", () => {
-    expect(isPlatformSupported("freebsd" as NodeJS.Platform)).toBe(false);
-  });
-});
-
-describe("getAnnotationLogs", () => {
-  test("throws for unsupported platform", () => {
-    expect(() => getAnnotationLogs("freebsd" as NodeJS.Platform)).toThrow("platform not supported");
-  });
-});
-
-describe("detectThirdPartyRunnerProvider", () => {
-  const originalEnv = process.env;
-
-  beforeEach(() => {
-    process.env = { ...originalEnv };
-    delete process.env.DEPOT_RUNNER;
-    delete process.env.NAMESPACE_GITHUB_RUNTIME;
-    delete process.env.RUNNER_NAME;
-  });
-
-  afterAll(() => {
-    process.env = originalEnv;
-  });
-
-  test("returns depot when DEPOT_RUNNER=1", () => {
-    process.env.DEPOT_RUNNER = "1";
-    expect(detectThirdPartyRunnerProvider()).toBe("depot");
-  });
-
-  test("returns null when DEPOT_RUNNER=0", () => {
-    process.env.DEPOT_RUNNER = "0";
-    expect(detectThirdPartyRunnerProvider()).toBeNull();
-  });
-
-  test("returns namespace when NAMESPACE_GITHUB_RUNTIME is set", () => {
-    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
-    expect(detectThirdPartyRunnerProvider()).toBe("namespace");
-  });
-
-  test("returns warp for RUNNER_NAME prefix warp-", () => {
-    process.env.RUNNER_NAME = "warp-4x-x64-abc";
-    expect(detectThirdPartyRunnerProvider()).toBe("warp");
-  });
-
-  test("returns blacksmith for RUNNER_NAME prefix blacksmith-", () => {
-    process.env.RUNNER_NAME = "blacksmith-01kpj-4vcpu";
-    expect(detectThirdPartyRunnerProvider()).toBe("blacksmith");
-  });
-
-  test("returns null when no env vars match", () => {
-    expect(detectThirdPartyRunnerProvider()).toBeNull();
-  });
-
-  test("returns null for a non-matching RUNNER_NAME", () => {
-    process.env.RUNNER_NAME = "GitHub Actions 1";
-    expect(detectThirdPartyRunnerProvider()).toBeNull();
-  });
-
-  test("depot takes precedence over namespace", () => {
-    process.env.DEPOT_RUNNER = "1";
-    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
-    expect(detectThirdPartyRunnerProvider()).toBe("depot");
-  });
-
-  test("namespace takes precedence over warp runner name prefix", () => {
-    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
-    process.env.RUNNER_NAME = "warp-x";
-    expect(detectThirdPartyRunnerProvider()).toBe("namespace");
-  });
-
-  test("warp takes precedence over blacksmith when both prefixes seen (warp wins on name check order)", () => {
-    process.env.RUNNER_NAME = "warp-x";
-    expect(detectThirdPartyRunnerProvider()).toBe("warp");
-  });
-});

src/utils.ts

@@ -32,25 +32,6 @@ export function isAgentInstalled(platform: NodeJS.Platform) {
   }
 }
 
-export function shouldDeployAgentOnSelfHosted(
-  deployOnSelfHostedVm: boolean,
-  isContainer: boolean,
-  agentAlreadyInstalled: boolean
-): boolean {
-  return deployOnSelfHostedVm && !isContainer && !agentAlreadyInstalled;
-}
-
-export type ThirdPartyRunnerProvider = "depot" | "namespace" | "warp" | "blacksmith";
-
-export function detectThirdPartyRunnerProvider(): ThirdPartyRunnerProvider | null {
-  if (process.env["DEPOT_RUNNER"] === "1") return "depot";
-  if (process.env["NAMESPACE_GITHUB_RUNTIME"]) return "namespace";
-  const runnerName = process.env["RUNNER_NAME"] ?? "";
-  if (runnerName.startsWith("warp-")) return "warp";
-  if (runnerName.startsWith("blacksmith-")) return "blacksmith";
-  return null;
-}
-
 export function getAnnotationLogs(platform: NodeJS.Platform) {
   switch (platform) {
     case "linux":