Merge pull request #667 from step-security/update-agent-v1.8.6

Update agent to v1.8.6

.eslintrc.js

@@ -0,0 +1,33 @@
+module.exports = {
+    "env": {
+        "browser": true,
+        "es2021": true
+    },
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/recommended"
+    ],
+    "overrides": [
+        {
+            "env": {
+                "node": true
+            },
+            "files": [
+                ".eslintrc.{js,cjs}"
+            ],
+            "parserOptions": {
+                "sourceType": "script"
+            }
+        }
+    ],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+        "ecmaVersion": "latest",
+        "sourceType": "module"
+    },
+    "plugins": [
+        "@typescript-eslint"
+    ],
+    "rules": {
+    }
+}

.github/workflows/canary.yml

@@ -22,13 +22,14 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # v1
+    - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v1
       with:
-        allowed-endpoints: 
+        egress-policy: audit
+        allowed-endpoints:
           api.github.com:443
           github.com:443
 
-    - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v2
     - name: Update the rc tag
       uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
       with:
@@ -40,3 +41,9 @@ jobs:
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
+
+    - name: Canary TLS test
+      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      env:
+        PAT: ${{ secrets.PAT }}
+        canary-tls: true

.github/workflows/codeql-analysis.yml

@@ -41,16 +41,16 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Checkout repository
-      uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b398f525a5587552e573b247ac661067fafa920b
+      uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -61,7 +61,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@b398f525a5587552e573b247ac661067fafa920b
+      uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -75,4 +75,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b398f525a5587552e573b247ac661067fafa920b
+      uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,28 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/publish-immutable-action@0.0.4

.github/workflows/recurring-int-tests.yml

@@ -6,14 +6,14 @@ on:
 
 permissions:
   contents: read
-      
+
 jobs:
   int-tests:
     name: int tests
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -22,3 +22,18 @@ jobs:
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
+
+  int-tls-tests:
+    name: int tls tests
+    runs-on: ubuntu-latest
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - name: Canary test
+      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      env:
+        PAT: ${{ secrets.PAT }}
+        canary-tls: true

.github/workflows/release.yml

@@ -25,13 +25,14 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+    - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
       with:
-        allowed-endpoints: 
+        egress-policy: audit
+        allowed-endpoints:
           api.github.com:443
           github.com:443
 
-    - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: Update the rc tag
       uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
       with:

.github/workflows/runs-on.yml

@@ -0,0 +1,179 @@
+name: RunsOn Tests
+
+on: 
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-host-outbound:
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - runner=2cpu-linux-x64
+      - image=ubuntu24-stepsecurity-x64
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@rc
+        with:
+          egress-policy: audit
+          allowed-endpoints: >
+            github.com:443
+            goreleaser.com:443
+            
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+            
+      - name: Run outbound calls from host
+        run: |
+          start_time=$(date +%s)
+          end_time=$((start_time + 90))  # 5 minutes = 300 seconds
+          
+          while [ $(date +%s) -lt $end_time ]; do
+            curl -I https://www.google.com
+            curl -I https://goreleaser.com
+            sleep 10  # wait 10 seconds between calls
+          done
+  
+  test-docker-outbound:
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - runner=2cpu-linux-x64
+      - image=ubuntu24-stepsecurity-x64
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@rc
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            github.com:443
+            goreleaser.com:443
+            production.cloudflare.docker.com:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+            *.docker.io:443
+            security.ubuntu.com:80
+         
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run outbound calls from within Docker container
+        continue-on-error: true
+        run: |
+          # Start the container
+          docker run --rm -d --name test-container ubuntu:latest sleep 90
+          
+          # Install curl in the container
+          docker exec test-container apt-get update
+          docker exec test-container apt-get install -y curl
+          
+          # Print /etc/resolv.conf from the container
+          docker exec test-container cat /etc/resolv.conf
+          
+          # Make outbound calls
+          for i in {1..9}; do
+            docker exec test-container curl -I https://www.google.com
+            docker exec test-container curl -I https://goreleaser.com
+            sleep 10  # wait 10 seconds between calls
+          done
+          
+          # Stop the container
+          docker stop test-container
+
+      
+  test-docker-build-outbound:
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - runner=2cpu-linux-x64
+      - image=ubuntu24-stepsecurity-x64
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@rc
+        with:
+          egress-policy: audit
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            auth.docker.io:443
+            github.com:443
+            goreleaser.com:443
+            production.cloudflare.docker.com:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+            registry-1.docker.io:443
+            security.ubuntu.com:80
+            
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build Docker image and test outbound calls during build
+        continue-on-error: true
+        run: |
+          # Create a Dockerfile that installs curl and makes outbound calls
+          cat <<EOF > Dockerfile
+          FROM ubuntu:latest
+          RUN apt-get update && apt-get install -y curl
+          RUN for i in {1..9}; do curl -I https://www.google.com && curl -I https://goreleaser.com; sleep 10; done
+          EOF
+          
+          # Build the Docker image
+          docker build -t test-image .
+          
+          # Print /etc/resolv.conf from the build container (temporary container used during build)
+          container_id=$(docker create test-image)
+          docker start $container_id
+          docker exec $container_id cat /etc/resolv.conf
+          docker stop $container_id
+          docker rm $container_id
+
+      - name: Print Docker logs with journalctl
+        run: |
+            sudo journalctl -u docker.service --no-pager 
+        shell: bash
+      
+  test-long-running-docker:
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - runner=2cpu-linux-x64
+      - image=ubuntu24-stepsecurity-x64
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@rc
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            auth.docker.io:443
+            github.com:443
+            goreleaser.com:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+            security.ubuntu.com:80
+            
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run long-running Docker container with outbound calls
+        continue-on-error: true
+        run: |
+          # Start the long-running container
+          docker run --rm -d --name long-running-container ubuntu:latest bash -c "
+            apt-get update && apt-get install -y curl && 
+            while true; do 
+              curl -I https://www.google.com; 
+              curl -I https://goreleaser.com; 
+              sleep 10; 
+            done
+          "
+          
+          # Print /etc/resolv.conf from the container
+          docker exec long-running-container cat /etc/resolv.conf
+          
+          # Let the container run for 5 minutes
+          sleep 90
+          
+          # Stop the container
+          docker stop long-running-container
+     
+      

.github/workflows/scorecards.yml

@@ -0,0 +1,67 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    # Weekly on Saturdays.
+    - cron: "30 1 * * 6"
+  push:
+    branches: [main, master]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v3.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v1.1.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # tag=v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # tag=v1.0.26
+        with:
+          sarif_file: results.sarif

.github/workflows/test.yml

@@ -0,0 +1,75 @@
+name: Test
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main # to update code coverage
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}
+jobs:
+  test:
+    permissions:
+      checks: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            api.github.com:443
+            codecov.io:443
+            github.com:443
+            registry.npmjs.org:443
+            storage.googleapis.com:443
+            uploader.codecov.io:443
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install Dependencies
+        run: npm ci
+      - name: Run coverage
+        run: npm test -- --coverage
+      - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+      - name: Publish Test Results
+        uses: step-security/publish-unit-test-result-action@e88bfc6c0dffc68a1067d63526c80c81f248da11 # v2.20.0
+        if: always()
+        with:
+          files: |
+            reports/*.xml
+
+  build-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            github.com:443
+            registry.npmjs.org:443
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install Dependencies
+        run: npm ci
+      - name: Run build
+        run: npm run build
+      - name: Check for changes in dist
+        run: |
+          if [[ `git status --porcelain dist` ]]; then
+            echo "Changes detected in dist directory after build:"
+            git status --porcelain dist
+            git diff dist
+            exit 1
+          else
+            echo "No changes in dist directory - build is clean"
+          fi

.gitignore

@@ -20,6 +20,7 @@ lib-cov
 
 # Coverage directory used by tools like istanbul
 coverage
+reports
 *.lcov
 
 # nyc test coverage
@@ -104,4 +105,4 @@ typings/
 .tern-port
 
 # vscode files
-.vscode
+.vscode

.pre-commit-config.yaml

@@ -0,0 +1,15 @@
+exclude: ^dist/
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/pre-commit/mirrors-eslint
+  rev: v8.38.0
+  hooks:
+  - id: eslint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

README.md

@@ -1,123 +1,197 @@
+<p align="center">
 <picture>
-  <source media="(prefers-color-scheme: light)" srcset="images/banner.png" width="400">
-  <img src="images/banner.png" width="400">
+  <source media="(prefers-color-scheme: light)" srcset="images/harden-runner-new.png" width="400">
+  <img alt="Dark Banner" src="images/harden-runner-new.png" width="400">
 </picture>
+</p>
+
+<div align="center">
 
 [![Maintained by stepsecurity.io](https://img.shields.io/badge/maintained%20by-stepsecurity.io-blueviolet)](https://stepsecurity.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=harden-runner)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/harden-runner/badge)](https://api.securityscorecards.dev/projects/github.com/step-security/harden-runner)
 [![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://raw.githubusercontent.com/step-security/harden-runner/main/LICENSE)
 
+</div>
+
+# Harden-Runner
+
+Corporate laptops and production servers typically have robust security monitoring in place to reduce risk and meet compliance requirements. However, CI/CD runners, which handle sensitive information like secrets for cloud environments and create production builds, often lack such security measures. This oversight has led to significant supply chain attacks, including the SolarWinds and Codecov breaches.
+
+Traditional security monitoring and EDR solutions are ineffective for CI/CD runners due to their ephemeral nature. These tools also lack the necessary context to correlate events with specific workflow runs in a CI/CD environment.
+
+StepSecurity Harden-Runner addresses this gap by providing security monitoring tailored for CI/CD runners, with support for Linux, Windows, and macOS runners. This approach brings CI/CD runners under the same level of security scrutiny as other critical systems, addressing a significant gap in the software supply chain.
+### Harden-Runner: Security Incidents Detected
+
+- [Harden-Runner Detected the Compromised axios npm Package Dropping a Remote Access Trojan](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan) ([backstage/backstage#33693](https://github.com/backstage/backstage/issues/33693), [block/elasticgraph#1103](https://github.com/block/elasticgraph/issues/1103))
+- [Harden-Runner Detected the Trivy Compromise with Malicious v0.69.4 Release](https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release) ([k8gb-io/k8gb#2294](https://github.com/k8gb-io/k8gb/issues/2294))
+- [Harden-Runner Detected the tj-actions/changed-files compromise](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) ([CVE-2025-30066](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3))
+- [Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF’s Backstage Repository](https://www.stepsecurity.io/blog/how-harden-runner-detected-the-sha1-hulud-supply-chain-attack-in-cncfs-backstage-repository)
+- [Harden-Runner Detected the NX Build System compromise](https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware)
+- [Harden-Runner Detected a CI/CD Supply Chain Attack in Google’s Open-Source Project Flank](https://www.stepsecurity.io/case-studies/flank)
+- [Harden-Runner Detected a CI/CD Supply Chain Attack in Microsoft’s Open-Source Project Azure Karpenter Provider in Real-Time](https://www.stepsecurity.io/case-studies/azure-karpenter-provider)
+- [Harden-Runner Detected Anomalous Traffic to api.ipify.org Across Multiple Customers](https://www.stepsecurity.io/blog/harden-runner-detects-anomalous-traffic-to-api-ipify-org-across-multiple-customers)  
+- [Harden-Runner Detected an Unexpected Microsoft Defender Installation on GitHub-Hosted Ubuntu Runners](https://www.stepsecurity.io/blog/how-stepsecurity-harden-runner-detected-unexpected-microsoft-defender-installation-on-github-hosted-ubuntu-runners)
+- [Harden-Runner Flagged an Anomalous Outbound Call, Leading to a Docker Documentation Update](https://www.stepsecurity.io/blog/harden-runner-flags-anomalous-outbound-call-leading-to-docker-documentation-update)
+
+### See It in Action
+Harden-Runner secures over **25 million CI/CD workflow runs every week**, protecting thousands of pipelines, including those from popular open-source projects by **Microsoft, Google, and CISA**. See how top projects are using Harden-Runner and explore the insights:  
+➡️ [Who's using Harden-Runner?](https://docs.stepsecurity.io/whos-using-harden-runner)
+
+## Quick Links
+- [Getting Started Guide](#getting-started)
+- [Why Choose Harden-Runner](#why-choose-harden-runner)
+- [Features and Capabilities](#features)
+- [Case Studies and Trusted Projects](#trusted-by-and-case-studies)
+- [Environment Compatibility Matrix](#environment-compatibility-matrix)
+- [How It Works](docs/how-it-works.md)
+- [Known Limitations](docs/limitations.md)
+- [Join the Discussions](#discussions)
+- [Official Documentation](https://docs.stepsecurity.io/harden-runner)
+
 ---
 
-Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to
+## Introduction
 
-1. Prevent exfiltration of credentials
-2. Detect compromised dependencies and build tools
-3. Detect tampering of source code during build
+Learn how Harden-Runner works through the video below, which shows how it detected the tj-actions/changed-files compromise.  [View the interactive demo here](https://app.storylane.io/share/679y2zgzljov).
 
-<p align="left">
-      <img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/HardenRunnerGIFV.gif" alt="Demo using GIF" >
-    </p>
+<a href="https://www.youtube.com/watch?v=oTAJ7Hy7nPU" target="_blank">
+  <img src="images/case-study.png" alt="Harden-Runner detected the tj-actions/changed-files Breach" title="This case study video shows how StepSecurity Harden-Runner detected the tj-actions/changed-files Breach">
+</a>
 
-## Why
+---
+## Getting Started
 
-Compromised dependencies and build tools typically make outbound calls to exfiltrate data or credentials, or may tamper source code, dependencies, or artifacts during the build.
+This guide walks you through the steps to set up and use Harden-Runner in your CI/CD workflows. For more details, refer to the [official documentation](https://docs.stepsecurity.io/harden-runner).
 
-Harden-Runner GitHub Actions installs a daemon that monitors process, file, and network activity to:
+### **Step 1: Add Harden-Runner to Your Workflow**
 
-| |Countermeasure |Threat|
-|--|----------|----------------|
-|1.| Block outbound calls that are not in the allowed list to prevent exfiltration of credentials |To prevent [Codecov breach](https://github.com/step-security/supply-chain-goat/blob/main/RestrictOutboundTraffic.md) scenario|
-|2.| Detect if source code is being overwritten during the build process to inject a backdoor | To detect [SolarWinds incident scenario](https://github.com/step-security/supply-chain-goat/blob/main/MonitorSourceCode.md)|
-|3.| Detect compromised dependencies that make unexpected outbound network calls | To detect [Dependency confusion](https://github.com/step-security/supply-chain-goat/blob/main/DNSExfiltration.md) and [Malicious dependencies](https://github.com/step-security/supply-chain-goat/blob/main/CompromisedDependency.md)
-
-Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in-github-actions-7b93a9985635) on how Harden-Runner detected malicious packages in the NPM registry.
-
-## How
-
-1. Add `step-security/harden-runner` to your GitHub Actions workflow file as the first step in each job.
+To integrate Harden-Runner, follow these steps:
 
+- Open your GitHub Actions workflow file (e.g., `.github/workflows/<workflow-name>.yml`).
+- Add the following code as the first step in each job:
    ```yaml
    steps:
-     - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+     - name: Harden Runner
+       uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
        with:
          egress-policy: audit
-   ```
 
-2. In the workflow logs, you will see a link to security insights and recommendations.
+**Tip**: Automate this step by pasting your workflow into the [StepSecurity online tool](https://app.stepsecurity.io/secure-workflow)
+<details>
+<summary>Click to view the full Getting Started Guide</summary>
 
-<p align="left">
-  <img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/ActionLog.png" alt="Link in build log" >
-</p>
+### **Step 2: Access Security Insights**
 
-3. Click on the link ([example link](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2265028928)). You will see a process monitor view of what activities happened as part of each step.
+Run your workflow. Once completed:
+- Review the **workflow logs** and the **job markdown summary**.
+- Look for a link to **security insights and recommendations**.
+  <p align="left">
+      <img src="images/buildlog1.png" alt="Link in workflow log" >
+    </p>
+- Click on the provided link (e.g., [example link](https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/7704454287?jobid=20996777560&tab=network-events)) to access the **Process Monitor View**, which displays:
+   - **Network events**: Outbound network calls correlated with each step.
+   - **File events**: File writes tracked during the job.
+     <p align="left">
+      <img src="images/network-events.png" alt="Link in network events" >
+    </p>
 
-<p align="left">
-  <img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/OutboundCalls2.png" alt="Insights from harden-runner" >
-</p>
+</details>
 
-4. Below the insights, you will see the recommended policy. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed. When you use `egress-policy: block` mode, you can also set `disable-telemetry: true` to not send telemetry to the StepSecurity API.
+---
+## Why Choose Harden-Runner?
 
-<p align="left">
-  <img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/RecomPolicy1.png" alt="Policy recommended by harden-runner" >
-</p>
+- **Prevent Exfiltration:** Prevent the exfiltration of CI/CD secrets and source code.
+- **Detect Tampering:** Identify source code modifications during builds.
+- **Anomaly Detection:** Spot unusual dependencies and workflow behaviors.
+- **Simplify Permissions:** Determine the minimum required `GITHUB_TOKEN` permissions.
 
-5. If outbound network call is made to an endpoint not in the allowed list or if source code is tampered, you will see an annotation in the workflow run.
 
-<p align="left">
-  <img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/SourceCodeOverwrite.png" alt="Policy recommended by harden-runner" >
-</p>
+---
 
-## Support for private repositories
+## Features
 
-Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to use Harden-Runner GitHub Action for `Private` repositories.
+Harden-Runner offers a comprehensive suite of features to enhance the security of your CI/CD workflows, available in two tiers: **Community** (Free) and **Enterprise** (Paid).
 
-- If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public.
-- You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it.
-- [Harden Runner App](https://github.com/marketplace/harden-runner-app) only needs `actions: read` permissions on your repositories.
+### Community (Free)
 
-Read this [case study on how Kapiche uses Harden Runner](https://www.stepsecurity.io/case-studies/kapiche/) to improve software supply chain security in their open source and private repositories.
+- **CI/CD-Aware Event Correlation:** Each outbound network connection, file operation, and process execution is mapped to the exact step, job, and workflow where it occurs.
+- **Automated Baseline Creation:** Harden-Runner builds a baseline for each job based on past outbound network connections.
+- **Anomaly Detection:** Once the baseline is created, any future outbound calls not in the baseline trigger a detection.
+- **Block Network Egress Traffic with Domain Allowlist:** Optionally use the automatically created baseline to control outbound network traffic by specifying allowed domains, preventing unauthorized data exfiltration.
+- **Detect Modification of Source Code:** Monitor and alert on unauthorized changes to your source code during the CI/CD pipeline.
 
-## Discussions
+### Enterprise (Paid)
 
-If you have questions or ideas, please use [discussions](https://github.com/step-security/harden-runner/discussions).
+Includes all features in the **Community** tier, plus:
 
-1. [Support for private repositories](https://github.com/step-security/harden-runner/discussions/74)
-2. [Where should allowed-endpoints be stored?](https://github.com/step-security/harden-runner/discussions/84)
-3. [Cryptographically verify tools run as part of the CI/ CD pipeline](https://github.com/step-security/harden-runner/discussions/94)
+- **Support for Private Repositories:** Extend Harden-Runner's security capabilities to your private GitHub repositories.
+- **Support for Self-Hosted Runners:** Apply security controls and monitoring to self-hosted GitHub Actions runners.
+- **GitHub Checks Integration:** Enable GitHub Checks for Harden-Runner—if the baseline remains unchanged, the check passes; if it changes, the check fails, showing new outbound connections.
+- **View Outbound GitHub API calls at the Job Level:** Monitor HTTPS requests to GitHub APIs
+- **Determine Minimum GITHUB_TOKEN Permissions:** Monitor outbound HTTPS requests to GitHub APIs to recommend the least-privilege permissions needed for your workflows, enhancing security by reducing unnecessary access.
+- **View the Name and Path of Every File Written During the Build Process:** Gain visibility into every file written to the build environment, including the ability to correlate file writes with processes, ensuring complete transparency.
+- **View Process Names and Arguments:** Monitor every process executed during the build process, along with its arguments, and navigate the process tree to detect suspicious activities.
+
+For a detailed comparison and more information, please visit our [Pricing Page](https://www.stepsecurity.io/pricing).
+
+Explore the full feature set in the [Features Documentation](https://docs.stepsecurity.io/harden-runner).
+
+---
+
+## Trusted By and Case Studies
+
+Harden-Runner is trusted by over 11,000 leading open-source projects and enterprises, including Microsoft, Google, Kubernetes, and more.
+
+### Trusted by
+
+
+| [![CISA](https://avatars.githubusercontent.com/u/18539691?s=60&v=4)](https://app.stepsecurity.io/github/cisagov/skeleton-generic/actions/runs/9947319332?jobid=27479776091&tab=network-events) | [![Microsoft](https://avatars.githubusercontent.com/u/6154722?s=60&v=4)](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/7587031851) | [![Google](https://avatars.githubusercontent.com/u/2810941?s=60&v=4)](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/7576989995) | [![DataDog](https://avatars.githubusercontent.com/u/365230?s=60&v=4)](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/7446169664) | [![Intel](https://avatars.githubusercontent.com/u/17888862?s=60&v=4)](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/7590975903) | [![Kubernetes](https://avatars.githubusercontent.com/u/36015203?s=60&v=4)](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/7591172950) | [![Node.js](https://avatars.githubusercontent.com/u/9950313?s=60&v=4)](https://app.stepsecurity.io/github/nodejs/node/actions/runs/7591405720) | [![AWS](https://avatars.githubusercontent.com/u/2232217?s=60&v=4)](https://app.stepsecurity.io/github/aws/aperf/actions/runs/7631366761) |
+| --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
+| **CISA**<br>[Explore](https://app.stepsecurity.io/github/cisagov/skeleton-generic/actions/runs/9947319332?jobid=27479776091&tab=network-events)                                                | **Microsoft**<br>[Explore](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/7587031851)                                               | **Google**<br>[Explore](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/7576989995)                                               | **DataDog**<br>[Explore](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/7446169664)                                              | **Intel**<br>[Explore](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/7590975903)                                                | **Kubernetes**<br>[Explore](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/7591172950)                                                | **Node.js**<br>[Explore](https://app.stepsecurity.io/github/nodejs/node/actions/runs/7591405720)                                               | **AWS**<br>[Explore](https://app.stepsecurity.io/github/aws/aperf/actions/runs/7631366761)                                               |
+
+### Enterprise Case Studies
+
+- [How Mercari Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/mercari)
+- [How Omnissa Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/omnissa)
+- [Chainguard Secures GitHub Actions with StepSecurity](https://www.stepsecurity.io/case-studies/chainguard)
+- [How Coveo Strengthened GitHub Actions Security with StepSecurity](https://www.stepsecurity.io/case-studies/coveo)
+- [Hashgraph Achieves Comprehensive CI/CD Security Without Compromising Development Speed](https://www.stepsecurity.io/case-studies/hashgraph)
+
+---
+
+## Environment Compatibility Matrix
+
+Harden-Runner is designed to work seamlessly across a variety of runner environments, providing consistent security insights and protections regardless of where your workflows execute. For self-hosted runners, audit mode is deployed directly to the runner infrastructure without requiring any changes to your existing workflows. For more details, refer to the [official documentation](https://docs.stepsecurity.io/harden-runner).
+
+| Environment Type | Compatibility | Audit Mode Deployment | Workflow Changes for Audit/Block Mode |
+|------------------|---------------|--------------------------|-------------------|
+| GitHub-hosted runners (Linux) | ✅ Full support | Add Harden-Runner Action to workflow | Yes |
+| GitHub-hosted runners (Windows, macOS) | ✅ Audit mode only | Add Harden-Runner Action to workflow | Yes |
+| Self-hosted VM runners | ✅ Full support | Include agent in runner image | No |
+| Self-hosted bare-metal runners | ✅ Full support | Install agent as a service | No |
+| Actions Runner Controller (ARC) | ✅ Full support | Deploy as DaemonSet | No |
+| RunsOn Runners | ✅ Full support | Pre-integrated | No |
+
+## How It Works
+
+Want to know the technical details? Dive into the architecture of Harden-Runner and its integrations for GitHub-hosted and self-hosted runners in our [How Harden-Runner Works Documentation](docs/how-it-works.md).
+
+---
 
 ## Limitations
 
-1. Harden-Runner GitHub Action only works for GitHub-hosted runners. Self-hosted runners are not supported.
-2. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121).
-3. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`.
+While Harden-Runner offers powerful features, there are certain limitations. See the complete list in [Known Limitations](docs/limitations.md).
 
-## Testimonials
+---
 
-> _I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense_ - [Liran Tal](https://stars.github.com/profiles/lirantal/), GitHub Star, and Author of Essential Node.js Security
+## Discussions
 
-> _Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time_ - [Jordan Harband](https://github.com/ljharb), Open Source Maintainer
+Join the conversation! For questions, ideas, or feedback, visit our [Discussions Page](https://github.com/step-security/harden-runner/discussions).
 
-> _Harden runner from Step security is such a nice solution, it is another piece of the puzzle in helping treat the CI environment like production and solving supply chain security. I look forward to seeing it evolve._ - Cam Parry, Staff Site Reliability Engineer, Kapiche
+For enterprise support, email support@stepsecurity.io. Interested in using Harden-Runner in other CI/CD platforms? Reach out to interest@stepsecurity.io.
 
-## Workflows using harden-runner
+---
 
-Some important workflows using harden-runner:
-| |Repository |Link to insights|
-|--|----------|----------------|
-|1.|[nvm-sh/nvm](https://github.com/nvm-sh/nvm/blob/master/.github/workflows/lint.yml)|[Link to insights](https://app.stepsecurity.io/github/nvm-sh/nvm/actions/runs/1757959262)|
-|2.|[yannickcr/eslint-plugin-react](https://github.com/yannickcr/eslint-plugin-react/blob/master/.github/workflows/release.yml)|[Link to insights](https://app.stepsecurity.io/github/yannickcr/eslint-plugin-react/actions/runs/1930818585)
-|3.|[microsoft/msquic](https://github.com/microsoft/msquic/blob/main/.github/workflows/docker-publish.yml)|[Link to insights](https://app.stepsecurity.io/github/microsoft/msquic/actions/runs/1759010243)
-|4.|[ossf/scorecard](https://github.com/ossf/scorecard/blob/main/.github/workflows/codeql-analysis.yml)|[Link to insights](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2006162141)
-|5.|[Automattic/vip-go-mu-plugins](https://github.com/Automattic/vip-go-mu-plugins/blob/master/.github/workflows/e2e.yml)|[Link to insights](https://app.stepsecurity.io/github/Automattic/vip-go-mu-plugins/actions/runs/1758760957)
+## License
 
-## How does it work?
-
-Harden-Runner GitHub Action downloads and installs the StepSecurity Agent.
-
-- The code to monitor file, process, and network activity is in the Agent.
-- The agent is written in Go and is open source at https://github.com/step-security/agent
-- The agent's build is reproducible. You can view the steps to reproduce the build [here](http://app.stepsecurity.io/github/step-security/agent/releases/latest).
-
-## 1-minute Demo Video
-
-https://user-images.githubusercontent.com/25015917/156026587-79356450-9b35-4254-9c2e-7f2cc8d81059.mp4
+Harden-Runner is open source. See the [LICENSE](LICENSE) file for details.

action.yml

@@ -1,5 +1,5 @@
-name: "Harden Runner"
-description: "Security agent for GitHub-hosted runner to monitor the build process"
+name: "Harden-Runner"
+description: "Harden-Runner provides runtime security for GitHub-hosted and self-hosted runners"
 inputs:
   allowed-endpoints:
     description: "Only these endpoints will be allowed if egress-policy is set to block"
@@ -16,11 +16,40 @@ inputs:
     description: "Disable sending telemetry to StepSecurity API, can be set to true or false. This can only be set to true when egress-policy is set to block"
     required: false
     default: "false"
+  disable-sudo:
+    description: "Disable sudo access for the runner account. Note: This parameter will be deprecated in the future. Please use disable-sudo-and-containers instead."
+    required: false
+    default: "false"
+  disable-sudo-and-containers:
+    description: "Disable sudo and container access for the runner account"
+    required: false
+    default: "false"
+  disable-file-monitoring:
+    description: "Disable file monitoring"
+    required: false
+    default: "false"
+  policy:
+    description: "Policy name to be used from the policy store. Requires id-token: write permission."
+    required: false
+    default: ""
+  api-key:
+    description: "StepSecurity API key for authenticating with the policy store. Required when use-policy-store is set to true."
+    required: false
+    default: ""
+  use-policy-store:
+    description: "Set to true to fetch policy from the policy store using the API key. This is the preferred method over the policy input which requires id-token: write permission. Policies can be defined and attached at workflow, repo, org, or cluster (for ARC) level in the policy store. The most granular policy will apply."
+    required: false
+    default: "false"
+  deploy-on-self-hosted-vm:
+    description: "Set to true to deploy the Harden Runner agent directly on a self-hosted runner VM (Linux only). The recommended approach for self-hosted VMs is to bake the agent into the VM image; see docs.stepsecurity.io. Use this option only if baking is not possible, and only for ephemeral runners."
+    required: false
+    default: "false"
+
 branding:
   icon: "check-square"
   color: "green"
 runs:
-  using: "node16"
+  using: "node24"
   pre: "dist/pre/index.js"
   main: "dist/index.js"
   post: "dist/post/index.js"

docs/how-it-works.md

@@ -0,0 +1,20 @@
+## How Harden-Runner Works?
+
+### GitHub-Hosted Runners
+
+For GitHub-hosted runners, Harden-Runner GitHub Action downloads and installs the StepSecurity Agent.
+
+- The code to monitor file, process, and network activity is in the Agent.
+- The community tier agent for Linux is open-source and can be found [here](https://github.com/step-security/agent). The enterprise agent for Linux and agents for Windows and macOS are closed-source.
+
+### Self-Hosted Actions Runner Controller (ARC) Runners
+
+- ARC Harden Runner daemonset uses eBPF
+- You can find more details in this [blog post](https://www.stepsecurity.io/blog/introducing-harden-runner-for-kubernetes-based-self-hosted-actions-runners)
+- ARC Harden Runner is NOT open source.
+
+### Self-Hosted VM Runners (e.g. on EC2)
+
+- For self-hosted VMs, you add the Harden-Runner agent into your runner image (e.g. AMI).
+- You can find more details in this [blog post](https://www.stepsecurity.io/blog/ci-cd-security-for-self-hosted-vm-runners)
+- Agent for self-hosted VMs is NOT open source.

docs/limitations.md

@@ -0,0 +1,8 @@
+## Limitations
+
+### GitHub-Hosted Runners
+* Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) with built-in labels such as `ubuntu-latest`, as it needs sudo access on the Ubuntu VM to run. The limitation is if the entire job is run in a container. However, such jobs can be monitored when using custom VM images with GitHub-hosted runners. This is also not a limitation for Self-Hosted runners.
+
+### Self-Hosted Actions Runner Controller (ARC) Runners
+
+* Since ARC Harden Runner uses eBPF, only Linux jobs are supported. Windows and MacOS jobs are not supported.

jest.config.ts

@@ -0,0 +1,9 @@
+/** @type {import('ts-jest/dist/types').InitialOptionsTsJest} */
+export default {
+  preset: "ts-jest",
+  testEnvironment: "node",
+  reporters: [
+    "default",
+    ["jest-junit", { outputDirectory: "reports", outputName: "report.xml" }],
+  ],
+};

osv-scanner.toml

@@ -0,0 +1,15 @@
+[[IgnoredVulns]]
+id = "GHSA-h5c3-5r3r-rr8q"
+reason = "Untrusted headers are not processed"
+
+[[IgnoredVulns]]
+id = "GHSA-rmvr-2pp2-xj38"
+reason = "Untrusted headers are not processed"
+
+[[IgnoredVulns]]
+id = "GHSA-xx4v-prfh-6cgc"
+reason = "Untrusted headers are not processed"
+
+[[IgnoredVulns]]
+id = "GHSA-g9mf-h72j-4rw9"
+reason = "undici fetch() is only used to call GitHub API; exploitation requires a malicious server"

package.json

@@ -1,14 +1,15 @@
 {
   "name": "step-security-harden-runner",
-  "version": "1.5.0",
-  "description": "Security agent for GitHub-hosted runner to monitor the build process",
+  "version": "2.7.0",
+  "description": "Security agent for GitHub-hosted runner: block egress traffic & detect code overwrite to prevent breaches",
   "main": "index.js",
   "scripts": {
     "build": "npm run main && npm run pre && npm run post",
     "main": "ncc build src/index.ts --source-map",
     "pre": "ncc build src/setup.ts --source-map -o dist/pre",
     "post": "ncc build src/cleanup.ts --source-map -o dist/post",
-    "lint": "eslint src/**/*.ts"
+    "lint": "eslint src/**/*.ts",
+    "test": "jest"
   },
   "repository": {
     "type": "git",
@@ -22,28 +23,31 @@
   },
   "homepage": "https://github.com/step-security/harden-runner#readme",
   "dependencies": {
-    "@actions/cache": "^3.0.4",
+    "@actions/cache": "^4.0.0",
     "@actions/core": "^1.5.0",
     "@actions/exec": "^1.1.0",
-    "@actions/github": "^5.0.0",
+    "@actions/github": "^6.0.1",
     "@actions/http-client": "^2.0.1",
     "@actions/tool-cache": "^1.7.1",
+    "@babel/helpers": "^7.26.10",
     "ansi-regex": ">=5.0.1",
     "is-docker": "^3.0.0",
     "node-fetch": ">=3.2.0",
     "uuid": "^8.3.2"
   },
   "devDependencies": {
-    "@types/jest": "^27.0.1",
+    "@types/jest": "^27.5.2",
     "@types/node": "^16.9.0",
-    "@typescript-eslint/eslint-plugin": "^4.29.2",
-    "@typescript-eslint/parser": "^4.29.2",
-    "@vercel/ncc": "^0.30.0",
+    "@typescript-eslint/eslint-plugin": "^6.1.0",
+    "@typescript-eslint/parser": "^6.1.0",
+    "@vercel/ncc": "^0.38.3",
     "eslint": "^7.32.0",
     "eslint-config-google": "^0.14.0",
-    "jest": ">=27.4.7",
+    "jest": "^29.3.1",
     "jest-junit": ">=13.0.0",
-    "ts-jest": ">=27.1.3",
+    "nock": "^13.3.0",
+    "ts-jest": "^29.0.3",
+    "ts-node": "^10.9.1",
     "typescript": "^4.3.5"
   }
 }

src/arc-runner.test.ts

@@ -0,0 +1,9 @@
+import { isARCRunner } from "./arc-runner";
+
+it("should correctly recognize arc based runner", async () => {
+  process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"] =
+    "actions-runner-controller/2.0.1";
+
+  let isArc: boolean = await isARCRunner();
+  expect(isArc).toBe(true);
+});

src/arc-runner.ts

@@ -0,0 +1,57 @@
+import * as cp from "child_process";
+import * as fs from "fs";
+import path from "path";
+
+export function isARCRunner(): boolean {
+  const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
+
+  let isARC = false;
+
+  if (!runnerUserAgent) {
+    isARC = false;
+  } else {
+    isARC = runnerUserAgent.includes("actions-runner-controller/");
+  }
+
+  return isARC || isSecondaryPod();
+}
+
+function isSecondaryPod(): boolean {
+  const workDir = "/__w";
+  let hasKubeEnv = process.env["KUBERNETES_PORT"] !== undefined;
+  return fs.existsSync(workDir) && hasKubeEnv;
+}
+
+export function sendAllowedEndpoints(endpoints: string): void {
+  const startTime = Date.now();
+  const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
+
+  let sent = 0;
+  for (let endpoint of allowedEndpoints) {
+    endpoint = endpoint.trim();
+    if (endpoint.length > 0) {
+      let encodedEndpoint = Buffer.from(endpoint).toString("base64");
+      let endpointPolicyStr = `step_policy_endpoint_${encodedEndpoint}`;
+      echo(endpointPolicyStr);
+      sent++;
+    }
+  }
+
+  if (sent > 0) {
+    applyPolicy(sent);
+  }
+
+  const duration = Date.now() - startTime;
+  console.log(
+    `[harden-runner] sendAllowedEndpoints completed in ${duration}ms (sent ${sent} endpoints)`
+  );
+}
+
+function applyPolicy(count: number): void {
+  let applyPolicyStr = `step_policy_apply_${count}`;
+  echo(applyPolicyStr);
+}
+
+function echo(content: string) {
+  cp.execFileSync("echo", [content]);
+}

src/bravo-config.test.ts

@@ -0,0 +1,81 @@
+import { buildBravoConfig } from "./bravo-config";
+import { Configuration } from "./interfaces";
+
+const base: Configuration = {
+  repo: "org/repo",
+  run_id: "123",
+  correlation_id: "depot-abc",
+  working_directory: "/w",
+  api_url: "https://int.api.stepsecurity.io/v1",
+  telemetry_url: "https://int.app-api.stepsecurity.io/v1",
+  allowed_endpoints: "github.com:443",
+  egress_policy: "audit",
+  disable_telemetry: false,
+  disable_sudo: false,
+  disable_sudo_and_containers: false,
+  disable_file_monitoring: false,
+  is_github_hosted: false,
+  private: "true" as unknown as string,
+  is_debug: false,
+  one_time_key: "otk-xyz",
+  api_key: "tenant-key",
+  use_policy_store: false,
+  deploy_on_self_hosted_vm: false,
+};
+
+describe("buildBravoConfig", () => {
+  test("forces is_github_hosted=true so agent honors passed correlation_id", () => {
+    expect(buildBravoConfig(base).is_github_hosted).toBe(true);
+  });
+
+  test("omits api_key (agent authenticates via one_time_key, not vm-api-key)", () => {
+    expect(buildBravoConfig(base)).not.toHaveProperty("api_key");
+  });
+
+  test("omits customer (server infers tenant from repo)", () => {
+    expect(buildBravoConfig(base)).not.toHaveProperty("customer");
+  });
+
+  test("omits use_policy_store (action-side concern, not agent)", () => {
+    expect(buildBravoConfig(base)).not.toHaveProperty("use_policy_store");
+  });
+
+  test("forwards telemetry_url so network events hit configured env", () => {
+    expect(buildBravoConfig(base).telemetry_url).toBe(base.telemetry_url);
+  });
+
+  test("forwards one_time_key so agent can auth to presigned URL endpoint", () => {
+    expect(buildBravoConfig(base).one_time_key).toBe("otk-xyz");
+  });
+
+  test("forwards repo, run_id, correlation_id so server can attribute events", () => {
+    const cfg = buildBravoConfig(base);
+    expect(cfg.repo).toBe("org/repo");
+    expect(cfg.run_id).toBe("123");
+    expect(cfg.correlation_id).toBe("depot-abc");
+  });
+
+  test("forwards private flag", () => {
+    expect(buildBravoConfig(base).private).toBe(base.private);
+  });
+
+  test("forwards egress_policy and allowed_endpoints", () => {
+    const cfg = buildBravoConfig(base);
+    expect(cfg.egress_policy).toBe("audit");
+    expect(cfg.allowed_endpoints).toBe("github.com:443");
+  });
+
+  test("forwards disable_* flags", () => {
+    const cfg = buildBravoConfig({
+      ...base,
+      disable_telemetry: true,
+      disable_sudo: true,
+      disable_sudo_and_containers: true,
+      disable_file_monitoring: true,
+    });
+    expect(cfg.disable_telemetry).toBe(true);
+    expect(cfg.disable_sudo).toBe(true);
+    expect(cfg.disable_sudo_and_containers).toBe(true);
+    expect(cfg.disable_file_monitoring).toBe(true);
+  });
+});

src/bravo-config.ts

@@ -0,0 +1,21 @@
+import { Configuration } from "./interfaces";
+
+export function buildBravoConfig(confg: Configuration) {
+  return {
+    repo: confg.repo,
+    run_id: confg.run_id,
+    correlation_id: confg.correlation_id,
+    working_directory: confg.working_directory,
+    api_url: confg.api_url,
+    telemetry_url: confg.telemetry_url,
+    one_time_key: confg.one_time_key,
+    allowed_endpoints: confg.allowed_endpoints,
+    egress_policy: confg.egress_policy,
+    disable_telemetry: confg.disable_telemetry,
+    disable_sudo: confg.disable_sudo,
+    disable_sudo_and_containers: confg.disable_sudo_and_containers,
+    disable_file_monitoring: confg.disable_file_monitoring,
+    private: confg.private,
+    is_github_hosted: true,
+  };
+}

src/cache.ts

@@ -1,98 +1,6 @@
-import * as core from "@actions/core";
-import { HttpClient } from "@actions/http-client";
-import { RequestOptions } from "@actions/http-client/lib/interfaces";
-import { BearerCredentialHandler } from "@actions/http-client/lib/auth";
-import * as crypto from "crypto";
-
-const versionSalt = "1.0";
 export const cacheKey = "harden-runner-cacheKey";
 export const cacheFile = "/home/agent/cache.txt";
 
-function getCacheApiUrl(resource: string): string {
-  const baseUrl: string = process.env["ACTIONS_CACHE_URL"] || "";
-  if (!baseUrl) {
-    throw new Error("Cache Service Url not found, unable to restore cache.");
-  }
-
-  const url = `${baseUrl}_apis/artifactcache/${resource}`;
-  core.debug(`Resource Url: ${url}`);
-  return url;
-}
-
-function createAcceptHeader(type: string, apiVersion: string): string {
-  return `${type};api-version=${apiVersion}`;
-}
-
-function getRequestOptions(): RequestOptions {
-  const token = process.env["ACTIONS_RUNTIME_TOKEN"] || "";
-
-  const requestOptions: RequestOptions = {
-    headers: {
-      Accept: createAcceptHeader("application/json", "6.0-preview.1"),
-      Authorization: `Bearer ${token}`,
-    },
-  };
-
-  return requestOptions;
-}
-
-function createHttpClient(): HttpClient {
-  const token = process.env["ACTIONS_RUNTIME_TOKEN"] || "";
-  const bhandler = new BearerCredentialHandler(token);
-  return new HttpClient("actions/cache", [bhandler], getRequestOptions());
-}
-
-export function getCacheVersion(
-  paths: string[],
-  compressionMethod?: CompressionMethod
-): string {
-  const components = paths.concat(
-    !compressionMethod || compressionMethod === CompressionMethod.Gzip
-      ? []
-      : [compressionMethod]
-  );
-
-  // Add salt to cache version to support breaking changes in cache entry
-  components.push(versionSalt);
-
-  return crypto.createHash("sha256").update(components.join("|")).digest("hex");
-}
-
-export async function getCacheEntry(
-  keys: string[],
-  paths: string[],
-  options?: InternalCacheOptions
-): Promise<ArtifactCacheEntry | null> {
-  const httpClient = createHttpClient();
-  const version = getCacheVersion(paths, options?.compressionMethod);
-  const resource = `cache?keys=${encodeURIComponent(
-    keys.join(",")
-  )}&version=${version}`;
-
-  const response = await httpClient.getJson<ArtifactCacheEntry>(
-    getCacheApiUrl(resource)
-  );
-  if (response.statusCode === 204) {
-    throw new Error("Request returned 204 status");
-  }
-  if (!isSuccessStatusCode(response.statusCode)) {
-    throw new Error(`Cache service responded with ${response.statusCode}`);
-  }
-
-  const cacheResult = response.result;
-  const cacheDownloadUrl = cacheResult?.archiveLocation;
-  if (!cacheDownloadUrl) {
-    throw new Error("Cache still be done, but  not found.");
-  }
-
-  return cacheResult;
-}
-
-export interface InternalCacheOptions {
-  compressionMethod?: CompressionMethod;
-  cacheSize?: number;
-}
-
 export interface ArtifactCacheEntry {
   cacheKey?: string;
   scope?: string;
@@ -100,13 +8,6 @@ export interface ArtifactCacheEntry {
   archiveLocation?: string;
 }
 
-function isSuccessStatusCode(statusCode?: number): boolean {
-  if (!statusCode) {
-    return false;
-  }
-  return statusCode >= 200 && statusCode < 300;
-}
-
 export enum CompressionMethod {
   Gzip = "gzip",
   // Long range mode was added to zstd in v1.3.2.
@@ -118,4 +19,4 @@ export enum CompressionMethod {
 const RefKey = "GITHUB_REF";
 export function isValidEvent(): boolean {
   return RefKey in process.env && Boolean(process.env[RefKey]);
-}
+}

src/checksum.test.ts

@@ -0,0 +1,98 @@
+import * as fs from "fs";
+import * as crypto from "crypto";
+import * as core from "@actions/core";
+import { verifyChecksum, CHECKSUMS } from "./checksum";
+
+jest.mock("fs", () => ({
+  ...jest.requireActual("fs"),
+  readFileSync: jest.fn(),
+}));
+jest.mock("crypto", () => ({
+  ...jest.requireActual("crypto"),
+  createHash: jest.fn(),
+}));
+jest.mock("@actions/core");
+
+const mockReadFile = fs.readFileSync as jest.MockedFunction<typeof fs.readFileSync>;
+const mockSetFailed = core.setFailed as jest.MockedFunction<typeof core.setFailed>;
+const mockCreateHash = crypto.createHash as jest.MockedFunction<typeof crypto.createHash>;
+
+function stubHash(hash: string) {
+  mockCreateHash.mockReturnValue({
+    update: jest.fn().mockReturnThis(),
+    digest: jest.fn().mockReturnValue(hash),
+  } as unknown as crypto.Hash);
+}
+
+const WRONG_HASH = "0".repeat(64);
+
+describe("verifyChecksum", () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockReadFile.mockReturnValue(Buffer.from("test-payload"));
+  });
+
+  describe("agentType=bravo", () => {
+    test("passes with matching bravo amd64 checksum", () => {
+      stubHash(CHECKSUMS.bravo.amd64);
+      expect(verifyChecksum("/tmp/f", true, "amd64", "linux", "bravo")).toBe(true);
+      expect(mockSetFailed).not.toHaveBeenCalled();
+    });
+
+    test("passes with matching bravo arm64 checksum", () => {
+      stubHash(CHECKSUMS.bravo.arm64);
+      expect(verifyChecksum("/tmp/f", true, "arm64", "linux", "bravo")).toBe(true);
+    });
+
+    test("uses bravo checksum even when isTLS=false", () => {
+      stubHash(CHECKSUMS.bravo.amd64);
+      expect(verifyChecksum("/tmp/f", false, "amd64", "linux", "bravo")).toBe(true);
+    });
+
+    test("fails on mismatched bravo checksum", () => {
+      stubHash(WRONG_HASH);
+      expect(verifyChecksum("/tmp/f", true, "amd64", "linux", "bravo")).toBe(false);
+      expect(mockSetFailed).toHaveBeenCalled();
+    });
+  });
+
+  describe("agentType default (omitted)", () => {
+    test("uses TLS checksum when isTLS=true", () => {
+      stubHash(CHECKSUMS.tls.amd64);
+      expect(verifyChecksum("/tmp/f", true, "amd64", "linux")).toBe(true);
+    });
+
+    test("uses non_tls checksum when isTLS=false", () => {
+      stubHash(CHECKSUMS.non_tls.amd64);
+      expect(verifyChecksum("/tmp/f", false, "amd64", "linux")).toBe(true);
+    });
+
+    test("TLS mismatch fails", () => {
+      stubHash(CHECKSUMS.bravo.amd64);
+      expect(verifyChecksum("/tmp/f", true, "amd64", "linux")).toBe(false);
+      expect(mockSetFailed).toHaveBeenCalled();
+    });
+  });
+
+  describe("darwin", () => {
+    test("passes with matching darwin checksum", () => {
+      stubHash(CHECKSUMS.darwin);
+      expect(verifyChecksum("/tmp/f", false, "", "darwin")).toBe(true);
+    });
+  });
+
+  describe("win32", () => {
+    test("passes with matching windows amd64 checksum", () => {
+      stubHash(CHECKSUMS.windows.amd64);
+      expect(verifyChecksum("/tmp/f", false, "amd64", "win32")).toBe(true);
+    });
+  });
+
+  describe("unsupported platform", () => {
+    test("returns false without calling setFailed", () => {
+      stubHash(CHECKSUMS.bravo.amd64);
+      expect(verifyChecksum("/tmp/f", true, "amd64", "freebsd")).toBe(false);
+      expect(mockSetFailed).not.toHaveBeenCalled();
+    });
+  });
+});

src/checksum.ts

@@ -2,21 +2,68 @@ import * as core from "@actions/core";
 import * as crypto from "crypto";
 import * as fs from "fs";
 
-export function verifyChecksum(downloadPath: string) {
+export const CHECKSUMS = {
+  tls: {
+    amd64: "d58a9c1c5245155ce4c71507a61e213a29925a7c39c0d20bfd00bef0d281bdbb", // v1.8.6
+    arm64: "084fa95e74d17321dd1c37c93abeb8577e53ddf5266410e19f52aa79a02ae33e",
+  },
+  non_tls: {
+    amd64: "e38de61e1afd98dd339bb9acce4996183875d482be1638fb198ab02b3e25bbef", // v0.16.0
+  },
+  bravo: {
+    amd64: "495f607a891d89f12214849301f247bdca565afe67deb170fe7e5d6d361852ca", // v1.8.6
+    arm64: "f96f66ab946097aae1fc887e12fe1cefcc5d510bce179221c7185374e4adf538",
+  },
+  darwin: "fe26a1f6af4afe9f1a854d8633832f5d18ab542827003cae445b3a64021d612c", // v0.0.5
+  windows: {
+    amd64: "93f1e5d87c6647e6eca7963d5f4b4bd73107029430f8e6945ffece93007a89f5", // v1.0.2
+  },
+};
+
+// verifyChecksum returns true if checksum is valid
+export function verifyChecksum(
+  downloadPath: string,
+  isTLS: boolean,
+  variant: string,
+  platform: string,
+  agentType: "default" | "bravo" = "default"
+) {
   const fileBuffer: Buffer = fs.readFileSync(downloadPath);
   const checksum: string = crypto
     .createHash("sha256")
     .update(fileBuffer)
     .digest("hex"); // checksum of downloaded file
 
-  const expectedChecksum: string =
-    "7027c15a988395f3dde5e77d9a58889669adbda52fbd527ae8216e6d81dd8b1a"; // checksum for v0.11.0
+  let expectedChecksum: string = "";
+
+  switch (platform) {
+    case "linux":
+      if (agentType === "bravo") {
+        expectedChecksum = CHECKSUMS["bravo"][variant];
+      } else {
+        expectedChecksum = isTLS
+          ? CHECKSUMS["tls"][variant]
+          : CHECKSUMS["non_tls"][variant];
+      }
+      break;
+    case "darwin":
+      expectedChecksum = CHECKSUMS["darwin"];
+      break;
+    case "win32":
+      expectedChecksum = CHECKSUMS["windows"][variant];
+      break;
+    default:
+      console.log(`Unsupported platform: ${platform}`);
+      return false;
+  }
 
   if (checksum !== expectedChecksum) {
     core.setFailed(
-      `Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
+      `❌ Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
     );
+    return false;
   }
 
-  core.debug("Checksum verification passed.");
+  core.info(`✅ Checksum verification passed. checksum=${checksum}`);
+  return true;
 }

src/cleanup.ts

@@ -1,29 +1,131 @@
 import * as fs from "fs";
-import * as cp from "child_process";
-import * as core from "@actions/core";
 import * as common from "./common";
+import * as cp from "child_process";
+import * as path from "path";
 import isDocker from "is-docker";
-import * as cache from "@actions/cache";
-import { cacheFile, cacheKey, isValidEvent } from "./cache";
-import path from "path";
+import { isARCRunner } from "./arc-runner";
+import { isGithubHosted } from "./tls-inspect";
+import { context } from "@actions/github";
+import { isPlatformSupported, isAgentInstalled, detectThirdPartyRunnerProvider } from "./utils";
 
 (async () => {
-  if (process.platform !== "linux") {
-    console.log(common.UBUNTU_MESSAGE);
+  console.log("[harden-runner] post-step");
+
+  const customProperties = context?.payload?.repository?.custom_properties || {};
+  if (customProperties["skip-harden-runner"] === "true") {
+    console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
     return;
   }
-  if (isDocker()) {
+
+  if (!isPlatformSupported(process.platform)) {
+    console.log(common.UNSUPPORTED_RUNNER_MESSAGE);
+    return;
+  }
+  if (isGithubHosted() && isDocker()) {
     console.log(common.CONTAINER_MESSAGE);
     return;
   }
 
+  if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
+    console.log(common.UBUNTU_SLIM_MESSAGE);
+    return;
+  }
+
+  if (isARCRunner()) {
+    console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
+    return;
+  }
+
+  const thirdPartyProvider = detectThirdPartyRunnerProvider();
+
+  if (process.env.STATE_selfHosted === "true") {
+    return;
+  }
+
+  if (process.env.STATE_customVMImage === "true") {
+    return;
+  }
+
+  if (
+    String(process.env.STATE_monitorStatusCode) ===
+    common.STATUS_HARDEN_RUNNER_UNAVAILABLE
+  ) {
+    console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
+    return;
+  }
+
+  switch (process.platform) {
+    case "linux":
+      if (thirdPartyProvider) {
+        await handleAgentBravoCleanup();
+      } else {
+        await handleLinuxCleanup();
+      }
+      break;
+    case "win32":
+      await handleWindowsCleanup();
+      break;
+    case "darwin":
+      await handleMacosCleanup();
+      break;
+  }
+
+  try {
+    await common.addSummary();
+  } catch (exception) {
+    console.log(exception);
+  }
+})();
+
+async function handleAgentBravoCleanup() {
+  cp.execFileSync("/usr/bin/echo", ["step_policy_jobend"]);
+
+  const doneFile = "/home/agent/done.json";
+  let counter = 0;
+  while (true) {
+    if (!fs.existsSync(doneFile)) {
+      counter++;
+      if (counter > 10) {
+        console.log("timed out");
+        break;
+      }
+      await sleep(1000);
+    } else {
+      console.log(fs.readFileSync(doneFile, "utf-8"));
+      break;
+    }
+  }
+
+  const log = "/home/agent/agent.log";
+  if (fs.existsSync(log)) {
+    console.log("log:");
+    console.log(fs.readFileSync(log, "utf-8"));
+  }
+
+  const status = "/home/agent/agent.status";
+  if (fs.existsSync(status)) {
+    console.log("status:");
+    console.log(fs.readFileSync(status, "utf-8"));
+  }
+}
+
+async function handleLinuxCleanup() {
+  if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
+    return;
+  }
+
+  if (isGithubHosted() && fs.existsSync("/home/agent/post_event.json")) {
+    console.log("Post step already executed, skipping");
+    return;
+  }
+
   fs.writeFileSync(
     "/home/agent/post_event.json",
     JSON.stringify({ event: "post" })
   );
 
-  var doneFile = "/home/agent/done.json";
-  var counter = 0;
+  const doneFile = "/home/agent/done.json";
+  let counter = 0;
   while (true) {
     if (!fs.existsSync(doneFile)) {
       counter++;
@@ -33,19 +135,26 @@ import path from "path";
         break;
       }
       await sleep(1000);
-    } // The file *does* exist
-    else {
+    } else {
+      // The file *does* exist
       break;
     }
   }
 
-  var log = "/home/agent/agent.log";
+  const log = "/home/agent/agent.log";
   if (fs.existsSync(log)) {
     console.log("log:");
     var content = fs.readFileSync(log, "utf-8");
     console.log(content);
   }
 
+  const daemonLog = "/home/agent/daemon.log";
+  if (fs.existsSync(daemonLog)) {
+    console.log("daemonLog:");
+    var content = fs.readFileSync(daemonLog, "utf-8");
+    console.log(content);
+  }
+
   var status = "/home/agent/agent.status";
   if (fs.existsSync(status)) {
     console.log("status:");
@@ -53,34 +162,185 @@ import path from "path";
     console.log(content);
   }
 
-  // write annotations
-  var annotationsFile = "/home/agent/annotation.log";
-  if (fs.existsSync(annotationsFile)) {
-    var content = fs.readFileSync(annotationsFile, "utf-8");
-    content.split(/\r?\n/).forEach((line) => {
-      core.error(line);
-    });
-  }
+  var disable_sudo = process.env.STATE_disableSudo;
+  var disable_sudo_and_containers = process.env.STATE_disableSudoAndContainers;
 
-  // Always log the service log
-  var journalLog = cp.execSync("sudo journalctl -u agent.service", {
-    encoding: "utf8",
-  });
-  console.log("Service log:");
-  console.log(journalLog);
-
-  if (isValidEvent()) {
+  if (disable_sudo !== "true" && disable_sudo_and_containers !== "true") {
     try {
-      const cmd = "cp";
-      const args = [path.join(__dirname, "cache.txt"), cacheFile];
-      cp.execFileSync(cmd, args);
-      const cacheResult = await cache.saveCache([cacheFile], cacheKey);
-      console.log(cacheResult);
-    } catch (exception) {
-      console.log(exception);
+      var journalLog = cp.execSync(
+        "sudo journalctl -u agent.service --lines=1000",
+        {
+          encoding: "utf8",
+          maxBuffer: 1024 * 1024 * 10, // 10MB buffer
+        }
+      );
+      console.log("agent.service log:");
+      console.log(journalLog);
+    } catch (error) {
+      console.log("Warning: Could not fetch service logs:", error.message);
     }
   }
-})();
+}
+
+async function handleMacosCleanup() {
+  const post_event = "/opt/step-security/post_event.json";
+
+  if (isGithubHosted() && fs.existsSync(post_event)) {
+    console.log("Post step already executed, skipping");
+    return;
+  }
+
+  fs.writeFileSync(post_event, JSON.stringify({ event: "post" }));
+
+  // if agent is installed; wait for it to create done.json
+  if (isAgentInstalled(process.platform)) {
+    let macDone = "/opt/step-security/done.json";
+    let counter = 0;
+    while (true) {
+      if (!fs.existsSync(macDone)) {
+        counter++;
+        if (counter > 10) {
+          console.log("timed out");
+          break;
+        }
+        await sleep(1000);
+      } else {
+        // The file *does* exist
+        break;
+      }
+    }
+  }
+
+  let macAgentLog = "/opt/step-security/agent.log";
+  if (fs.existsSync(macAgentLog)) {
+    console.log("macAgentLog:");
+    var content = fs.readFileSync(macAgentLog, "utf-8");
+    console.log(content);
+  } else {
+    console.log("😭 macos agent.log file not found");
+  }
+
+  // Capture system log stream for harden-runner subsystem
+  try {
+    console.log("\nSystem log stream for io.stepsecurity.harden-runner:");
+    const logStreamOutput = cp.execSync(
+      "log show --predicate 'subsystem == \"io.stepsecurity.harden-runner\"' --info --last 10m",
+      {
+        encoding: "utf8",
+        maxBuffer: 1024 * 1024 * 10, // 10MB buffer
+        timeout: 5000, // 5 seconds timeout
+      }
+    );
+    console.log(logStreamOutput);
+  } catch (error) {
+    console.log("Warning: Could not fetch system log stream:", error.message);
+  }
+}
+
+async function handleWindowsCleanup() {
+  // windows cleanup
+  const agentDir = process.env.STATE_agentDir || "C:\\agent";
+  const postEventFile = path.join(agentDir, "post_event.json");
+
+  if (isGithubHosted() && fs.existsSync(postEventFile)) {
+    console.log("Windows post step already executed, skipping");
+    return;
+  }
+
+  if (process.arch === "arm64") {
+    console.log(common.ARM64_WINDOWS_RUNNER_MESSAGE);
+    return;
+  }
+
+  const p = cp.spawn(
+    "powershell.exe",
+    [
+      "-NoProfile",
+      "-NonInteractive",
+      "-Command",
+      "query user; exit $LASTEXITCODE",
+    ],
+    { stdio: ["ignore", "pipe", "pipe"], shell: false, windowsHide: true }
+  );
+  p.unref();
+
+  fs.writeFileSync(postEventFile, JSON.stringify({ event: "post" }));
+
+  // if agent is installed; wait for it to create done.json
+  if (isAgentInstalled(process.platform)) {
+    const doneFile = path.join(agentDir, "done.json");
+    let counter = 0;
+    while (true) {
+      if (!fs.existsSync(doneFile)) {
+        counter++;
+        if (counter > 10) {
+          console.log("timed out");
+          break;
+        }
+        await sleep(1000);
+      } else {
+        break;
+      }
+    }
+  }
+
+  console.log("stopping windows agent process...");
+  const pidFile = path.join(agentDir, "agent.pid");
+
+  try {
+    if (!fs.existsSync(pidFile)) {
+      console.log("PID file not found. Agent may not be running.");
+      return;
+    }
+
+    const pid = parseInt(fs.readFileSync(pidFile, "utf8").trim());
+    console.log(`agent PID from file: ${pid}`);
+
+    try {
+      process.kill(pid, 0); // signal 0 just checks if process exists
+    } catch {
+      console.log("agent process not running.");
+      fs.unlinkSync(pidFile);
+      return;
+    }
+
+    console.log(`stopping agent process (PID: ${pid})...`);
+    process.kill(pid, "SIGINT");
+
+    let gracefulShutdown = false;
+    for (let i = 0; i < 10; i++) {
+      await sleep(1000);
+
+      try {
+        process.kill(pid, 0); // check if still exists
+      } catch {
+        gracefulShutdown = true;
+        console.log("agent process stopped gracefully");
+        break;
+      }
+    }
+
+    if (!gracefulShutdown) {
+      console.log("graceful shutdown timeout (10s), forcing termination...");
+      process.kill(pid, "SIGKILL");
+      console.log("agent process terminated forcefully");
+    }
+
+    if (fs.existsSync(pidFile)) {
+      fs.unlinkSync(pidFile);
+      console.log("PID file cleaned up");
+    }
+  } catch (error) {
+    console.log("warning: error stopping agent process:", error.message);
+  }
+
+  const log = path.join(agentDir, "agent.log");
+  if (fs.existsSync(log)) {
+    console.log("agent log:");
+    const content = fs.readFileSync(log, "utf-8");
+    console.log(content);
+  }
+}
 
 function sleep(ms) {
   return new Promise((resolve) => {

src/common.test.ts

@@ -0,0 +1,28 @@
+import { processLogLine } from "./common"; // import the function
+
+describe("processLogLine function", () => {
+  it("correctly processes the log line and adds an entry to the array", () => {
+    const tableEntries: {
+      pid: string;
+      process: string;
+      domain: string;
+      ipAddress: string;
+      status: string;
+    }[] = [];
+    const logLine =
+      "Thu, 15 Jun 2023 05:35:29 GMT:endpoint called ip address:port 104.16.24.35:443, domain: registry.npmjs.org., pid: 2135, process: node.";
+
+    processLogLine(logLine, tableEntries);
+
+    // Check if a single entry is added to the array
+    expect(tableEntries.length).toBe(1);
+
+    // Check if the entry's properties are set correctly
+    const entry = tableEntries[0];
+    expect(entry.pid).toBe("2135");
+    expect(entry.process).toBe("node");
+    expect(entry.domain).toBe("registry.npmjs.org.");
+    expect(entry.ipAddress).toBe("104.16.24.35:443");
+    expect(entry.status).toBe("✅ Allowed"); // Since the IP address is not '54.185.253.63', status should be '✔️ Allowed'
+  });
+});

src/common.ts

@@ -1,3 +1,7 @@
+import * as core from "@actions/core";
+import { STEPSECURITY_API_URL, STEPSECURITY_WEB_URL } from "./configs";
+import { getAnnotationLogs } from "./utils";
+
 export function printInfo(web_url) {
   console.log(
     "\x1b[32m%s\x1b[0m",
@@ -9,8 +13,141 @@ export function printInfo(web_url) {
   );
 }
 
-export const CONTAINER_MESSAGE =
-  "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
+export const processLogLine = (
+  line: string,
+  tableEntries: {
+    pid: string;
+    process: string;
+    domain: string;
+    ipAddress: string;
+    status: string;
+  }[]
+): void => {
+  if (
+    line.includes("pid") &&
+    line.includes("process") &&
+    line.includes("domain") &&
+    line.includes("ip address")
+  ) {
+    const matches = line.match(
+      /ip address:port ([\d.:]+), domain: ([\w.-]+), pid: (\d+), process: (\w+)/
+    );
+    if (matches) {
+      const [ipAddress, domain, pid, process] = matches.slice(1);
 
-export const UBUNTU_MESSAGE =
-  "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
+      // Check if all values are non-empty and domain does not end with specified patterns
+      if (
+        pid &&
+        process &&
+        domain &&
+        ipAddress &&
+        !domain.endsWith(".actions.githubusercontent.com.") &&
+        !domain.endsWith(".blob.core.windows.net.")
+      ) {
+        const status = ipAddress.startsWith("54.185.253.63")
+          ? "❌ Blocked"
+          : "✅ Allowed";
+
+        tableEntries.push({ pid, process, domain, ipAddress, status });
+      }
+    }
+  }
+};
+
+export async function addSummary() {
+  if (process.env.STATE_addSummary !== "true") {
+    return;
+  }
+
+  const correlation_id = process.env.STATE_correlation_id;
+  if (!correlation_id) {
+    return;
+  }
+
+
+  let needsSubscription = false;
+  try {
+    let data = getAnnotationLogs(process.platform);
+    if (
+      data !== undefined &&
+      data.includes("StepSecurity Harden Runner is disabled")
+    ) {
+      needsSubscription = true;
+    }
+  } catch (err) {
+    //console.error(err);
+  }
+
+  if (needsSubscription) {
+    await core.summary
+      .addSeparator()
+      .addRaw(
+        `<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`
+      );
+
+    await core.summary
+      .addRaw(
+        `
+<p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
+<p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
+`
+      )
+      .addSeparator()
+      .write();
+    return;
+  }
+
+  // Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
+  const [owner, repo] = process.env["GITHUB_REPOSITORY"]?.split("/") || [];
+  const run_id = process.env["GITHUB_RUN_ID"];
+
+  if (!owner || !repo || !run_id || !correlation_id) {
+    return;
+  }
+
+  // Fetch job summary from API
+  const apiUrl = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
+
+  try {
+    const response = await fetch(apiUrl);
+    if (!response.ok) {
+      console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
+      return;
+    }
+
+    const markdownSummary = await response.text();
+
+    // Render the markdown summary using core.summary.addRaw
+    await core.summary.addRaw(markdownSummary).write();
+    return;
+  } catch (error) {
+    console.error(`Error fetching job summary: ${error}`);
+    return;
+  }
+}
+
+export const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
+
+export const CONTAINER_MESSAGE =
+  "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
+
+export const UNSUPPORTED_RUNNER_MESSAGE =
+  "This job is not running in a GitHub Actions Hosted Runner. Harden Runner is only supported on GitHub-hosted runners (Ubuntu, Windows, and macOS). This job will not be monitored.";
+
+export const SELF_HOSTED_RUNNER_MESSAGE =
+  "This job is running on a self-hosted runner.";
+
+export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
+  "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
+
+export const ARC_RUNNER_MESSAGE =
+  "Workflow is currently being executed in ARC based runner.";
+
+export const ARM64_RUNNER_MESSAGE =
+  "ARM runners are not supported in the Harden-Runner community tier.";
+
+export const ARM64_WINDOWS_RUNNER_MESSAGE =
+  "Windows ARM runners are not yet supported by Harden-Runner.";
+
+export const UBUNTU_SLIM_MESSAGE =
+  "This job is running on an ubuntu-slim runner. Harden Runner is not supported on ubuntu-slim runners. This job will not be monitored.";

src/configs.ts

@@ -0,0 +1,8 @@
+export const STEPSECURITY_ENV = "agent"; // agent or int
+
+export const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
+
+export const STEPSECURITY_TELEMETRY_URL =
+  "https://prod.app-api.stepsecurity.io/v1";
+
+export const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";

src/index.ts

@@ -1,17 +1,41 @@
 import * as common from "./common";
 import * as core from "@actions/core";
 import isDocker from "is-docker";
+import { STEPSECURITY_WEB_URL } from "./configs";
+import { isGithubHosted } from "./tls-inspect";
+import { context } from "@actions/github";
+import { isPlatformSupported } from "./utils";
 
 (async () => {
-  if (process.platform !== "linux") {
-    console.log(common.UBUNTU_MESSAGE);
+  console.log("[harden-runner] main-step");
+
+  const customProperties = context?.payload?.repository?.custom_properties || {};
+  if (customProperties["skip-harden-runner"] === "true") {
+    console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
     return;
   }
-  if (isDocker()) {
+
+  if (!isPlatformSupported(process.platform)) {
+    console.log(common.UNSUPPORTED_RUNNER_MESSAGE);
+    return;
+  }
+  if (isGithubHosted() && isDocker()) {
     console.log(common.CONTAINER_MESSAGE);
     return;
   }
 
+  if (
+    String(process.env.STATE_monitorStatusCode) ===
+    common.STATUS_HARDEN_RUNNER_UNAVAILABLE
+  ) {
+    console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
+    return;
+  }
+
+  if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
+    return;
+  }
+
   if (
     core.getBooleanInput("disable-telemetry") &&
     core.getInput("egress-policy") === "block"
@@ -20,7 +44,7 @@ import isDocker from "is-docker";
       "Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true"
     );
   } else {
-    var web_url = "https://app.stepsecurity.io";
+    var web_url = STEPSECURITY_WEB_URL;
     common.printInfo(web_url);
   }
 })();

src/install-agent.ts

@@ -0,0 +1,278 @@
+import * as tc from "@actions/tool-cache";
+import * as core from "@actions/core";
+import * as cp from "child_process";
+import * as path from "path";
+import * as fs from "fs";
+import { verifyChecksum } from "./checksum";
+import { EOL } from "os";
+import { ARM64_RUNNER_MESSAGE, ARM64_WINDOWS_RUNNER_MESSAGE } from "./common";
+import { chownForFolder } from "./utils";
+
+export async function installAgent(
+  isTLS: boolean,
+  configStr: string
+): Promise<boolean> {
+  // Note: to avoid github rate limiting
+  const token = core.getInput("token", { required: true });
+  const auth = `token ${token}`;
+
+  const variant = process.arch === "x64" ? "amd64" : "arm64";
+
+  let downloadPath: string;
+
+  fs.appendFileSync(process.env.GITHUB_STATE, `isTLS=${isTLS}${EOL}`, {
+    encoding: "utf8",
+  });
+
+  if (isTLS) {
+    downloadPath = await tc.downloadTool(
+      `https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner_1.8.6_linux_${variant}.tar.gz`,
+      undefined,
+      auth
+    );
+  } else {
+    if (variant === "arm64") {
+      console.log(ARM64_RUNNER_MESSAGE);
+      return false;
+    }
+    downloadPath = await tc.downloadTool(
+      "https://github.com/step-security/agent/releases/download/v0.16.0/agent_0.16.0_linux_amd64.tar.gz",
+      undefined,
+      auth
+    );
+  }
+
+  if (!verifyChecksum(downloadPath, isTLS, variant, "linux")) {
+    return false;
+  }
+
+  const extractPath = await tc.extractTar(downloadPath);
+
+  let cmd = "cp",
+    args = [path.join(extractPath, "agent"), "/home/agent/agent"];
+
+  cp.execFileSync(cmd, args);
+
+  cp.execSync("chmod +x /home/agent/agent");
+
+  fs.writeFileSync("/home/agent/agent.json", configStr);
+
+  cmd = "sudo";
+  args = [
+    "cp",
+    path.join(__dirname, "agent.service"),
+    "/etc/systemd/system/agent.service",
+  ];
+  cp.execFileSync(cmd, args);
+  cp.execSync("sudo systemctl daemon-reload");
+  cp.execSync("sudo service agent start", { timeout: 15000 });
+  return true;
+}
+
+export async function installAgentBravo(configStr: string): Promise<boolean> {
+  // Note: to avoid github rate limiting
+  const token = core.getInput("token", { required: true });
+  const auth = `token ${token}`;
+
+  const variant = process.arch === "x64" ? "amd64" : "arm64";
+  const downloadPath = await tc.downloadTool(
+    `https://github.com/step-security/agent-ebpf/releases/download/v1.8.6/harden-runner-bravo_1.8.6_linux_${variant}.tar.gz`,
+    undefined,
+    auth
+  );
+
+  if (!verifyChecksum(downloadPath, true, variant, "linux", "bravo")) {
+    return false;
+  }
+
+  const extractPath = await tc.extractTar(downloadPath);
+  cp.execFileSync("cp", [path.join(extractPath, "agent"), "/home/agent/agent"]);
+
+  cp.execSync("chmod +x /home/agent/agent");
+
+  fs.writeFileSync("/home/agent/agent.json", configStr);
+
+  const logStream = fs.openSync("/home/agent/agent.stdout", "a");
+  const agentProcess = cp.spawn("sudo", ["/home/agent/agent"], {
+    cwd: "/home/agent",
+    detached: true,
+    stdio: ["ignore", logStream, logStream],
+  });
+  agentProcess.unref();
+
+  const agentStatus = "/home/agent/agent.status";
+  const deadline = Date.now() + 10000;
+  while (true) {
+    if (!fs.existsSync(agentStatus)) {
+      if (Date.now() >= deadline) {
+        console.log("timed out waiting for bravo agent");
+        if (fs.existsSync("/home/agent/agent.stdout")) {
+          console.log(fs.readFileSync("/home/agent/agent.stdout", "utf-8"));
+        }
+        if (fs.existsSync("/home/agent/agent.log")) {
+          console.log(fs.readFileSync("/home/agent/agent.log", "utf-8"));
+        }
+        break;
+      }
+      await new Promise((resolve) => setTimeout(resolve, 300));
+    } else {
+      console.log(fs.readFileSync(agentStatus, "utf-8"));
+      break;
+    }
+  }
+  return true;
+}
+
+export async function installMacosAgent(configStr: string): Promise<boolean> {
+  const token = core.getInput("token", { required: true });
+  const auth = `token ${token}`;
+
+  try {
+    // Create working directory
+    core.info("Creating /opt/step-security directory...");
+    cp.execSync("sudo mkdir -p /opt/step-security");
+    chownForFolder(process.env.USER, "/opt/step-security");
+    core.info("✓ Successfully created /opt/step-security directory");
+
+    // Create agent configuration file
+    core.info("Creating agent.json");
+    fs.writeFileSync("/opt/step-security/agent.json", configStr);
+    core.info(
+      "✓ Successfully created agent.json at /opt/step-security/agent.json"
+    );
+
+    // Download installer package
+    const downloadUrl =
+      "https://github.com/step-security/agent-releases/releases/download/v0.0.5-mac/macos-installer-0.0.5.tar.gz";
+    core.info(`Downloading macOS installer.. : ${downloadUrl}`);
+    const downloadPath = await tc.downloadTool(downloadUrl, undefined, auth);
+    core.info(`✓ Successfully downloaded installer to: ${downloadPath}`);
+
+    // Verify SHA256 checksum
+    core.info("Verifying SHA256 checksum of downloaded tar file...");
+    if (!verifyChecksum(downloadPath, false, "", "darwin")) {
+      return false;
+    }
+
+    // Extract installer package
+    core.info("Extracting installer...");
+    const extractPath = await tc.extractTar(downloadPath);
+    core.info(`✓ Successfully extracted installer to: ${extractPath}`);
+
+    // Copy Installer binary to /opt/step-security
+    const installerSourcePath = path.join(extractPath, "Installer");
+    const installerBinaryPath = "/opt/step-security/Installer";
+
+    core.info(
+      `Copying Installer from ${installerSourcePath} to /opt/step-security...`
+    );
+    cp.execFileSync("cp", [installerSourcePath, installerBinaryPath]);
+    core.info("✓ Successfully copied Installer to /opt/step-security");
+
+
+    // Verify installer binary exists
+    if (!fs.existsSync(installerBinaryPath)) {
+      throw new Error(
+        "Installer binary not found at /opt/step-security/Installer"
+      );
+    }
+    core.info("✓ Installer binary verified");
+
+    // Make installer executable
+    core.info("Making installer executable...");
+    cp.execSync(`chmod +x "${installerBinaryPath}"`);
+    core.info("✓ Installer is now executable");
+
+    // Run installer
+    core.info("Running installer...");
+    cp.execSync(
+      `sudo "${installerBinaryPath}" -workdir /opt/step-security >> /opt/step-security/agent.log 2>&1`,
+      {
+        shell: "/bin/bash",
+        timeout: 10000, // 10 second timeout
+      }
+    );
+    core.info("✓ Installer completed successfully");
+
+    core.info("✅ macOS agent installation completed successfully");
+    return true;
+  } catch (error) {
+    core.error(`❌ Failed to install macOS agent: ${error}`);
+    if (error instanceof Error && error.stack) {
+      core.debug(error.stack);
+    }
+    return false;
+  }
+}
+
+export async function installWindowsAgent(configStr: string): Promise<boolean> {
+  const token = core.getInput("token", { required: true });
+  const auth = `token ${token}`;
+
+  const variant = process.arch === "x64" ? "amd64" : "arm64";
+  if (variant === "arm64") {
+    console.log(ARM64_WINDOWS_RUNNER_MESSAGE);
+    return false;
+  }
+
+  const agentDir = "C:\\agent";
+  core.info(`Creating agent directory: ${agentDir}`);
+  if (!fs.existsSync(agentDir)) {
+    fs.mkdirSync(agentDir, { recursive: true });
+  }
+  fs.appendFileSync(process.env.GITHUB_STATE, `agentDir=${agentDir}${EOL}`, {
+    encoding: "utf8",
+  });
+  const agentExePath = path.join(agentDir, "agent.exe");
+
+  const downloadPath = await tc.downloadTool(
+    `https://github.com/step-security/agent-releases/releases/download/v1.0.2-win/harden-runner-agent-windows_1.0.2_windows_amd64.tar.gz`,
+    undefined,
+    auth
+  );
+
+  // validate the checksum
+  if (!verifyChecksum(downloadPath, false, variant, process.platform)) {
+    return false;
+  }
+
+  const extractPath = await tc.extractTar(downloadPath);
+
+  const extractedAgentPath = path.join(extractPath, "agent.exe");
+  fs.copyFileSync(extractedAgentPath, agentExePath);
+  core.info(`Copied agent from ${extractedAgentPath} to ${agentExePath}`);
+
+  const configPath = path.join(agentDir, "config.json");
+  fs.writeFileSync(configPath, configStr);
+  core.info(`Created config file: ${configPath}`);
+
+  core.info("Starting Windows Agent...");
+
+  try {
+    const logPath = path.join(agentDir, "agent.log");
+    const logStream = fs.openSync(logPath, "a");
+    core.info(`Agent logs will be written to: ${logPath}`);
+
+    const agentProcess = cp.spawn(agentExePath, [], {
+      cwd: agentDir,
+      detached: true,
+      stdio: ["ignore", logStream, logStream],
+      windowsHide: false,
+      shell: false,
+    });
+
+    const pidFile = path.join(agentDir, "agent.pid");
+    fs.writeFileSync(pidFile, agentProcess.pid.toString());
+    core.info(`Agent process started with PID: ${agentProcess.pid}`);
+    core.info(`PID saved to: ${pidFile}`);
+
+    agentProcess.unref();
+
+    core.info("Windows Agent process started successfully");
+    return true;
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    core.setFailed(`Failed to start Windows agent process: ${errorMessage}`);
+    return false;
+  }
+}

src/interfaces.ts

@@ -0,0 +1,33 @@
+export interface Configuration {
+  repo: string;
+  run_id: string;
+  correlation_id: string;
+  working_directory: string;
+  api_url: string;
+  telemetry_url: string;
+  allowed_endpoints: string;
+  egress_policy: string;
+  disable_telemetry: boolean;
+  disable_sudo: boolean;
+  disable_sudo_and_containers: boolean;
+  disable_file_monitoring: boolean;
+  is_github_hosted: boolean;
+  private: string;
+  is_debug: boolean;
+  one_time_key: string;
+  api_key: string;
+  use_policy_store: boolean;
+  deploy_on_self_hosted_vm: boolean;
+}
+
+export interface PolicyResponse {
+  owner?: string;
+  policyName?: string;
+  allowed_endpoints?: string[];
+  disable_sudo?: boolean;
+  disable_sudo_and_containers?: boolean;
+  disable_file_monitoring?: boolean;
+  disable_telemetry?: boolean;
+  egress_policy?: string;
+  policy_name?: string;
+}

src/policy-utils.test.ts

@@ -0,0 +1,393 @@
+import nock from "nock";
+import { fetchPolicy, mergeConfigs } from "./policy-utils";
+import { Configuration, PolicyResponse } from "./interfaces";
+import { STEPSECURITY_API_URL } from "./configs";
+
+test("success: fetching policy", async () => {
+  let owner = "h0x0er";
+  let policyName = "policy1";
+  let response = {
+    owner: "h0x0er",
+    policyName: "policy1",
+    allowed_endpoints: ["github.com:443"],
+    egress_policy: "audit",
+    disable_telemetry: false,
+    disable_sudo: false,
+    disable_file_monitoring: false,
+  };
+  const policyScope = nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/actions/policies/${policyName}`)
+    .reply(200, response);
+
+  let idToken = "xyz";
+  let policy = await fetchPolicy(owner, policyName, idToken);
+  console.log(policy);
+  expect(policy).toStrictEqual(response);
+});
+
+test("merge configs", async () => {
+  let localConfig: Configuration = {
+    repo: "test/repo",
+    run_id: "xyx",
+    correlation_id: "aaaaa",
+    working_directory: "/xyz",
+    api_url: "xyz",
+    telemetry_url: "xyz",
+    allowed_endpoints: "",
+    egress_policy: "audit",
+    disable_telemetry: false,
+    disable_sudo: false,
+    disable_sudo_and_containers: false,
+    disable_file_monitoring: false,
+    private: "true",
+    is_github_hosted: true,
+    is_debug: false,
+    one_time_key: "",
+    api_key: "",
+    use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
+  };
+  let policyResponse: PolicyResponse = {
+    owner: "h0x0er",
+    policyName: "policy1",
+    allowed_endpoints: ["github.com:443", "google.com:443"],
+    egress_policy: "audit",
+    disable_telemetry: false,
+    disable_sudo: false,
+    disable_file_monitoring: false,
+  };
+
+  let expectedConfiguration: Configuration = {
+    repo: "test/repo",
+    run_id: "xyx",
+    correlation_id: "aaaaa",
+    working_directory: "/xyz",
+    api_url: "xyz",
+    telemetry_url: "xyz",
+    allowed_endpoints: "github.com:443 google.com:443",
+    egress_policy: "audit",
+    disable_telemetry: false,
+    disable_sudo: false,
+    disable_sudo_and_containers: false,
+    disable_file_monitoring: false,
+    private: "true",
+    is_github_hosted: true,
+    is_debug: false,
+    one_time_key: "",
+    api_key: "",
+    use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
+  };
+
+  localConfig = mergeConfigs(localConfig, policyResponse);
+  expect(localConfig).toStrictEqual(expectedConfiguration);
+});
+
+// ==================== additional fetchPolicy tests ====================
+
+test("fetchPolicy throws when idToken is empty", async () => {
+  await expect(fetchPolicy("owner", "policy1", "")).rejects.toThrow(
+    "[PolicyFetch]: id-token in empty"
+  );
+});
+
+test("fetchPolicy retries on failure and succeeds", async () => {
+  const owner = "test-owner";
+  const policyName = "test-policy";
+  const response = {
+    allowed_endpoints: ["example.com:443"],
+    egress_policy: "block",
+  };
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/actions/policies/${policyName}`)
+    .replyWithError("connection timeout");
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/actions/policies/${policyName}`)
+    .reply(200, response);
+
+  const policy = await fetchPolicy(owner, policyName, "token123");
+  expect(policy).toStrictEqual(response);
+});
+
+test("fetchPolicy throws after all retries exhausted", async () => {
+  const owner = "test-owner";
+  const policyName = "test-policy";
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/actions/policies/${policyName}`)
+    .times(3)
+    .replyWithError("connection timeout");
+
+  await expect(
+    fetchPolicy(owner, policyName, "token123")
+  ).rejects.toThrow("[Policy Fetch]");
+});
+
+test("fetchPolicy preserves statusCode from error", async () => {
+  const owner = "test-owner";
+  const policyName = "test-policy";
+
+  const errorWithStatus = new Error("Not Found");
+  (errorWithStatus as any).statusCode = 404;
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/actions/policies/${policyName}`)
+    .times(3)
+    .replyWithError(errorWithStatus);
+
+  try {
+    await fetchPolicy(owner, policyName, "token123");
+    fail("should have thrown");
+  } catch (err) {
+    expect(err.message).toContain("[Policy Fetch]");
+  }
+});
+
+// ==================== fetchPolicyFromStore ====================
+
+import { fetchPolicyFromStore } from "./policy-utils";
+
+const policyStoreQueryString = (workflow: string, runId: string, correlationId: string) =>
+  `workflow=${encodeURIComponent(workflow)}&run_id=${encodeURIComponent(runId)}&correlationId=${encodeURIComponent(correlationId)}`;
+
+test("success: fetches policy from store", async () => {
+  const owner = "test-owner";
+  const repo = "test-repo";
+  const workflow = "ci.yml";
+  const runId = "12345";
+  const correlationId = "abc-def";
+  const response = {
+    allowed_endpoints: ["registry.npmjs.org:443", "github.com:443"],
+    egress_policy: "block",
+    disable_sudo: true,
+    disable_file_monitoring: false,
+  };
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
+    .reply(200, response);
+
+  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
+  expect(result).toStrictEqual(response);
+});
+
+test("fetchPolicyFromStore throws when apiKey is empty", async () => {
+  await expect(
+    fetchPolicyFromStore("owner", "repo", "", "ci.yml", "123", "abc")
+  ).rejects.toThrow("[PolicyStoreFetch]: api-key is empty");
+});
+
+test("fetchPolicyFromStore returns null when policy not found (404)", async () => {
+  const owner = "test-owner";
+  const repo = "test-repo";
+  const workflow = "ci.yml";
+  const runId = "12345";
+  const correlationId = "abc-def";
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
+    .reply(404, { message: "not found" });
+
+  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
+  expect(result).toBeNull();
+});
+
+test("fetchPolicyFromStore returns null when API returns empty policy", async () => {
+  const owner = "test-owner";
+  const repo = "nonexistent-repo";
+  const workflow = "ci.yml";
+  const runId = "12345";
+  const correlationId = "abc-def";
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
+    .reply(200, { allowed_endpoints: [], egress_policy: "", policy_name: "" });
+
+  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
+  expect(result).toBeNull();
+});
+
+test("fetchPolicyFromStore retries on failure and succeeds", async () => {
+  const owner = "test-owner";
+  const repo = "test-repo";
+  const workflow = "ci.yml";
+  const runId = "12345";
+  const correlationId = "abc-def";
+  const response = {
+    allowed_endpoints: ["example.com:443"],
+    egress_policy: "audit",
+  };
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
+    .replyWithError("timeout");
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
+    .reply(200, response);
+
+  const result = await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
+  expect(result).toStrictEqual(response);
+});
+
+test("fetchPolicyFromStore throws after all retries exhausted", async () => {
+  const owner = "test-owner";
+  const repo = "test-repo";
+  const workflow = "ci.yml";
+  const runId = "12345";
+  const correlationId = "abc-def";
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
+    .times(3)
+    .replyWithError("connection refused");
+
+  await expect(
+    fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId)
+  ).rejects.toThrow("[Policy Store Fetch]");
+});
+
+test("fetchPolicyFromStore preserves statusCode from error", async () => {
+  const owner = "test-owner";
+  const repo = "test-repo";
+  const workflow = "ci.yml";
+  const runId = "12345";
+  const correlationId = "abc-def";
+
+  const errorWithStatus = new Error("Unauthorized");
+  (errorWithStatus as any).statusCode = 401;
+
+  nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
+    .times(3)
+    .replyWithError(errorWithStatus);
+
+  try {
+    await fetchPolicyFromStore(owner, repo, "my-api-key", workflow, runId, correlationId);
+    fail("should have thrown");
+  } catch (err) {
+    expect(err.message).toContain("[Policy Store Fetch]");
+  }
+});
+
+test("fetchPolicyFromStore sends correct authorization header", async () => {
+  const owner = "test-owner";
+  const repo = "test-repo";
+  const apiKey = "secret-key-123";
+  const workflow = "ci.yml";
+  const runId = "12345";
+  const correlationId = "abc-def";
+
+  nock(`${STEPSECURITY_API_URL}`, {
+    reqheaders: {
+      Authorization: `vm-api-key ${apiKey}`,
+      Source: "github-actions",
+    },
+  })
+    .get(`/github/${owner}/${repo}/actions/policies/workflow-policy?${policyStoreQueryString(workflow, runId, correlationId)}`)
+    .reply(200, { allowed_endpoints: [], egress_policy: "audit" });
+
+  const result = await fetchPolicyFromStore(owner, repo, apiKey, workflow, runId, correlationId);
+  expect(result).toStrictEqual({
+    allowed_endpoints: [],
+    egress_policy: "audit",
+  });
+});
+
+// ==================== additional mergeConfigs tests ====================
+
+test("mergeConfigs does not override local allowed_endpoints if not empty", () => {
+  let localConfig: Configuration = {
+    repo: "test/repo",
+    run_id: "xyx",
+    correlation_id: "aaaaa",
+    working_directory: "/xyz",
+    api_url: "xyz",
+    telemetry_url: "xyz",
+    allowed_endpoints: "local.endpoint:443",
+    egress_policy: "audit",
+    disable_telemetry: false,
+    disable_sudo: false,
+    disable_sudo_and_containers: false,
+    disable_file_monitoring: false,
+    private: "true",
+    is_github_hosted: true,
+    is_debug: false,
+    one_time_key: "",
+    api_key: "",
+    use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
+  };
+  let policyResponse: PolicyResponse = {
+    allowed_endpoints: ["remote.endpoint:443"],
+    egress_policy: "block",
+  };
+
+  localConfig = mergeConfigs(localConfig, policyResponse);
+  expect(localConfig.allowed_endpoints).toBe("local.endpoint:443");
+  expect(localConfig.egress_policy).toBe("block");
+});
+
+test("mergeConfigs overrides disable_sudo_and_containers from remote", () => {
+  let localConfig: Configuration = {
+    repo: "test/repo",
+    run_id: "xyx",
+    correlation_id: "aaaaa",
+    working_directory: "/xyz",
+    api_url: "xyz",
+    telemetry_url: "xyz",
+    allowed_endpoints: "",
+    egress_policy: "audit",
+    disable_telemetry: false,
+    disable_sudo: false,
+    disable_sudo_and_containers: false,
+    disable_file_monitoring: false,
+    private: "true",
+    is_github_hosted: true,
+    is_debug: false,
+    one_time_key: "",
+    api_key: "",
+    use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
+  };
+  let policyResponse: PolicyResponse = {
+    allowed_endpoints: [],
+    disable_sudo_and_containers: true,
+  };
+
+  localConfig = mergeConfigs(localConfig, policyResponse);
+  expect(localConfig.disable_sudo_and_containers).toBe(true);
+});
+
+test("mergeConfigs does not override fields when remote values are undefined", () => {
+  let localConfig: Configuration = {
+    repo: "test/repo",
+    run_id: "xyx",
+    correlation_id: "aaaaa",
+    working_directory: "/xyz",
+    api_url: "xyz",
+    telemetry_url: "xyz",
+    allowed_endpoints: "",
+    egress_policy: "block",
+    disable_telemetry: false,
+    disable_sudo: true,
+    disable_sudo_and_containers: true,
+    disable_file_monitoring: true,
+    private: "true",
+    is_github_hosted: true,
+    is_debug: false,
+    one_time_key: "",
+    api_key: "",
+    use_policy_store: false,
+    deploy_on_self_hosted_vm: false,
+  };
+  let policyResponse: PolicyResponse = {
+    allowed_endpoints: [],
+  };
+
+  localConfig = mergeConfigs(localConfig, policyResponse);
+  expect(localConfig.disable_sudo).toBe(true);
+  expect(localConfig.disable_sudo_and_containers).toBe(true);
+  expect(localConfig.disable_file_monitoring).toBe(true);
+  expect(localConfig.egress_policy).toBe("block");
+});

src/policy-utils.ts

@@ -0,0 +1,141 @@
+import { HttpClient } from "@actions/http-client";
+import { PolicyResponse, Configuration } from "./interfaces";
+import { STEPSECURITY_API_URL } from "./configs";
+
+export async function fetchPolicy(
+  owner: string,
+  policyName: string,
+  idToken: string
+): Promise<PolicyResponse> {
+  if (idToken === "") {
+    throw new Error("[PolicyFetch]: id-token in empty");
+  }
+
+  let policyEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/policies/${policyName}`;
+
+  let httpClient = new HttpClient();
+
+  let headers = {};
+  headers["Authorization"] = `Bearer ${idToken}`;
+  headers["Source"] = "github-actions";
+
+  let response = undefined;
+  let err = undefined;
+
+  let retry = 0;
+  while (retry < 3) {
+    try {
+      console.log(`Attempt: ${retry + 1}`);
+      response = await httpClient.getJson<PolicyResponse>(
+        policyEndpoint,
+        headers
+      );
+      break;
+    } catch (e) {
+      err = e;
+    }
+    retry += 1;
+    await sleep(1000);
+  }
+
+  if (response === undefined && err !== undefined) {
+    // Preserve the original error's statusCode if it exists
+    const error = new Error(`[Policy Fetch] ${err}`);
+    if (err.statusCode !== undefined) {
+      (error as any).statusCode = err.statusCode;
+    }
+    throw error;
+  } else {
+    return response.result;
+  }
+}
+
+export async function fetchPolicyFromStore(
+  owner: string,
+  repo: string,
+  apiKey: string,
+  workflow: string,
+  runId: string,
+  correlationId: string
+): Promise<PolicyResponse | null> {
+  if (apiKey === "") {
+    throw new Error("[PolicyStoreFetch]: api-key is empty");
+  }
+
+  let policyEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/policies/workflow-policy?workflow=${encodeURIComponent(workflow)}&run_id=${encodeURIComponent(runId)}&correlationId=${encodeURIComponent(correlationId)}`;
+
+  let httpClient = new HttpClient();
+
+  let headers = {};
+  headers["Authorization"] = `vm-api-key ${apiKey}`;
+  headers["Source"] = "github-actions";
+
+  let response = undefined;
+  let err = undefined;
+
+  let retry = 0;
+  while (retry < 3) {
+    try {
+      console.log(`Attempt: ${retry + 1}`);
+      response = await httpClient.getJson<PolicyResponse>(
+        policyEndpoint,
+        headers
+      );
+      break;
+    } catch (e) {
+      err = e;
+    }
+    retry += 1;
+    await sleep(1000);
+  }
+
+  if (response === undefined && err !== undefined) {
+    const error = new Error(`[Policy Store Fetch] ${err}`);
+    if (err.statusCode !== undefined) {
+      (error as any).statusCode = err.statusCode;
+    }
+    throw error;
+  }
+
+  if (response.statusCode === 404) {
+    return null;
+  }
+
+  const result = response.result;
+  if (!result || (!result.egress_policy && (!result.allowed_endpoints || result.allowed_endpoints.length === 0))) {
+    return null;
+  }
+
+  return result;
+}
+
+export function mergeConfigs(
+  localConfig: Configuration,
+  remoteConfig: PolicyResponse
+) {
+  if (localConfig.allowed_endpoints === "") {
+    localConfig.allowed_endpoints = remoteConfig.allowed_endpoints.join(" ");
+  }
+  if (remoteConfig.disable_sudo !== undefined) {
+    localConfig.disable_sudo = remoteConfig.disable_sudo;
+  }
+
+  if (remoteConfig.disable_sudo_and_containers !== undefined) {
+    localConfig.disable_sudo_and_containers = remoteConfig.disable_sudo_and_containers;
+  }
+
+  if (remoteConfig.disable_file_monitoring !== undefined) {
+    localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
+  }
+  if (remoteConfig.egress_policy !== undefined) {
+    localConfig.egress_policy = remoteConfig.egress_policy;
+  }
+
+  return localConfig;
+}
+
+function sleep(ms: number) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}

src/setup.ts

@@ -5,63 +5,184 @@ import * as httpm from "@actions/http-client";
 import * as path from "path";
 import { v4 as uuidv4 } from "uuid";
 import * as common from "./common";
-import * as tc from "@actions/tool-cache";
-import { verifyChecksum } from "./checksum";
 import isDocker from "is-docker";
+import { context } from "@actions/github";
+import { EOL } from "os";
 import {
-  cacheFile,
+  ArtifactCacheEntry,
   cacheKey,
+  cacheFile,
   CompressionMethod,
-  getCacheEntry,
   isValidEvent,
 } from "./cache";
+import { Configuration, PolicyResponse } from "./interfaces";
+import { fetchPolicy, fetchPolicyFromStore, mergeConfigs } from "./policy-utils";
+import * as cache from "@actions/cache";
+import { getCacheEntry } from "@actions/cache/lib/internal/cacheHttpClient";
+import * as cacheTwirpClient from "@actions/cache/lib/internal/shared/cacheTwirpClient";
+import { GetCacheEntryDownloadURLRequest } from "@actions/cache/lib/generated/results/api/v1/cache";
+import { getCacheServiceVersion } from "@actions/cache/lib/internal/config";
+
+import * as utils from "@actions/cache/lib/internal/cacheUtils";
+import { isARCRunner, sendAllowedEndpoints } from "./arc-runner";
+import {
+  STEPSECURITY_API_URL,
+  STEPSECURITY_TELEMETRY_URL,
+  STEPSECURITY_WEB_URL,
+} from "./configs";
+import { isGithubHosted, isTLSEnabled } from "./tls-inspect";
+import {
+  installAgent,
+  installAgentBravo,
+  installMacosAgent,
+  installWindowsAgent,
+} from "./install-agent";
+
+import { chownForFolder, detectThirdPartyRunnerProvider, isAgentInstalled, isPlatformSupported, shouldDeployAgentOnSelfHosted } from "./utils";
+import { buildBravoConfig } from "./bravo-config";
+
+interface MonitorResponse {
+  runner_ip_address?: string;
+  one_time_key?: string;
+  monitoring_started?: boolean;
+}
 
 (async () => {
   try {
-    if (process.platform !== "linux") {
-      console.log(common.UBUNTU_MESSAGE);
+    console.log("[harden-runner] pre-step");
+
+    const customProperties = context?.payload?.repository?.custom_properties || {};
+    if (customProperties["skip-harden-runner"] === "true") {
+      console.log("Skipping harden-runner: custom property 'skip-harden-runner' is set to 'true'");
       return;
     }
-    if (isDocker()) {
+
+    if (!isPlatformSupported(process.platform)) {
+      console.log(common.UNSUPPORTED_RUNNER_MESSAGE);
+      return;
+    }
+    if (isGithubHosted() && isDocker()) {
       console.log(common.CONTAINER_MESSAGE);
       return;
     }
 
+    if (isGithubHosted() && process.platform === "linux" && !process.env.USER) {
+      console.log(common.UBUNTU_SLIM_MESSAGE);
+      return;
+    }
+
     var correlation_id = uuidv4();
-    var env = "agent";
-    var api_url = `https://${env}.api.stepsecurity.io/v1`;
-    var web_url = "https://app.stepsecurity.io";
+    var api_url = STEPSECURITY_API_URL;
+    var web_url = STEPSECURITY_WEB_URL;
 
-    console.log(`Step Security Job Correlation ID: ${correlation_id}`);
-
-    const confg = {
+    let confg: Configuration = {
       repo: process.env["GITHUB_REPOSITORY"],
       run_id: process.env["GITHUB_RUN_ID"],
       correlation_id: correlation_id,
       working_directory: process.env["GITHUB_WORKSPACE"],
       api_url: api_url,
+      telemetry_url: STEPSECURITY_TELEMETRY_URL,
       allowed_endpoints: core.getInput("allowed-endpoints"),
       egress_policy: core.getInput("egress-policy"),
       disable_telemetry: core.getBooleanInput("disable-telemetry"),
+      disable_sudo: core.getBooleanInput("disable-sudo"),
+      disable_sudo_and_containers: core.getBooleanInput(
+        "disable-sudo-and-containers"
+      ),
+      disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
+      private: context?.payload?.repository?.private || false,
+      is_github_hosted: isGithubHosted(),
+      is_debug: core.isDebug(),
+      one_time_key: "",
+      api_key: core.getInput("api-key"),
+      use_policy_store: core.getBooleanInput("use-policy-store"),
+      deploy_on_self_hosted_vm: core.getBooleanInput("deploy-on-self-hosted-vm"),
     };
 
-    if (isValidEvent()) {
+    if (confg.api_key !== "") {
+      core.setSecret(confg.api_key);
+    }
+
+    let policyName = core.getInput("policy");
+    if (confg.use_policy_store) {
+      console.log(`Fetching policy from policy store`);
+      if (confg.api_key === "") {
+        core.warning(
+          "api-key is not set while use-policy-store is true. Defaulting to audit mode."
+        );
+        confg.egress_policy = "audit";
+      } else {
+        try {
+          const repoName = (process.env["GITHUB_REPOSITORY"] || "").split("/")[1] || "";
+          const workflowRef = process.env["GITHUB_WORKFLOW_REF"] || "";
+          const workflow = workflowRef.replace(/.*\.github\/workflows\//, "").replace(/@.*/, "");
+          let result: PolicyResponse | null = await fetchPolicyFromStore(
+            context.repo.owner,
+            repoName,
+            confg.api_key,
+            workflow,
+            confg.run_id,
+            confg.correlation_id
+          );
+          if (result !== null) {
+            core.info(`Policy found: ${result.policy_name || "unnamed"}`);
+            confg = mergeConfigs(confg, result);
+          } else {
+            core.info("No policy found in policy store. Defaulting to audit mode.");
+            confg.egress_policy = "audit";
+          }
+        } catch (err) {
+          core.info(`[!] ${err}`);
+          if (err.statusCode >= 400 && err.statusCode < 500) {
+            core.info("Policy not found in policy store. Defaulting to audit mode.");
+            confg.egress_policy = "audit";
+          } else {
+            core.error(`Unexpected error fetching from policy store: ${err}. Falling back to audit mode.`);
+            confg.egress_policy = "audit";
+          }
+        }
+      }
+    } else if (policyName !== "") {
+      console.log(`Fetching policy from API with name: ${policyName}`);
       try {
-        const cacheEntry = await getCacheEntry([cacheKey], [cacheFile], {
-          compressionMethod: CompressionMethod.ZstdWithoutLong,
-        });
-        const url = new URL(cacheEntry.archiveLocation);
-        core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
-        confg.allowed_endpoints += ` ${url.hostname}:443`;
-      } catch (exception) {
-        // some exception has occurred.
-        core.info("Unable to fetch cacheURL");
-        if (confg.egress_policy === "block") {
-          core.info("Switching egress-policy to audit mode");
-          confg.egress_policy = "audit";
+        let idToken: string = await core.getIDToken();
+        let result: PolicyResponse = await fetchPolicy(
+          context.repo.owner,
+          policyName,
+          idToken
+        );
+        confg = mergeConfigs(confg, result);
+      } catch (err) {
+        core.info(`[!] ${err}`);
+        // Only fail the job if ID token is not available
+        if (err.message && err.message.includes('Unable to get ACTIONS_ID_TOKEN_REQUEST')) {
+          core.setFailed('Policy store requires id-token write permission as it uses OIDC to fetch the policy from StepSecurity API. Please add "id-token: write" to your job permissions.');
+        } else {
+          // Handle different HTTP status codes
+          if (err.statusCode >= 400 && err.statusCode < 500) {
+            core.error('Policy not found');
+          } else {
+            core.error(`Unexpected error occurred: ${err}. Falling back to egress policy audit`);
+            confg.egress_policy = 'audit';
+          }
         }
       }
     }
+    fs.appendFileSync(
+      process.env.GITHUB_STATE,
+      `disableSudo=${confg.disable_sudo}${EOL}`,
+      {
+        encoding: "utf8",
+      }
+    );
+    fs.appendFileSync(
+      process.env.GITHUB_STATE,
+      `disableSudoAndContainers=${confg.disable_sudo_and_containers}${EOL}`,
+      {
+        encoding: "utf8",
+      }
+    );
+    core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);
 
     if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
       core.setFailed("egress-policy must be either audit or block");
@@ -77,87 +198,407 @@ import {
       core.setFailed("disable-telemetry must be a boolean value");
     }
 
-    if (!confg.disable_telemetry) {
-      let _http = new httpm.HttpClient();
-      _http.requestOptions = { socketTimeout: 3 * 1000 };
+    if (isValidEvent() && confg.egress_policy === "block") {
       try {
-        await _http.get(
-          `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
+        const cacheResult = await cache.saveCache(
+          [path.join(__dirname, "cache.txt")],
+          cacheKey
         );
-      } catch (e) {
-        console.log(`error in connecting to ${api_url}: ${e}`);
+        console.log(cacheResult);
+      } catch (exception) {
+        console.log(exception);
+      }
+
+      const cacheServiceVersion: string = getCacheServiceVersion();
+
+      switch (cacheServiceVersion) {
+        case "v2":
+          core.info(`cache version: v2`);
+          try {
+            const cacheFilePath = path.join(__dirname, "cache.txt");
+            core.info(`cacheFilePath ${cacheFilePath}`);
+
+            const twirpClient = cacheTwirpClient.internalCacheTwirpClient();
+            const compressionMethod = await utils.getCompressionMethod();
+
+            const request: GetCacheEntryDownloadURLRequest = {
+              key: cacheKey,
+              restoreKeys: [],
+              version: utils.getCacheVersion(
+                [cacheFilePath],
+                compressionMethod,
+                false
+              ),
+            };
+
+            const response = await twirpClient.GetCacheEntryDownloadURL(
+              request
+            );
+
+            const url = new URL(response.signedDownloadUrl);
+            core.info(
+              `Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`
+            );
+
+            confg.allowed_endpoints += ` ${url.hostname}:443`;
+          } catch (e) {
+            core.info(`Unable to fetch cacheURL ${e}`);
+            if (confg.egress_policy === "block") {
+              core.info("Switching egress-policy to audit mode");
+              confg.egress_policy = "audit";
+            }
+          }
+          break;
+
+        case "v1":
+          core.info(`cache version: v1`);
+
+          try {
+            const compressionMethod: CompressionMethod =
+              await utils.getCompressionMethod();
+            const cacheFilePath = path.join(__dirname, "cache.txt");
+            core.info(`cacheFilePath ${cacheFilePath}`);
+
+            const cacheEntry: ArtifactCacheEntry = await getCacheEntry(
+              [cacheKey],
+              [cacheFilePath],
+              {
+                compressionMethod: compressionMethod,
+              }
+            );
+            const url = new URL(cacheEntry.archiveLocation);
+            core.info(
+              `Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`
+            );
+
+            confg.allowed_endpoints += ` ${url.hostname}:443`;
+          } catch (exception) {
+            // some exception has occurred.
+            core.info(`Unable to fetch cacheURL ${exception}`);
+            if (confg.egress_policy === "block") {
+              core.info("Switching egress-policy to audit mode");
+              confg.egress_policy = "audit";
+            }
+          }
       }
     }
 
-    const confgStr = JSON.stringify(confg);
-    cp.execSync("sudo mkdir -p /home/agent");
-    cp.execSync("sudo chown -R $USER /home/agent");
-
-    // Note: to avoid github rate limiting
-    let token = core.getInput("token");
-    let auth = `token ${token}`;
-
-    const downloadPath: string = await tc.downloadTool(
-      "https://github.com/step-security/agent/releases/download/v0.11.0/agent_0.11.0_linux_amd64.tar.gz",
-      undefined,
-      auth
-    );
-
-    verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
-    const extractPath = await tc.extractTar(downloadPath);
-
     if (!confg.disable_telemetry || confg.egress_policy === "audit") {
       common.printInfo(web_url);
     }
 
-    let cmd = "cp",
-      args = [path.join(extractPath, "agent"), "/home/agent/agent"];
-    cp.execFileSync(cmd, args);
-    cp.execSync("chmod +x /home/agent/agent");
+    if (isARCRunner()) {
+      console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
+      if (confg.egress_policy === "block") {
+        sendAllowedEndpoints(confg.allowed_endpoints);
+        await sleep(10000);
+      }
+      return;
+    }
 
-    fs.writeFileSync("/home/agent/agent.json", confgStr);
+    const runnerName = process.env.RUNNER_NAME || "";
+    core.info(`RUNNER_NAME: ${runnerName}`);
+    if (!isGithubHosted()) {
+      const thirdPartyProvider = detectThirdPartyRunnerProvider();
+      if (thirdPartyProvider) {
+        const providerLabel = thirdPartyProvider.charAt(0).toUpperCase() + thirdPartyProvider.slice(1);
+        if (process.platform !== "linux") {
+          core.info(`Detected ${providerLabel} runner on ${process.platform}. Bravo agent is Linux-only, skipping install.`);
+          return;
+        }
+        core.info(`Detected ${providerLabel} runner environment. Installing agent-bravo.`);
+        confg.correlation_id = runnerName || confg.correlation_id;
+        await callMonitorEndpoint(api_url, confg);
+        await installAgentForBravo(context.repo.owner, confg);
+        return;
+      }
 
-    cmd = "sudo";
-    args = [
-      "cp",
-      path.join(__dirname, "agent.service"),
-      "/etc/systemd/system/agent.service",
-    ];
-    cp.execFileSync(cmd, args);
-    cp.execSync("sudo systemctl daemon-reload");
-    cp.execSync("sudo service agent start", { timeout: 15000 });
+      fs.appendFileSync(process.env.GITHUB_STATE, `selfHosted=true${EOL}`, {
+        encoding: "utf8",
+      });
 
-    // Check that the file exists locally
-    var statusFile = "/home/agent/agent.status";
-    var logFile = "/home/agent/agent.log";
-    var counter = 0;
-    while (true) {
-      if (!fs.existsSync(statusFile)) {
-        counter++;
-        if (counter > 30) {
-          console.log("timed out");
-          if (fs.existsSync(logFile)) {
-            var content = fs.readFileSync(logFile, "utf-8");
-            console.log(content);
+      core.info(common.SELF_HOSTED_RUNNER_MESSAGE);
+
+      const inContainer = isDocker();
+      const alreadyInstalled = isAgentInstalled(process.platform);
+
+      if (shouldDeployAgentOnSelfHosted(confg.deploy_on_self_hosted_vm, inContainer, alreadyInstalled)) {
+        if (process.platform !== "linux") {
+          core.info("deploy-on-self-hosted-vm is only supported on Linux. Skipping agent deployment.");
+        } else {
+          core.info("deploy-on-self-hosted-vm is enabled. Installing agent on self-hosted runner.");
+          await installAgentForSelfHosted(context.repo.owner, confg);
+        }
+      } else {
+        if (confg.deploy_on_self_hosted_vm && inContainer) {
+          core.info("Skipping agent deployment: running inside a container.");
+        }
+        if (confg.deploy_on_self_hosted_vm && alreadyInstalled) {
+          core.info("Agent already installed on self-hosted runner, skipping installation.");
+        }
+      }
+
+      if (confg.egress_policy === "block" && !confg.deploy_on_self_hosted_vm) {
+        sendAllowedEndpoints(confg.allowed_endpoints);
+        await sleep(5000);
+      }
+      return;
+    }
+
+    if (isGithubHosted() && process.env.STEP_SECURITY_HARDEN_RUNNER === "true") {
+      fs.appendFileSync(process.env.GITHUB_STATE, `customVMImage=true${EOL}`, {
+        encoding: "utf8",
+      });
+
+      core.info("This job is running on a custom VM image with Harden Runner installed.");
+
+      if (confg.egress_policy === "block") {
+        sendAllowedEndpoints(confg.allowed_endpoints);
+        await sleep(5000);
+      }
+      return;
+    }
+
+    if (isGithubHosted() && isAgentInstalled(process.platform)) {
+      console.log("Agent already installed, skipping installation");
+      return;
+    }
+
+    let _http = new httpm.HttpClient();
+    let statusCode: number | undefined;
+    _http.requestOptions = { socketTimeout: 3 * 1000 };
+    let addSummary = "false";
+    try {
+      const monitorRequestData = {
+        correlation_id: correlation_id,
+        job: process.env["GITHUB_JOB"],
+      };
+      const resp = await _http.postJson<MonitorResponse>(
+        `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`,
+        monitorRequestData
+      );
+
+      const responseData = resp.result;
+      statusCode = resp.statusCode; // adding error code to check whether agent is getting installed or not.
+      fs.appendFileSync(
+        process.env.GITHUB_STATE,
+        `monitorStatusCode=${statusCode}${EOL}`,
+        {
+          encoding: "utf8",
+        }
+      );
+
+      if (statusCode === 200 && responseData) {
+        console.log(`Runner IP Address: ${responseData.runner_ip_address}`);
+        confg.one_time_key = responseData.one_time_key;
+        addSummary = responseData.monitoring_started ? "true" : "false";
+      }
+    } catch (e) {
+      console.log(`error in connecting to ${api_url}: ${e}`);
+    }
+    fs.appendFileSync(
+      process.env.GITHUB_STATE,
+      `addSummary=${addSummary}${EOL}`,
+      {
+        encoding: "utf8",
+      }
+    );
+    fs.appendFileSync(
+      process.env.GITHUB_STATE,
+      `correlation_id=${correlation_id}${EOL}`,
+      {
+        encoding: "utf8",
+      }
+    );
+
+    console.log(`Step Security Job Correlation ID: ${correlation_id}`);
+    if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) {
+      console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
+      return;
+    }
+
+    const { api_key, use_policy_store, ...agentConfig } = confg;
+    const configStr = JSON.stringify(agentConfig);
+
+    // platform specific
+    let statusFile = "";
+    let logFile = "";
+    let agentInstalled = false;
+
+    switch (process.platform) {
+      case "linux":
+        statusFile = "/home/agent/agent.status";
+        logFile = "/home/agent/agent.log";
+
+        cp.execSync("sudo mkdir -p /home/agent");
+        chownForFolder(process.env.USER, "/home/agent");
+
+        let isTLS = await isTLSEnabled(context.repo.owner);
+        agentInstalled = await installAgent(isTLS, configStr);
+
+        break;
+      case "win32":
+        core.info("Installing Windows Agent...");
+        agentInstalled = await installWindowsAgent(configStr);
+
+        const agentDir = process.env.STATE_agentDir || "C:\\agent";
+        statusFile = path.join(agentDir, "agent.status");
+        logFile = path.join(agentDir, "agent.log");
+
+        break;
+      case "darwin":
+        const installed = await installMacosAgent(configStr);
+        if (!installed) {
+          core.warning("😭 macos agent installation failed");
+        }
+        return; // early return
+      default:
+        throw new Error(
+          `Setup failed because of unsupported platform: ${process.platform}`
+        );
+    }
+
+    if (agentInstalled) {
+      var counter = 0;
+      while (true) {
+        if (!fs.existsSync(statusFile)) {
+          counter++;
+          if (counter > 30) {
+            console.log("timed out");
+            if (fs.existsSync(logFile)) {
+              var content = fs.readFileSync(logFile, "utf-8");
+              console.log(content);
+            }
+            break;
           }
+          await sleep(300);
+        } // The file *does* exist
+        else {
+          // Read the file
+          var content = fs.readFileSync(statusFile, "utf-8");
+          console.log(content);
           break;
         }
-        await sleep(300);
-      } // The file *does* exist
-      else {
-        // Read the file
-        var content = fs.readFileSync(statusFile, "utf-8");
-        console.log(content);
-        break;
       }
     }
   } catch (error) {
     core.setFailed(error.message);
   }
+  // see https://github.com/ruby/setup-ruby/issues/543
+  process.exit(0);
 })();
 
-function sleep(ms) {
+export function sleep(ms: number) {
   return new Promise((resolve) => {
     setTimeout(resolve, ms);
   });
 }
+
+async function callMonitorEndpoint(api_url: string, confg: Configuration) {
+  const _http = new httpm.HttpClient();
+  _http.requestOptions = { socketTimeout: 3 * 1000 };
+  let statusCode: number | undefined;
+  let addSummary = "false";
+  try {
+    const monitorRequestData = {
+      correlation_id: confg.correlation_id,
+      job: process.env["GITHUB_JOB"],
+    };
+    const resp = await _http.postJson<MonitorResponse>(
+      `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`,
+      monitorRequestData
+    );
+    statusCode = resp.statusCode;
+    if (resp.statusCode === 200 && resp.result) {
+      console.log(`Runner IP Address: ${resp.result.runner_ip_address}`);
+      confg.one_time_key = resp.result.one_time_key;
+      addSummary = resp.result.monitoring_started ? "true" : "false";
+    }
+  } catch (e) {
+    console.log(`error in connecting to ${api_url}: ${e}`);
+  }
+  fs.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${statusCode}${EOL}`, { encoding: "utf8" });
+  fs.appendFileSync(process.env.GITHUB_STATE, `addSummary=${addSummary}${EOL}`, { encoding: "utf8" });
+  fs.appendFileSync(process.env.GITHUB_STATE, `correlation_id=${confg.correlation_id}${EOL}`, { encoding: "utf8" });
+}
+
+export async function installAgentForSelfHosted(owner: string, confg: Configuration) {
+  try {
+    console.log("Installing Harden Runner agent for self-hosted runner");
+
+    let isTLS = await isTLSEnabled(owner);
+
+    if (!isTLS) {
+      console.log("TLS is not enabled for this organization. Agent installation skipped for self-hosted runner.");
+      return;
+    }
+
+    const selfHostedConfig = {
+      customer: owner,
+      working_directory: confg.working_directory,
+      api_url: confg.api_url,
+      api_key: uuidv4(),
+      allowed_endpoints: confg.allowed_endpoints,
+      egress_policy: confg.egress_policy,
+      disable_telemetry: confg.disable_telemetry,
+      disable_sudo: confg.disable_sudo,
+      disable_sudo_and_containers: confg.disable_sudo_and_containers,
+      disable_file_monitoring: confg.disable_file_monitoring,
+      is_github_hosted: false,
+    };
+    const selfHostedConfigStr = JSON.stringify(selfHostedConfig);
+
+    cp.execSync("sudo mkdir -p /home/agent");
+    chownForFolder(process.env.USER, "/home/agent");
+
+    const agentInstalled = await installAgent(isTLS, selfHostedConfigStr);
+
+    if (agentInstalled) {
+      const statusFile = "/home/agent/agent.status";
+      const logFile = "/home/agent/agent.log";
+      let counter = 0;
+      while (true) {
+        if (!fs.existsSync(statusFile)) {
+          counter++;
+          if (counter > 30) {
+            console.log("timed out");
+            if (fs.existsSync(logFile)) {
+              const content = fs.readFileSync(logFile, "utf-8");
+              console.log(content);
+            }
+            break;
+          }
+          await sleep(300);
+        } else {
+          const content = fs.readFileSync(statusFile, "utf-8");
+          console.log(content);
+          break;
+        }
+      }
+    }
+  } catch (error) {
+    console.log(`Failed to install agent for self-hosted runner: ${error.message}`);
+  }
+}
+
+export async function installAgentForBravo(owner: string, confg: Configuration) {
+  try {
+    console.log("Installing Harden Runner bravo agent for third-party runner");
+
+    let isTLS = await isTLSEnabled(owner);
+
+    if (!isTLS) {
+      console.log("TLS is not enabled for this organization. Bravo agent installation skipped.");
+      return;
+    }
+
+    const bravoConfigStr = JSON.stringify(buildBravoConfig(confg));
+
+    cp.execSync("sudo mkdir -p /home/agent");
+    chownForFolder(process.env.USER, "/home/agent");
+
+    await installAgentBravo(bravoConfigStr);
+  } catch (error) {
+    console.log(`Failed to install bravo agent: ${error.message}`);
+  }
+}

src/tls-inspect.test.ts

@@ -0,0 +1,29 @@
+import nock from "nock";
+import { STEPSECURITY_API_URL } from "./configs";
+import { isTLSEnabled } from "./tls-inspect";
+
+test("tls-inspect enabled", async () => {
+  let owner = "h0x0er";
+  let expected = true;
+
+  const resp = nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/actions/tls-inspection-status`)
+    .reply(200, "");
+
+  let got = await isTLSEnabled(owner);
+
+  expect(got).toEqual(expected);
+});
+
+test("tls-inspect not enabled", async () => {
+  let owner = "step-security";
+  let expected = false;
+
+  const resp = nock(`${STEPSECURITY_API_URL}`)
+    .get(`/github/${owner}/actions/tls-inspection-status`)
+    .reply(401, "");
+
+  let got = await isTLSEnabled(owner);
+
+  expect(got).toEqual(expected);
+});

src/tls-inspect.ts

@@ -0,0 +1,29 @@
+import { HttpClient } from "@actions/http-client";
+import { STEPSECURITY_API_URL } from "./configs";
+import * as core from "@actions/core";
+
+export async function isTLSEnabled(owner: string): Promise<boolean> {
+  let tlsStatusEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/tls-inspection-status`;
+  let httpClient = new HttpClient();
+  httpClient.requestOptions = { socketTimeout: 3 * 1000 };
+  core.info(`[!] Checking TLS_STATUS: ${owner}`);
+  let isEnabled = false;
+  try {
+    let resp = await httpClient.get(tlsStatusEndpoint);
+    if (resp.message.statusCode === 200) {
+      isEnabled = true;
+      core.info(`[!] TLS_ENABLED: ${owner}`);
+    } else {
+      core.info(`[!] TLS_NOT_ENABLED: ${owner}`);
+    }
+  } catch (e) {
+    core.info(`[!] Unable to check TLS_STATUS`);
+  }
+
+  return isEnabled;
+}
+
+export function isGithubHosted() {
+  const runnerEnvironment = process.env.RUNNER_ENVIRONMENT || "";
+  return runnerEnvironment === "github-hosted";
+}

src/utils.test.ts

@@ -0,0 +1,158 @@
+import { shouldDeployAgentOnSelfHosted, isAgentInstalled, isPlatformSupported, getAnnotationLogs, detectThirdPartyRunnerProvider } from "./utils";
+import * as fs from "fs";
+
+jest.mock("fs", () => ({
+  ...jest.requireActual("fs"),
+  existsSync: jest.fn(),
+}));
+
+const mockedExistsSync = fs.existsSync as jest.MockedFunction<typeof fs.existsSync>;
+
+describe("shouldDeployAgentOnSelfHosted", () => {
+  test("returns true when deploy flag is true, not container, agent not installed", () => {
+    expect(shouldDeployAgentOnSelfHosted(true, false, false)).toBe(true);
+  });
+
+  test("returns false when deploy flag is false", () => {
+    expect(shouldDeployAgentOnSelfHosted(false, false, false)).toBe(false);
+  });
+
+  test("returns false when running in a container", () => {
+    expect(shouldDeployAgentOnSelfHosted(true, true, false)).toBe(false);
+  });
+
+  test("returns false when agent is already installed", () => {
+    expect(shouldDeployAgentOnSelfHosted(true, false, true)).toBe(false);
+  });
+
+  test("returns false when in container and agent installed", () => {
+    expect(shouldDeployAgentOnSelfHosted(true, true, true)).toBe(false);
+  });
+
+  test("returns false when all conditions are negative", () => {
+    expect(shouldDeployAgentOnSelfHosted(false, true, true)).toBe(false);
+  });
+});
+
+describe("isAgentInstalled", () => {
+  afterEach(() => {
+    mockedExistsSync.mockReset();
+  });
+
+  test("returns false for linux when status file does not exist", () => {
+    mockedExistsSync.mockReturnValue(false);
+    expect(isAgentInstalled("linux")).toBe(false);
+    expect(mockedExistsSync).toHaveBeenCalledWith("/home/agent/agent.status");
+  });
+
+  test("returns true for linux when status file exists", () => {
+    mockedExistsSync.mockReturnValue(true);
+    expect(isAgentInstalled("linux")).toBe(true);
+  });
+
+  test("returns false for win32 when status file does not exist", () => {
+    mockedExistsSync.mockReturnValue(false);
+    expect(isAgentInstalled("win32")).toBe(false);
+    expect(mockedExistsSync).toHaveBeenCalledWith("C:\\agent\\agent.status");
+  });
+
+  test("returns false for darwin when status file does not exist", () => {
+    mockedExistsSync.mockReturnValue(false);
+    expect(isAgentInstalled("darwin")).toBe(false);
+    expect(mockedExistsSync).toHaveBeenCalledWith("/opt/step-security/agent.status");
+  });
+
+  test("returns false for unsupported platform", () => {
+    expect(isAgentInstalled("freebsd" as NodeJS.Platform)).toBe(false);
+  });
+});
+
+describe("isPlatformSupported", () => {
+  test("returns true for linux", () => {
+    expect(isPlatformSupported("linux")).toBe(true);
+  });
+
+  test("returns true for win32", () => {
+    expect(isPlatformSupported("win32")).toBe(true);
+  });
+
+  test("returns true for darwin", () => {
+    expect(isPlatformSupported("darwin")).toBe(true);
+  });
+
+  test("returns false for unsupported platform", () => {
+    expect(isPlatformSupported("freebsd" as NodeJS.Platform)).toBe(false);
+  });
+});
+
+describe("getAnnotationLogs", () => {
+  test("throws for unsupported platform", () => {
+    expect(() => getAnnotationLogs("freebsd" as NodeJS.Platform)).toThrow("platform not supported");
+  });
+});
+
+describe("detectThirdPartyRunnerProvider", () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = { ...originalEnv };
+    delete process.env.DEPOT_RUNNER;
+    delete process.env.NAMESPACE_GITHUB_RUNTIME;
+    delete process.env.RUNNER_NAME;
+  });
+
+  afterAll(() => {
+    process.env = originalEnv;
+  });
+
+  test("returns depot when DEPOT_RUNNER=1", () => {
+    process.env.DEPOT_RUNNER = "1";
+    expect(detectThirdPartyRunnerProvider()).toBe("depot");
+  });
+
+  test("returns null when DEPOT_RUNNER=0", () => {
+    process.env.DEPOT_RUNNER = "0";
+    expect(detectThirdPartyRunnerProvider()).toBeNull();
+  });
+
+  test("returns namespace when NAMESPACE_GITHUB_RUNTIME is set", () => {
+    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
+    expect(detectThirdPartyRunnerProvider()).toBe("namespace");
+  });
+
+  test("returns warp for RUNNER_NAME prefix warp-", () => {
+    process.env.RUNNER_NAME = "warp-4x-x64-abc";
+    expect(detectThirdPartyRunnerProvider()).toBe("warp");
+  });
+
+  test("returns blacksmith for RUNNER_NAME prefix blacksmith-", () => {
+    process.env.RUNNER_NAME = "blacksmith-01kpj-4vcpu";
+    expect(detectThirdPartyRunnerProvider()).toBe("blacksmith");
+  });
+
+  test("returns null when no env vars match", () => {
+    expect(detectThirdPartyRunnerProvider()).toBeNull();
+  });
+
+  test("returns null for a non-matching RUNNER_NAME", () => {
+    process.env.RUNNER_NAME = "GitHub Actions 1";
+    expect(detectThirdPartyRunnerProvider()).toBeNull();
+  });
+
+  test("depot takes precedence over namespace", () => {
+    process.env.DEPOT_RUNNER = "1";
+    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
+    expect(detectThirdPartyRunnerProvider()).toBe("depot");
+  });
+
+  test("namespace takes precedence over warp runner name prefix", () => {
+    process.env.NAMESPACE_GITHUB_RUNTIME = "something";
+    process.env.RUNNER_NAME = "warp-x";
+    expect(detectThirdPartyRunnerProvider()).toBe("namespace");
+  });
+
+  test("warp takes precedence over blacksmith when both prefixes seen (warp wins on name check order)", () => {
+    process.env.RUNNER_NAME = "warp-x";
+    expect(detectThirdPartyRunnerProvider()).toBe("warp");
+  });
+});

src/utils.ts

@@ -0,0 +1,65 @@
+import * as cp from "child_process";
+import * as fs from "fs";
+
+export function isPlatformSupported(platform: NodeJS.Platform) {
+  switch (platform) {
+    case "linux":
+    case "win32":
+    case "darwin":
+      return true;
+
+    default:
+      return false;
+  }
+}
+
+export function chownForFolder(newOwner: string, target: string) {
+  let cmd = "sudo";
+  let args = ["chown", "-R", newOwner, target];
+  cp.execFileSync(cmd, args);
+}
+
+export function isAgentInstalled(platform: NodeJS.Platform) {
+  switch (platform) {
+    case "linux":
+      return fs.existsSync("/home/agent/agent.status");
+    case "win32":
+      return fs.existsSync("C:\\agent\\agent.status");
+    case "darwin":
+      return fs.existsSync("/opt/step-security/agent.status");
+    default:
+      return false;
+  }
+}
+
+export function shouldDeployAgentOnSelfHosted(
+  deployOnSelfHostedVm: boolean,
+  isContainer: boolean,
+  agentAlreadyInstalled: boolean
+): boolean {
+  return deployOnSelfHostedVm && !isContainer && !agentAlreadyInstalled;
+}
+
+export type ThirdPartyRunnerProvider = "depot" | "namespace" | "warp" | "blacksmith";
+
+export function detectThirdPartyRunnerProvider(): ThirdPartyRunnerProvider | null {
+  if (process.env["DEPOT_RUNNER"] === "1") return "depot";
+  if (process.env["NAMESPACE_GITHUB_RUNTIME"]) return "namespace";
+  const runnerName = process.env["RUNNER_NAME"] ?? "";
+  if (runnerName.startsWith("warp-")) return "warp";
+  if (runnerName.startsWith("blacksmith-")) return "blacksmith";
+  return null;
+}
+
+export function getAnnotationLogs(platform: NodeJS.Platform) {
+  switch (platform) {
+    case "linux":
+      return fs.readFileSync("/home/agent/annotation.log", "utf8");
+    case "win32":
+      return fs.readFileSync("C:\\agent\\annotation.log", "utf8");
+    case "darwin":
+      return fs.readFileSync("/opt/step-security/annotation.log", "utf8");
+    default:
+      throw new Error("platform not supported");
+  }
+}

tsconfig.json

@@ -14,4 +14,4 @@
     "exclude": [
       "src/**/*.test.ts"
     ]
-  }
+  }