Skip to content

Commit

Permalink
Release v2.5.0 (#325)
Browse files Browse the repository at this point in the history
  • Loading branch information
varunsh-coder authored Jul 24, 2023
1 parent aa817ef commit cba0d00
Show file tree
Hide file tree
Showing 24 changed files with 1,017 additions and 382 deletions.
33 changes: 33 additions & 0 deletions .eslintrc.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
module.exports = {
"env": {
"browser": true,
"es2021": true
},
"extends": [
"eslint:recommended",
"plugin:@typescript-eslint/recommended"
],
"overrides": [
{
"env": {
"node": true
},
"files": [
".eslintrc.{js,cjs}"
],
"parserOptions": {
"sourceType": "script"
}
}
],
"parser": "@typescript-eslint/parser",
"parserOptions": {
"ecmaVersion": "latest",
"sourceType": "module"
},
"plugins": [
"@typescript-eslint"
],
"rules": {
}
}
2 changes: 1 addition & 1 deletion .github/workflows/canary.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
steps:
- uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v1
with:
allowed-endpoints:
allowed-endpoints:
api.github.com:443
github.com:443

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/recurring-int-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ on:

permissions:
contents: read

jobs:
int-tests:
name: int tests
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
steps:
- uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
with:
allowed-endpoints:
allowed-endpoints:
api.github.com:443
github.com:443

Expand Down
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -104,4 +104,4 @@ typings/
.tern-port

# vscode files
.vscode
.vscode
1 change: 1 addition & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
exclude: ^dist/
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
Expand Down
23 changes: 10 additions & 13 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

90 changes: 65 additions & 25 deletions dist/post/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -61193,10 +61193,10 @@ function addSummary() {
}
if (needsSubscription) {
yield core.summary.addSeparator()
.addRaw(`<h2>GitHub Actions Runtime Security is disabled</h2>`);
.addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
yield core.summary.addRaw(`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p>
<p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`)
.addSeparator()
.write();
Expand All @@ -61211,11 +61211,8 @@ function addSummary() {
if (tableEntries.length === 0) {
return;
}
let insightsRow = `<tr>
<td colspan="3" align="center"><a href="${insights_url}">🛡️ Check out the full report and recommended policy at StepSecurity</a></td>
</tr>`;
yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`);
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
Expand All @@ -61229,12 +61226,13 @@ function addSummary() {
});
tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Endpoint</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
Expand All @@ -61251,13 +61249,11 @@ function addSummary() {
<td>...</td>
<td>...</td>
</tr>
${insightsRow}
</tbody>
</table>
${insightsRow}
`);
yield core.summary.addSeparator()
.addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
yield core.summary.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
.addSeparator()
.write();
});
Expand All @@ -61266,6 +61262,7 @@ const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";

;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
Expand Down Expand Up @@ -61322,6 +61319,45 @@ function isValidEvent() {
// EXTERNAL MODULE: external "path"
var external_path_ = __nccwpck_require__(5622);
var external_path_default = /*#__PURE__*/__nccwpck_require__.n(external_path_);
;// CONCATENATED MODULE: ./src/arc-runner.ts

function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
if (!runnerUserAgent) {
return false;
}
return runnerUserAgent.includes("actions-runner-controller/");
}
function getRunnerTempDir() {
const isTest = process.env["isTest"];
if (isTest === "1") {
return "/tmp";
}
return process.env["RUNNER_TEMP"] || "/tmp";
}
function sendAllowedEndpoints(endpoints) {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
cp.execSync(`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`);
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
}
}
function applyPolicy(count) {
const fileName = `step_policy_apply_${count}`;
cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
}
function removeStepPolicyFiles() {
external_child_process_.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
function arcCleanUp() {
external_child_process_.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
}

;// CONCATENATED MODULE: ./src/cleanup.ts
var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
Expand All @@ -61339,6 +61375,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _




(() => cleanup_awaiter(void 0, void 0, void 0, function* () {
if (process.platform !== "linux") {
console.log(UBUNTU_MESSAGE);
Expand All @@ -61348,6 +61385,21 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(CONTAINER_MESSAGE);
return;
}
if (isValidEvent()) {
try {
const cacheResult = yield cache.saveCache([external_path_default().join(__dirname, "cache.txt")], cacheKey);
console.log(cacheResult);
}
catch (exception) {
console.log(exception);
}
}
if (isArcRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
arcCleanUp();
removeStepPolicyFiles();
return;
}
if (String(process.env.STATE_monitorStatusCode) ===
STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
Expand Down Expand Up @@ -61389,18 +61441,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log("Service log:");
console.log(journalLog);
}
if (isValidEvent()) {
try {
const cmd = "cp";
const args = [external_path_default().join(__dirname, "cache.txt"), cacheFile];
external_child_process_.execFileSync(cmd, args);
const cacheResult = yield cache.saveCache([cacheFile], cacheKey);
console.log(cacheResult);
}
catch (exception) {
console.log(exception);
}
}
try {
yield addSummary();
}
Expand Down
2 changes: 1 addition & 1 deletion dist/post/index.js.map

Large diffs are not rendered by default.

Loading

0 comments on commit cba0d00

Please sign in to comment.