Release v2.2.0 (#245)

dist/post/index.js

@@ -61033,8 +61033,10 @@ function addSummary() {
         }
     });
 }
+const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
 const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
+const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 
 ;// CONCATENATED MODULE: external "node:fs"
 const external_node_fs_namespaceObject = require("node:fs");
@@ -61199,6 +61201,11 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         console.log(CONTAINER_MESSAGE);
         return;
     }
+    if (String(process.env.STATE_monitorStatusCode) ===
+        STATUS_HARDEN_RUNNER_UNAVAILABLE) {
+        console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
+        return;
+    }
     external_fs_.writeFileSync("/home/agent/post_event.json", JSON.stringify({ event: "post" }));
     var doneFile = "/home/agent/done.json";
     var counter = 0;

dist/pre/index.js

@@ -14163,8 +14163,10 @@ function addSummary() {
         }
     });
 }
+const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
 const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
+const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 
 // EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js
 var tool_cache = __nccwpck_require__(7784);
@@ -14179,7 +14181,7 @@ function verifyChecksum(downloadPath) {
     const checksum = external_crypto_.createHash("sha256")
         .update(fileBuffer)
         .digest("hex"); // checksum of downloaded file
-    const expectedChecksum = "79f397360470d6e42c73d6c9c5cf485ac9982e56e3e3fdd07f66c59cda4388c8"; // checksum for v0.12.1
+    const expectedChecksum = "10fd5587cfeba6aac4125be78ee32f60d5e780de10929f454525670c4c16935d"; // checksum for v0.12.2
     if (checksum !== expectedChecksum) {
         lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
     }
@@ -14354,7 +14356,6 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
         var env = "agent";
         var api_url = `https://${env}.api.stepsecurity.io/v1`;
         var web_url = "https://app.stepsecurity.io";
-        console.log(`Step Security Job Correlation ID: ${correlation_id}`);
         const confg = {
             repo: process.env["GITHUB_REPOSITORY"],
             run_id: process.env["GITHUB_RUN_ID"],
@@ -14368,6 +14369,33 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
             disable_file_monitoring: lib_core.getBooleanInput("disable-file-monitoring"),
             private: github.context.payload.repository.private,
         };
+        if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
+            lib_core.setFailed("egress-policy must be either audit or block");
+        }
+        if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
+            lib_core.warning("egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps.");
+        }
+        if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
+            lib_core.setFailed("disable-telemetry must be a boolean value");
+        }
+        let _http = new lib.HttpClient();
+        let statusCode;
+        _http.requestOptions = { socketTimeout: 3 * 1000 };
+        try {
+            const resp = yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
+            statusCode = resp.message.statusCode; // adding error code to check whether agent is getting installed or not.
+            external_fs_.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${statusCode}${external_os_.EOL}`, {
+                encoding: "utf8",
+            });
+        }
+        catch (e) {
+            console.log(`error in connecting to ${api_url}: ${e}`);
+        }
+        console.log(`Step Security Job Correlation ID: ${correlation_id}`);
+        if (String(statusCode) === STATUS_HARDEN_RUNNER_UNAVAILABLE) {
+            console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
+            return;
+        }
         if (isValidEvent()) {
             try {
                 const cacheEntry = yield getCacheEntry([cacheKey], [cacheFile], {
@@ -14386,37 +14414,13 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
                 }
             }
         }
-        if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
-            lib_core.setFailed("egress-policy must be either audit or block");
-        }
-        if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
-            lib_core.warning("egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps.");
-        }
-        if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
-            lib_core.setFailed("disable-telemetry must be a boolean value");
-        }
-        if (!confg.disable_telemetry) {
-            let _http = new lib.HttpClient();
-            _http.requestOptions = { socketTimeout: 3 * 1000 };
-            try {
-                const resp = yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
-                if (resp.message.statusCode === 200) {
-                    external_fs_.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${resp.message.statusCode}${external_os_.EOL}`, {
-                        encoding: "utf8",
-                    });
-                }
-            }
-            catch (e) {
-                console.log(`error in connecting to ${api_url}: ${e}`);
-            }
-        }
         const confgStr = JSON.stringify(confg);
         external_child_process_.execSync("sudo mkdir -p /home/agent");
         external_child_process_.execSync("sudo chown -R $USER /home/agent");
         // Note: to avoid github rate limiting
         let token = lib_core.getInput("token");
         let auth = `token ${token}`;
-        const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.12.1/agent_0.12.1_linux_amd64.tar.gz", undefined, auth);
+        const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.12.2/agent_0.12.2_linux_amd64.tar.gz", undefined, auth);
         verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
         const extractPath = yield tool_cache.extractTar(downloadPath);
         if (!confg.disable_telemetry || confg.egress_policy === "audit") {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "step-security-harden-runner",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Security agent for GitHub-hosted runner to monitor the build process",
   "main": "index.js",
   "scripts": {

src/checksum.ts

@@ -10,7 +10,7 @@ export function verifyChecksum(downloadPath: string) {
     .digest("hex"); // checksum of downloaded file
 
   const expectedChecksum: string =
-    "79f397360470d6e42c73d6c9c5cf485ac9982e56e3e3fdd07f66c59cda4388c8"; // checksum for v0.12.1
+    "10fd5587cfeba6aac4125be78ee32f60d5e780de10929f454525670c4c16935d"; // checksum for v0.12.2
 
   if (checksum !== expectedChecksum) {
     core.setFailed(

src/cleanup.ts

@@ -17,6 +17,14 @@ import path from "path";
     return;
   }
 
+  if (
+    String(process.env.STATE_monitorStatusCode) ===
+    common.STATUS_HARDEN_RUNNER_UNAVAILABLE
+  ) {
+    console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
+    return;
+  }
+
   fs.writeFileSync(
     "/home/agent/post_event.json",
     JSON.stringify({ event: "post" })

src/common.ts

@@ -21,16 +21,19 @@ export async function addSummary() {
         "StepSecurity Harden-Runner",
         { width: "200" }
       )
-      .addLink(
-        "View security insights and recommended policy",
-        insights_url
-      )
+      .addLink("View security insights and recommended policy", insights_url)
       .addSeparator()
       .write();
   }
 }
+
+export const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
+
 export const CONTAINER_MESSAGE =
   "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
 
 export const UBUNTU_MESSAGE =
   "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
+
+export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
+  "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";

src/index.ts

@@ -12,6 +12,14 @@ import isDocker from "is-docker";
     return;
   }
 
+  if (
+    String(process.env.STATE_monitorStatusCode) ===
+    common.STATUS_HARDEN_RUNNER_UNAVAILABLE
+  ) {
+    console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
+    return;
+  }
+
   if (
     core.getBooleanInput("disable-telemetry") &&
     core.getInput("egress-policy") === "block"

src/setup.ts

@@ -34,8 +34,6 @@ import {
     var api_url = `https://${env}.api.stepsecurity.io/v1`;
     var web_url = "https://app.stepsecurity.io";
 
-    console.log(`Step Security Job Correlation ID: ${correlation_id}`);
-
     const confg = {
       repo: process.env["GITHUB_REPOSITORY"],
       run_id: process.env["GITHUB_RUN_ID"],
@@ -50,24 +48,6 @@ import {
       private: context.payload.repository.private,
     };
 
-    if (isValidEvent()) {
-      try {
-        const cacheEntry = await getCacheEntry([cacheKey], [cacheFile], {
-          compressionMethod: CompressionMethod.ZstdWithoutLong,
-        });
-        const url = new URL(cacheEntry.archiveLocation);
-        core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
-        confg.allowed_endpoints += ` ${url.hostname}:443`;
-      } catch (exception) {
-        // some exception has occurred.
-        core.info("Unable to fetch cacheURL");
-        if (confg.egress_policy === "block") {
-          core.info("Switching egress-policy to audit mode");
-          confg.egress_policy = "audit";
-        }
-      }
-    }
-
     if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
       core.setFailed("egress-policy must be either audit or block");
     }
@@ -82,25 +62,47 @@ import {
       core.setFailed("disable-telemetry must be a boolean value");
     }
 
-    if (!confg.disable_telemetry) {
-      let _http = new httpm.HttpClient();
-      _http.requestOptions = { socketTimeout: 3 * 1000 };
+    let _http = new httpm.HttpClient();
+    let statusCode;
+    _http.requestOptions = { socketTimeout: 3 * 1000 };
+    try {
+      const resp: httpm.HttpClientResponse = await _http.get(
+        `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
+      );
+      statusCode = resp.message.statusCode; // adding error code to check whether agent is getting installed or not.
+      fs.appendFileSync(
+        process.env.GITHUB_STATE,
+        `monitorStatusCode=${statusCode}${EOL}`,
+        {
+          encoding: "utf8",
+        }
+      );
+    } catch (e) {
+      console.log(`error in connecting to ${api_url}: ${e}`);
+    }
+
+    console.log(`Step Security Job Correlation ID: ${correlation_id}`);
+
+    if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) {
+      console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
+      return;
+    }
+
+    if (isValidEvent()) {
       try {
-        const resp: httpm.HttpClientResponse = await _http.get(
-          `${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
-        );
-        if(resp.message.statusCode === 200){
-          fs.appendFileSync(
-            process.env.GITHUB_STATE,
-            `monitorStatusCode=${resp.message.statusCode}${EOL}`,
-            {
-              encoding: "utf8",
-            }
-          );
+        const cacheEntry = await getCacheEntry([cacheKey], [cacheFile], {
+          compressionMethod: CompressionMethod.ZstdWithoutLong,
+        });
+        const url = new URL(cacheEntry.archiveLocation);
+        core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
+        confg.allowed_endpoints += ` ${url.hostname}:443`;
+      } catch (exception) {
+        // some exception has occurred.
+        core.info("Unable to fetch cacheURL");
+        if (confg.egress_policy === "block") {
+          core.info("Switching egress-policy to audit mode");
+          confg.egress_policy = "audit";
         }
-
-      } catch (e) {
-        console.log(`error in connecting to ${api_url}: ${e}`);
       }
     }
 
@@ -113,7 +115,7 @@ import {
     let auth = `token ${token}`;
 
     const downloadPath: string = await tc.downloadTool(
-      "https://github.com/step-security/agent/releases/download/v0.12.1/agent_0.12.1_linux_amd64.tar.gz",
+      "https://github.com/step-security/agent/releases/download/v0.12.2/agent_0.12.2_linux_amd64.tar.gz",
       undefined,
       auth
     );