Merge pull request #455 from step-security/rc-12

Release v2.10.0
step-security · Sep 10, 2024 · 446798f · 446798f
2 parents 951b485 + f0d3b1e
commit 446798f
Show file tree

Hide file tree

Showing 12 changed files with 251 additions and 144 deletions.
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/post/index.js b/dist/post/index.js
diff --git a/dist/post/index.js.map b/dist/post/index.js.map
diff --git a/dist/pre/index.js b/dist/pre/index.js
diff --git a/dist/pre/index.js.map b/dist/pre/index.js.map
diff --git a/src/checksum.ts b/src/checksum.ts
@@ -2,19 +2,33 @@ import * as core from "@actions/core";
 import * as crypto from "crypto";
 import * as fs from "fs";
 
-export function verifyChecksum(downloadPath: string, is_tls: boolean) {
+const CHECKSUMS = {
+  tls: {
+    amd64: "0bd500769646f0a90c0dfe9ac59699d5165bed549a9870c031b861146af337b2", // v1.3.2
+    arm64: "c2448ac205fd90f46abba31c13cf34c3b997824881502f736315fb08ac0a5a5c",
+  },
+  non_tls: {
+    amd64: "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a", // v0.13.7
+  },
+};
+
+export function verifyChecksum(
+  downloadPath: string,
+  isTLS: boolean,
+  variant: string
+) {
   const fileBuffer: Buffer = fs.readFileSync(downloadPath);
   const checksum: string = crypto
     .createHash("sha256")
     .update(fileBuffer)
     .digest("hex"); // checksum of downloaded file
 
-  let expectedChecksum: string =
-    "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a"; // checksum for v0.13.7
+  let expectedChecksum: string = "";
 
-  if (is_tls) {
-    expectedChecksum =
-      "fa9defcf9e125a62cb29747574d6a07aee4f04153e7bce4a3c7ce29681469e92"; // checksum for tls_agent
+  if (isTLS) {
+    expectedChecksum = CHECKSUMS["tls"][variant];
+  } else {
+    expectedChecksum = CHECKSUMS["non_tls"][variant];
   }
 
   if (checksum !== expectedChecksum) {

diff --git a/src/cleanup.ts b/src/cleanup.ts
@@ -27,6 +27,10 @@ import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
     return;
   }
 
+  if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
+    return;
+  }
+
   if (
     String(process.env.STATE_monitorStatusCode) ===
     common.STATUS_HARDEN_RUNNER_UNAVAILABLE

diff --git a/src/common.ts b/src/common.ts
@@ -180,4 +180,7 @@ export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
   "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 
 export const ARC_RUNNER_MESSAGE =
-  "Workflow is currently being executed in ARC based runner";
+  "Workflow is currently being executed in ARC based runner.";
+
+export const ARM64_RUNNER_MESSAGE =
+  "ARM runners are not supported in the Harden-Runner community tier.";
diff --git a/src/index.ts b/src/index.ts
@@ -23,6 +23,10 @@ import { STEPSECURITY_WEB_URL } from "./configs";
     return;
   }
 
+  if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
+    return;
+  }
+
   if (
     core.getBooleanInput("disable-telemetry") &&
     core.getInput("egress-policy") === "block"

diff --git a/src/install-agent.ts b/src/install-agent.ts
@@ -0,0 +1,65 @@
+import * as tc from "@actions/tool-cache";
+import * as core from "@actions/core";
+import * as cp from "child_process";
+import * as path from "path";
+import * as fs from "fs";
+import { verifyChecksum } from "./checksum";
+import { EOL } from "os";
+import { ARM64_RUNNER_MESSAGE } from "./common";
+
+export async function installAgent(
+  isTLS: boolean,
+  configStr: string
+): Promise<boolean> {
+  // Note: to avoid github rate limiting
+  const token = core.getInput("token", { required: true });
+  const auth = `token ${token}`;
+
+  const variant = process.arch === "x64" ? "amd64" : "arm64";
+
+  let downloadPath: string;
+
+  fs.appendFileSync(process.env.GITHUB_STATE, `isTLS=${isTLS}${EOL}`, {
+    encoding: "utf8",
+  });
+
+  if (isTLS) {
+    downloadPath = await tc.downloadTool(
+      `https://packages.stepsecurity.io/github-hosted/harden-runner_1.3.2_linux_${variant}.tar.gz`
+    );
+  } else {
+    if (variant === "arm64") {
+      console.log(ARM64_RUNNER_MESSAGE);
+      return false;
+    }
+    downloadPath = await tc.downloadTool(
+      "https://github.com/step-security/agent/releases/download/v0.13.7/agent_0.13.7_linux_amd64.tar.gz",
+      undefined,
+      auth
+    );
+  }
+
+  verifyChecksum(downloadPath, isTLS, variant);
+
+  const extractPath = await tc.extractTar(downloadPath);
+
+  let cmd = "cp",
+    args = [path.join(extractPath, "agent"), "/home/agent/agent"];
+
+  cp.execFileSync(cmd, args);
+
+  cp.execSync("chmod +x /home/agent/agent");
+
+  fs.writeFileSync("/home/agent/agent.json", configStr);
+
+  cmd = "sudo";
+  args = [
+    "cp",
+    path.join(__dirname, "agent.service"),
+    "/etc/systemd/system/agent.service",
+  ];
+  cp.execFileSync(cmd, args);
+  cp.execSync("sudo systemctl daemon-reload");
+  cp.execSync("sudo service agent start", { timeout: 15000 });
+  return true;
+}