Merge pull request #606 from step-security/rc-28

varunsh-coder · web-flow · commit 95d9a5deda9d · 2025-11-04T23:36:48.000-08:00
Release v2.13.2
diff --git a/dist/index.js b/dist/index.js
@@ -27698,7 +27698,7 @@ function addSummary() {
     });
 }
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
-const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
+const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
 const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/post/index.js b/dist/post/index.js
@@ -27705,7 +27705,7 @@ function addSummary() {
     });
 }
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
-const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
+const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
 const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
@@ -27867,6 +27867,9 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
     if (process.env.STATE_selfHosted === "true") {
         return;
     }
+    if (process.env.STATE_customVMImage === "true") {
+        return;
+    }
     if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
         return;
     }
diff --git a/dist/post/index.js.map b/dist/post/index.js.map
diff --git a/dist/pre/index.js b/dist/pre/index.js
@@ -85248,7 +85248,7 @@ function addSummary() {
     });
 }
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
-const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
+const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
 const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
@@ -85495,8 +85495,8 @@ var external_crypto_ = __nccwpck_require__(6982);
 
 const CHECKSUMS = {
     tls: {
-        amd64: "2430b850e0e4d67a2f3b626f02d2827226ee16406da6af0c47ae7b18e18bd2b8",
-        arm64: "a3c89271e697ab39557ba8011cac7a2df690b5d27b4584d5d5abdf8845a6ce6c",
+        amd64: "603d6a0dabb60a7c8f651d7f5b53258fa64162424a77da9884d9032b3e71d6b1",
+        arm64: "fdc7504a3210dc67fc8393969b0f3c98df593c7884c83ed6d1c0ec84070801aa",
     },
     non_tls: {
         amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
@@ -85549,7 +85549,7 @@ function installAgent(isTLS, configStr) {
             encoding: "utf8",
         });
         if (isTLS) {
-            downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.6.23/harden-runner_1.6.23_linux_${variant}.tar.gz`, undefined, auth);
+            downloadPath = yield tool_cache.downloadTool(`https://github.com/step-security/agent-ebpf/releases/download/v1.7.6/harden-runner_1.7.6_linux_${variant}.tar.gz`, undefined, auth);
         }
         else {
             if (variant === "arm64") {
@@ -85764,6 +85764,17 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
             }
             return;
         }
+        if (isGithubHosted() && process.env.STEP_SECURITY_HARDEN_RUNNER === "true") {
+            external_fs_.appendFileSync(process.env.GITHUB_STATE, `customVMImage=true${external_os_.EOL}`, {
+                encoding: "utf8",
+            });
+            lib_core.info("This job is running on a custom VM image with Harden Runner installed.");
+            if (confg.egress_policy === "block") {
+                sendAllowedEndpoints(confg.allowed_endpoints);
+                yield setup_sleep(5000);
+            }
+            return;
+        }
         let _http = new lib.HttpClient();
         let statusCode;
         _http.requestOptions = { socketTimeout: 3 * 1000 };
diff --git a/dist/pre/index.js.map b/dist/pre/index.js.map
diff --git a/docs/limitations.md b/docs/limitations.md
@@ -3,7 +3,7 @@
 ### GitHub-Hosted Runners
 
 * Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121).
-* Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`. Note: This is not a limitation for Self-Hosted runners.
+* Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) with built-in labels such as `ubuntu-latest`, as it needs sudo access on the Ubuntu VM to run. The limitation is if the entire job is run in a container. However, such jobs can be monitored when using custom VM images with GitHub-hosted runners. This is also not a limitation for Self-Hosted runners.
 
 ### Self-Hosted Actions Runner Controller (ARC) Runners
 
diff --git a/src/checksum.ts b/src/checksum.ts
@@ -4,8 +4,8 @@ import * as fs from "fs";
 
 const CHECKSUMS = {
   tls: {
-    amd64: "2430b850e0e4d67a2f3b626f02d2827226ee16406da6af0c47ae7b18e18bd2b8", // v1.6.23
-    arm64: "a3c89271e697ab39557ba8011cac7a2df690b5d27b4584d5d5abdf8845a6ce6c",
+    amd64: "603d6a0dabb60a7c8f651d7f5b53258fa64162424a77da9884d9032b3e71d6b1", // v1.7.6
+    arm64: "fdc7504a3210dc67fc8393969b0f3c98df593c7884c83ed6d1c0ec84070801aa",
   },
   non_tls: {
     amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
diff --git a/src/cleanup.ts b/src/cleanup.ts
@@ -25,6 +25,10 @@ import { isGithubHosted } from "./tls-inspect";
     return;
   }
 
+  if (process.env.STATE_customVMImage === "true") {
+    return;
+  }
+
   if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {
     return;
   }
diff --git a/src/common.ts b/src/common.ts
@@ -126,7 +126,7 @@ export async function addSummary() {
 export const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
 
 export const CONTAINER_MESSAGE =
-  "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
+  "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";
 
 export const UBUNTU_MESSAGE =
   "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
diff --git a/src/install-agent.ts b/src/install-agent.ts
@@ -25,7 +25,7 @@ export async function installAgent(
 
   if (isTLS) {
     downloadPath = await tc.downloadTool(
-      `https://github.com/step-security/agent-ebpf/releases/download/v1.6.23/harden-runner_1.6.23_linux_${variant}.tar.gz`,
+      `https://github.com/step-security/agent-ebpf/releases/download/v1.7.6/harden-runner_1.7.6_linux_${variant}.tar.gz`,
       undefined,
       auth
     );
diff --git a/src/setup.ts b/src/setup.ts
@@ -243,6 +243,20 @@ interface MonitorResponse {
       return;
     }
 
+    if (isGithubHosted() && process.env.STEP_SECURITY_HARDEN_RUNNER === "true") {
+      fs.appendFileSync(process.env.GITHUB_STATE, `customVMImage=true${EOL}`, {
+        encoding: "utf8",
+      });
+
+      core.info("This job is running on a custom VM image with Harden Runner installed.");
+
+      if (confg.egress_policy === "block") {
+        sendAllowedEndpoints(confg.allowed_endpoints);
+        await sleep(5000);
+      }
+      return;
+    }
+
     let _http = new httpm.HttpClient();
     let statusCode: number | undefined;
     _http.requestOptions = { socketTimeout: 3 * 1000 };

Original file line number	Diff line number	Diff line change
`@@ -27698,7 +27698,7 @@ function addSummary() {`
`27698`	`27698`	`});`
`27699`	`27699`	`}`
`27700`	`27700`	`const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";`
`27701`		`-const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";`
	`27701`	`+const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";`
`27702`	`27702`	`const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";`
`27703`	`27703`	`const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";`
`27704`	`27704`	`const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";`
Original file line number	Diff line number	Diff line change
`@@ -27705,7 +27705,7 @@ function addSummary() {`
`27705`	`27705`	`});`
`27706`	`27706`	`}`
`27707`	`27707`	`const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";`
`27708`		`-const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";`
	`27708`	`+const CONTAINER_MESSAGE = "This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners.";`
`27709`	`27709`	`const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";`
`27710`	`27710`	`const SELF_HOSTED_RUNNER_MESSAGE = "This job is running on a self-hosted runner.";`
`27711`	`27711`	`const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";`
`@@ -27867,6 +27867,9 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) \|\| function (thisArg, _`
`27867`	`27867`	`if (process.env.STATE_selfHosted === "true") {`
`27868`	`27868`	`return;`
`27869`	`27869`	`}`
	`27870`	`+ if (process.env.STATE_customVMImage === "true") {`
	`27871`	`+ return;`
	`27872`	`+ }`
`27870`	`27873`	`if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {`
`27871`	`27874`	`return;`
`27872`	`27875`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,10 @@ import { isGithubHosted } from "./tls-inspect";`
`25`	`25`	`return;`
`26`	`26`	`}`
`27`	`27`
	`28`	`+ if (process.env.STATE_customVMImage === "true") {`
	`29`	`+ return;`
	`30`	`+ }`
	`31`	`+`
`28`	`32`	`if (process.env.STATE_isTLS === "false" && process.arch === "arm64") {`
`29`	`33`	`return;`
`30`	`34`	`}`