Release v2.6.0 (#346)

action.yml

@@ -1,5 +1,5 @@
-name: "Harden Runner"
-description: "Security agent for GitHub-hosted runner to monitor the build process"
+name: "Harden-Runner"
+description: "Harden-Runner provides runtime security for GitHub-hosted and self-hosted runners"
 inputs:
   allowed-endpoints:
     description: "Only these endpoints will be allowed if egress-policy is set to block"

dist/post/index.js

@@ -61261,6 +61261,7 @@ function addSummary() {
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
 const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
 const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
+const SELF_HOSTED_NO_AGENT_MESSAGE = "This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
 const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
 
@@ -61400,6 +61401,9 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
         removeStepPolicyFiles();
         return;
     }
+    if (process.env.STATE_selfHosted === "true") {
+        return;
+    }
     if (String(process.env.STATE_monitorStatusCode) ===
         STATUS_HARDEN_RUNNER_UNAVAILABLE) {
         console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);

src/cleanup.ts

@@ -37,6 +37,10 @@ import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
     return;
   }
 
+  if (process.env.STATE_selfHosted === "true") {
+    return;
+  }
+
   if (
     String(process.env.STATE_monitorStatusCode) ===
     common.STATUS_HARDEN_RUNNER_UNAVAILABLE

src/common.ts

@@ -164,6 +164,9 @@ export const CONTAINER_MESSAGE =
 export const UBUNTU_MESSAGE =
   "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
 
+export const SELF_HOSTED_NO_AGENT_MESSAGE =
+  "This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
+
 export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
   "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 

src/setup.ts

@@ -134,6 +134,31 @@ import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
       return;
     }
 
+    const runnerName = process.env.RUNNER_NAME || "";
+    core.info(`RUNNER_NAME: ${runnerName}`);
+    if (!runnerName.startsWith("GitHub Actions")) {
+      fs.appendFileSync(process.env.GITHUB_STATE, `selfHosted=true${EOL}`, {
+        encoding: "utf8",
+      });
+      if (!fs.existsSync("/home/agent/agent")) {
+        core.info(common.SELF_HOSTED_NO_AGENT_MESSAGE);
+        return;
+      }
+      if (confg.egress_policy === "block") {
+        try {
+          if (process.env.USER) {
+            cp.execSync(`sudo chown -R ${process.env.USER} /home/agent`);
+          }
+          const confgStr = JSON.stringify(confg);
+          fs.writeFileSync("/home/agent/block_event.json", confgStr);
+          await sleep(5000);
+        } catch (error) {
+          core.info(`[!] Unable to write block_event.json: ${error}`);
+        }
+      }
+      return;
+    }
+
     let _http = new httpm.HttpClient();
     let statusCode;
     _http.requestOptions = { socketTimeout: 3 * 1000 };