Merge pull request #565 from step-security/rc-24

Release v2.13.0

Author: varunsh-coder

dist/index.js

@@ -27615,7 +27615,7 @@ var external_fs_ = __nccwpck_require__(5747);
 ;// CONCATENATED MODULE: ./src/configs.ts
 const STEPSECURITY_ENV = "agent"; // agent or int
 const configs_STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
-const configs_STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
+const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
 
 ;// CONCATENATED MODULE: ./src/common.ts
 var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
@@ -27658,14 +27658,13 @@ const processLogLine = (line, tableEntries) => {
     }
 };
 function addSummary() {
+    var _a;
     return __awaiter(this, void 0, void 0, function* () {
         if (process.env.STATE_addSummary !== "true") {
             return;
         }
-        const web_url = STEPSECURITY_WEB_URL;
-        const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
-        const log = "/home/agent/agent.log";
-        if (!fs.existsSync(log)) {
+        const correlation_id = process.env.STATE_correlation_id;
+        if (!correlation_id) {
             return;
         }
         let needsSubscription = false;
@@ -27691,62 +27690,29 @@ function addSummary() {
                 .write();
             return;
         }
-        const content = fs.readFileSync(log, "utf-8");
-        const lines = content.split("\n");
-        let tableEntries = [];
-        for (const line of lines) {
-            processLogLine(line, tableEntries);
-        }
-        if (tableEntries.length === 0) {
+        // Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
+        const [owner, repo] = ((_a = process.env["GITHUB_REPOSITORY"]) === null || _a === void 0 ? void 0 : _a.split("/")) || [];
+        const run_id = process.env["GITHUB_RUN_ID"];
+        if (!owner || !repo || !run_id || !correlation_id) {
             return;
         }
-        const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
-        yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
-        tableEntries.sort((a, b) => {
-            if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
-                return -1;
-            }
-            else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
-                return 1;
-            }
-            else {
-                return 0;
+        // Fetch job summary from API
+        const apiUrl = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
+        try {
+            const response = yield fetch(apiUrl);
+            if (!response.ok) {
+                console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
+                return;
             }
-        });
-        tableEntries = tableEntries.slice(0, 3);
-        yield core.summary.addRaw(`
-  <blockquote>
-  <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
-  <h3>Network Calls</h3>
-  <table>
-    <thead>
-      <tr>
-        <th>Process</th>
-        <th>Destination</th>
-        <th>Status</th>
-      </tr>
-    </thead>
-    <tbody>
-      ${tableEntries
-            .map((entry) => `<tr>
-          <td><code>${entry.process}</code></td>
-          <td>${entry.domain.replace(/\.$/, "")}</td>
-          <td>${entry.status}</td>
-        </tr>`)
-            .join("")}
-      <tr>
-        <td><code>...</code></td>
-        <td><code>...</code></td>
-        <td><code>...</code></td>
-      </tr>
-    </tbody>
-  </table>
-  ${insightsRow}
-`);
-        yield core.summary
-            .addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
-            .addSeparator()
-            .write();
+            const markdownSummary = yield response.text();
+            // Render the markdown summary using core.summary.addRaw
+            yield core.summary.addRaw(markdownSummary).write();
+            return;
+        }
+        catch (error) {
+            console.error(`Error fetching job summary: ${error}`);
+            return;
+        }
     });
 }
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
@@ -27871,7 +27837,7 @@ var src_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argu
         console.log("Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true");
     }
     else {
-        var web_url = configs_STEPSECURITY_WEB_URL;
+        var web_url = STEPSECURITY_WEB_URL;
         printInfo(web_url);
     }
 }))();

dist/index.js.map

@@ -27660,14 +27660,13 @@ const processLogLine = (line, tableEntries) => {
     }
 };
 function addSummary() {
+    var _a;
     return __awaiter(this, void 0, void 0, function* () {
         if (process.env.STATE_addSummary !== "true") {
             return;
         }
-        const web_url = STEPSECURITY_WEB_URL;
-        const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
-        const log = "/home/agent/agent.log";
-        if (!external_fs_.existsSync(log)) {
+        const correlation_id = process.env.STATE_correlation_id;
+        if (!correlation_id) {
             return;
         }
         let needsSubscription = false;
@@ -27691,61 +27690,29 @@ function addSummary() {
                 .write();
             return;
         }
-        const content = external_fs_.readFileSync(log, "utf-8");
-        const lines = content.split("\n");
-        let tableEntries = [];
-        for (const line of lines) {
-            processLogLine(line, tableEntries);
-        }
-        if (tableEntries.length === 0) {
+        // Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
+        const [owner, repo] = ((_a = process.env["GITHUB_REPOSITORY"]) === null || _a === void 0 ? void 0 : _a.split("/")) || [];
+        const run_id = process.env["GITHUB_RUN_ID"];
+        if (!owner || !repo || !run_id || !correlation_id) {
             return;
         }
-        const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
-        yield lib_core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
-        tableEntries.sort((a, b) => {
-            if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
-                return -1;
-            }
-            else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
-                return 1;
-            }
-            else {
-                return 0;
+        // Fetch job summary from API
+        const apiUrl = `${configs_STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
+        try {
+            const response = yield fetch(apiUrl);
+            if (!response.ok) {
+                console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
+                return;
             }
-        });
-        tableEntries = tableEntries.slice(0, 3);
-        yield lib_core.summary.addRaw(`
-  <blockquote>
-  <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
-  <h3>Network Calls</h3>
-  <table>
-    <thead>
-      <tr>
-        <th>Process</th>
-        <th>Destination</th>
-        <th>Status</th>
-      </tr>
-    </thead>
-    <tbody>
-      ${tableEntries
-            .map((entry) => `<tr>
-          <td><code>${entry.process}</code></td>
-          <td>${entry.domain.replace(/\.$/, "")}</td>
-          <td>${entry.status}</td>
-        </tr>`)
-            .join("")}
-      <tr>
-        <td><code>...</code></td>
-        <td><code>...</code></td>
-        <td><code>...</code></td>
-      </tr>
-    </tbody>
-  </table>
-  ${insightsRow}
-`);
-        yield lib_core.summary.addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
-            .addSeparator()
-            .write();
+            const markdownSummary = yield response.text();
+            // Render the markdown summary using core.summary.addRaw
+            yield lib_core.summary.addRaw(markdownSummary).write();
+            return;
+        }
+        catch (error) {
+            console.error(`Error fetching job summary: ${error}`);
+            return;
+        }
     });
 }
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";

dist/post/index.js

@@ -87641,8 +87641,8 @@ const parse = dist/* parse */.Qc;
 
 ;// CONCATENATED MODULE: ./src/configs.ts
 const STEPSECURITY_ENV = "agent"; // agent or int
-const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
-const configs_STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
+const configs_STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
+const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
 
 ;// CONCATENATED MODULE: ./src/common.ts
 var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
@@ -87685,14 +87685,13 @@ const processLogLine = (line, tableEntries) => {
     }
 };
 function addSummary() {
+    var _a;
     return __awaiter(this, void 0, void 0, function* () {
         if (process.env.STATE_addSummary !== "true") {
             return;
         }
-        const web_url = STEPSECURITY_WEB_URL;
-        const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
-        const log = "/home/agent/agent.log";
-        if (!fs.existsSync(log)) {
+        const correlation_id = process.env.STATE_correlation_id;
+        if (!correlation_id) {
             return;
         }
         let needsSubscription = false;
@@ -87718,62 +87717,29 @@ function addSummary() {
                 .write();
             return;
         }
-        const content = fs.readFileSync(log, "utf-8");
-        const lines = content.split("\n");
-        let tableEntries = [];
-        for (const line of lines) {
-            processLogLine(line, tableEntries);
-        }
-        if (tableEntries.length === 0) {
+        // Extract owner and repo from GITHUB_REPOSITORY (format: owner/repo)
+        const [owner, repo] = ((_a = process.env["GITHUB_REPOSITORY"]) === null || _a === void 0 ? void 0 : _a.split("/")) || [];
+        const run_id = process.env["GITHUB_RUN_ID"];
+        if (!owner || !repo || !run_id || !correlation_id) {
             return;
         }
-        const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
-        yield core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
-        tableEntries.sort((a, b) => {
-            if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
-                return -1;
-            }
-            else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
-                return 1;
-            }
-            else {
-                return 0;
+        // Fetch job summary from API
+        const apiUrl = `${STEPSECURITY_API_URL}/github/${owner}/${repo}/actions/runs/${run_id}/correlation/${correlation_id}/job-markdown-summary`;
+        try {
+            const response = yield fetch(apiUrl);
+            if (!response.ok) {
+                console.error(`Failed to fetch job summary: ${response.status} ${response.statusText}`);
+                return;
             }
-        });
-        tableEntries = tableEntries.slice(0, 3);
-        yield core.summary.addRaw(`
-  <blockquote>
-  <p>Preview of the outbound network calls during this workflow run.</p></blockquote>
-  <h3>Network Calls</h3>
-  <table>
-    <thead>
-      <tr>
-        <th>Process</th>
-        <th>Destination</th>
-        <th>Status</th>
-      </tr>
-    </thead>
-    <tbody>
-      ${tableEntries
-            .map((entry) => `<tr>
-          <td><code>${entry.process}</code></td>
-          <td>${entry.domain.replace(/\.$/, "")}</td>
-          <td>${entry.status}</td>
-        </tr>`)
-            .join("")}
-      <tr>
-        <td><code>...</code></td>
-        <td><code>...</code></td>
-        <td><code>...</code></td>
-      </tr>
-    </tbody>
-  </table>
-  ${insightsRow}
-`);
-        yield core.summary
-            .addRaw(`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`)
-            .addSeparator()
-            .write();
+            const markdownSummary = yield response.text();
+            // Render the markdown summary using core.summary.addRaw
+            yield core.summary.addRaw(markdownSummary).write();
+            return;
+        }
+        catch (error) {
+            console.error(`Error fetching job summary: ${error}`);
+            return;
+        }
     });
 }
 const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
@@ -87855,7 +87821,7 @@ function fetchPolicy(owner, policyName, idToken) {
         if (idToken === "") {
             throw new Error("[PolicyFetch]: id-token in empty");
         }
-        let policyEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/policies/${policyName}`;
+        let policyEndpoint = `${configs_STEPSECURITY_API_URL}/github/${owner}/actions/policies/${policyName}`;
         let httpClient = new lib.HttpClient();
         let headers = {};
         headers["Authorization"] = `Bearer ${idToken}`;
@@ -87978,7 +87944,7 @@ var tls_inspect_awaiter = (undefined && undefined.__awaiter) || function (thisAr
 
 function isTLSEnabled(owner) {
     return tls_inspect_awaiter(this, void 0, void 0, function* () {
-        let tlsStatusEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/tls-inspection-status`;
+        let tlsStatusEndpoint = `${configs_STEPSECURITY_API_URL}/github/${owner}/actions/tls-inspection-status`;
         let httpClient = new lib.HttpClient();
         httpClient.requestOptions = { socketTimeout: 3 * 1000 };
         lib_core.info(`[!] Checking TLS_STATUS: ${owner}`);
@@ -88014,8 +87980,8 @@ var external_crypto_ = __nccwpck_require__(6417);
 
 const CHECKSUMS = {
     tls: {
-        amd64: "3f2dc32f300071289650d1f9cbd3c04527ff8cc13e213eeccb70d4d6d2a0c8d5",
-        arm64: "96967e419b358b664658fa218b712fdb439ffb8eef3bb7b170f122d1e96b4779",
+        amd64: "5c02a40df6e2c926c92ffc6bf02ca8a301649d44541ca57e40a87948fb0d3f2e",
+        arm64: "b953784a468343c44a1a3ef4ec984c738a9a1e84aaf6932a2bb9dbf7ac7eab29",
     },
     non_tls: {
         amd64: "336093af8ebe969567b66fd035af3bd4f7e1c723ce680d6b4b5b2a1f79bc329e", // v0.14.2
@@ -88068,7 +88034,7 @@ function installAgent(isTLS, configStr) {
             encoding: "utf8",
         });
         if (isTLS) {
-            downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.15_linux_${variant}.tar.gz`);
+            downloadPath = yield tool_cache.downloadTool(`https://packages.stepsecurity.io/github-hosted/harden-runner_1.6.18_linux_${variant}.tar.gz`);
         }
         else {
             if (variant === "arm64") {
@@ -88140,8 +88106,8 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
             return;
         }
         var correlation_id = v4();
-        var api_url = STEPSECURITY_API_URL;
-        var web_url = configs_STEPSECURITY_WEB_URL;
+        var api_url = configs_STEPSECURITY_API_URL;
+        var web_url = STEPSECURITY_WEB_URL;
         let confg = {
             repo: process.env["GITHUB_REPOSITORY"],
             run_id: process.env["GITHUB_RUN_ID"],
@@ -88297,6 +88263,9 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
         external_fs_.appendFileSync(process.env.GITHUB_STATE, `addSummary=${addSummary}${external_os_.EOL}`, {
             encoding: "utf8",
         });
+        external_fs_.appendFileSync(process.env.GITHUB_STATE, `correlation_id=${correlation_id}${external_os_.EOL}`, {
+            encoding: "utf8",
+        });
         console.log(`Step Security Job Correlation ID: ${correlation_id}`);
         if (String(statusCode) === STATUS_HARDEN_RUNNER_UNAVAILABLE) {
             console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);