Merge pull request #498 from step-security/rc-18

Release v2.11.0

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,28 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/[email protected]

.github/workflows/runs-on.yml

@@ -0,0 +1,176 @@
+name: RunsOn Tests
+
+on: 
+  workflow_dispatch:
+
+jobs:
+  test-host-outbound:
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - runner=2cpu-linux-x64
+      - image=ubuntu22-stepsecurity-x64
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@rc
+        with:
+          egress-policy: audit
+          allowed-endpoints: >
+            github.com:443
+            goreleaser.com:443
+            
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run outbound calls from host
+        run: |
+          start_time=$(date +%s)
+          end_time=$((start_time + 90))  # 5 minutes = 300 seconds
+          
+          while [ $(date +%s) -lt $end_time ]; do
+            curl -I https://www.google.com
+            curl -I https://goreleaser.com
+            sleep 10  # wait 10 seconds between calls
+          done
+  
+  test-docker-outbound:
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - runner=2cpu-linux-x64
+      - image=ubuntu22-stepsecurity-x64
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@rc
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            github.com:443
+            goreleaser.com:443
+            production.cloudflare.docker.com:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+            *.docker.io:443
+            security.ubuntu.com:80
+         
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run outbound calls from within Docker container
+        continue-on-error: true
+        run: |
+          # Start the container
+          docker run --rm -d --name test-container ubuntu:latest sleep 90
+          
+          # Install curl in the container
+          docker exec test-container apt-get update
+          docker exec test-container apt-get install -y curl
+          
+          # Print /etc/resolv.conf from the container
+          docker exec test-container cat /etc/resolv.conf
+          
+          # Make outbound calls
+          for i in {1..9}; do
+            docker exec test-container curl -I https://www.google.com
+            docker exec test-container curl -I https://goreleaser.com
+            sleep 10  # wait 10 seconds between calls
+          done
+          
+          # Stop the container
+          docker stop test-container
+
+      
+  test-docker-build-outbound:
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - runner=2cpu-linux-x64
+      - image=ubuntu22-stepsecurity-x64
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@rc
+        with:
+          egress-policy: audit
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            auth.docker.io:443
+            github.com:443
+            goreleaser.com:443
+            production.cloudflare.docker.com:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+            registry-1.docker.io:443
+            security.ubuntu.com:80
+            
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build Docker image and test outbound calls during build
+        continue-on-error: true
+        run: |
+          # Create a Dockerfile that installs curl and makes outbound calls
+          cat <<EOF > Dockerfile
+          FROM ubuntu:latest
+          RUN apt-get update && apt-get install -y curl
+          RUN for i in {1..9}; do curl -I https://www.google.com && curl -I https://goreleaser.com; sleep 10; done
+          EOF
+          
+          # Build the Docker image
+          docker build -t test-image .
+          
+          # Print /etc/resolv.conf from the build container (temporary container used during build)
+          container_id=$(docker create test-image)
+          docker start $container_id
+          docker exec $container_id cat /etc/resolv.conf
+          docker stop $container_id
+          docker rm $container_id
+
+      - name: Print Docker logs with journalctl
+        run: |
+            sudo journalctl -u docker.service --no-pager 
+        shell: bash
+
+  test-long-running-docker:
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - runner=2cpu-linux-x64
+      - image=ubuntu22-stepsecurity-x64
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@rc
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            auth.docker.io:443
+            github.com:443
+            goreleaser.com:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+            security.ubuntu.com:80
+            
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run long-running Docker container with outbound calls
+        continue-on-error: true
+        run: |
+          # Start the long-running container
+          docker run --rm -d --name long-running-container ubuntu:latest bash -c "
+            apt-get update && apt-get install -y curl && 
+            while true; do 
+              curl -I https://www.google.com; 
+              curl -I https://goreleaser.com; 
+              sleep 10; 
+            done
+          "
+          
+          # Print /etc/resolv.conf from the container
+          docker exec long-running-container cat /etc/resolv.conf
+          
+          # Let the container run for 5 minutes
+          sleep 90
+          
+          # Stop the container
+          docker stop long-running-container
+     
+

README.md

@@ -111,7 +111,7 @@ Includes all features in the **Community** tier, plus:
 
 For a detailed comparison and more information, please visit our [Pricing Page](https://www.stepsecurity.io/pricing).
 
-Explore the full feature set in the [Features Documentation](https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security/).
+Explore the full feature set in the [Features Documentation](https://docs.stepsecurity.io/harden-runner).
 
 ---
 

src/checksum.ts

@@ -4,8 +4,8 @@ import * as fs from "fs";
 
 const CHECKSUMS = {
   tls: {
-    amd64: "4e4def9320e212cf2a9be8be062671349a7c6f3c95a56cfcb47de356eab0832f", // v1.3.6
-    arm64: "ba046c02bfe55b5ffb0b27ab9f644616c1683dbbb2bc2abc9deba8edf28d89d0",
+    amd64: "38e7ed97ced6fe0c1cf0fb5ee3b3d521dfe28d5ddf1cdca72d130c8d1b4a314e", // v1.4.2
+    arm64: "f67c80cc578c996d4f882c14fcdb63df57927d907cd22f1ec65f9fa940c08cf3",
   },
   non_tls: {
     amd64: "a9f1842e3d7f3d38c143dbe8ffe1948e6c8173cd04da072d9f9d128bb400844a", // v0.13.7

src/install-agent.ts

@@ -25,7 +25,7 @@ export async function installAgent(
 
   if (isTLS) {
     downloadPath = await tc.downloadTool(
-      `https://packages.stepsecurity.io/github-hosted/harden-runner_1.3.6_linux_${variant}.tar.gz`
+      `https://packages.stepsecurity.io/github-hosted/harden-runner_1.4.2_linux_${variant}.tar.gz`
     );
   } else {
     if (variant === "arm64") {