.github/workflows/canary.yml

@@ -22,7 +22,7 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v1
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v1
       with:
         egress-policy: audit
         allowed-endpoints:

.github/workflows/code-review.yml

@@ -11,7 +11,7 @@ jobs:
       pull-requests: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -50,7 +50,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a
+      uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -61,7 +61,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a
+      uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -75,4 +75,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a
+      uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac

.github/workflows/dependency-review.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

.github/workflows/recurring-int-tests.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 

.github/workflows/release.yml

@@ -25,7 +25,7 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
       with:
         egress-policy: audit
         allowed-endpoints:

.github/workflows/scorecards.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 
@@ -62,6 +62,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # tag=v1.0.26
+        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # tag=v1.0.26
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: audit
@@ -39,7 +39,7 @@ jobs:
         run: npm test -- --coverage
       - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
       - name: Publish Test Results
-        uses: step-security/publish-unit-test-result-action@v1
+        uses: step-security/publish-unit-test-result-action@v2
         if: always()
         with:
           files: |

src/checksum.ts

@@ -14,7 +14,7 @@ export function verifyChecksum(downloadPath: string, is_tls: boolean) {
 
   if (is_tls) {
     expectedChecksum =
-      "e45b85e29216eb1d217aad368bdb056bbd868a308925e7b2cf9133b06ab435d0"; // checksum for tls_agent
+      "fa9defcf9e125a62cb29747574d6a07aee4f04153e7bce4a3c7ce29681469e92"; // checksum for tls_agent
   }
 
   if (checksum !== expectedChecksum) {

src/cleanup.ts

@@ -5,6 +5,8 @@ import isDocker from "is-docker";
 import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
 
 (async () => {
+  console.log("[harden-runner] post-step");
+
   if (process.platform !== "linux") {
     console.log(common.UBUNTU_MESSAGE);
     return;

src/common.ts

@@ -35,8 +35,15 @@ export const processLogLine = (
     if (matches) {
       const [ipAddress, domain, pid, process] = matches.slice(1);
 
-      // Check if all values are non-empty
-      if (pid && process && domain && ipAddress) {
+      // Check if all values are non-empty and domain does not end with specified patterns
+      if (
+        pid &&
+        process &&
+        domain &&
+        ipAddress &&
+        !domain.endsWith(".actions.githubusercontent.com.") &&
+        !domain.endsWith(".blob.core.windows.net.")
+      ) {
         const status = ipAddress.startsWith("54.185.253.63")
           ? "❌ Blocked"
           : "✅ Allowed";
@@ -173,4 +180,4 @@ export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
   "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
 
 export const ARC_RUNNER_MESSAGE =
-  "Workflow is currently being executed in ARC based runner";
+  "Workflow is currently being executed in ARC based runner";

src/index.ts

@@ -4,6 +4,8 @@ import isDocker from "is-docker";
 import { STEPSECURITY_WEB_URL } from "./configs";
 
 (async () => {
+  console.log("[harden-runner] main-step");
+
   if (process.platform !== "linux") {
     console.log(common.UBUNTU_MESSAGE);
     return;

src/setup.ts

@@ -34,6 +34,8 @@ interface MonitorResponse {
 
 (async () => {
   try {
+    console.log("[harden-runner] pre-step");
+
     if (process.platform !== "linux") {
       console.log(common.UBUNTU_MESSAGE);
       return;
@@ -234,7 +236,7 @@ interface MonitorResponse {
 
     if (await isTLSEnabled(context.repo.owner)) {
       downloadPath = await tc.downloadTool(
-        "https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.2_linux_amd64.tar.gz"
+        "https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.3_linux_amd64.tar.gz"
       );
       verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
     } else {