
Commit 3effea3

authored
chore: Add harden runner (#41)
1 parent 7f99949 commit 3effea3


2 files changed

+40
-14
lines changed


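--- a/.github/workflows/test_action.yml
+++ b/.github/workflows/test_action.yml
@@ -42,6 +42,12 @@ jobs:
 name: Test Agent Repository Flow (Basic)
 runs-on: ubuntu-latest
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+with:
+disable-sudo: true
+egress-policy: audit
+
 - name: Checkout action repository
 uses: actions/checkout@v4
 with:
@@ -67,9 +73,11 @@ jobs:
 
 - name: Setup mock newrelic-auth-cli
 run: |
-# Make our mock CLI executable and install to standard location
+# Make our mock CLI executable and install to user-writable location
 chmod +x .github/mock-newrelic-auth-cli
-sudo cp .github/mock-newrelic-auth-cli /usr/local/bin/newrelic-auth-cli
+mkdir -p "$HOME/.local/bin"
+cp .github/mock-newrelic-auth-cli "$HOME/.local/bin/newrelic-auth-cli"
+echo "$HOME/.local/bin" >> $GITHUB_PATH
 
 # Verify it's accessible
 which newrelic-auth-cli
@@ -111,6 +119,12 @@ jobs:
 ports:
 - 5000:5000
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+with:
+disable-sudo: true
+egress-policy: audit
+
 - name: Checkout action repository
 uses: actions/checkout@v4
 with:
@@ -136,9 +150,11 @@ jobs:
 
 - name: Setup mock newrelic-auth-cli
 run: |
-# Make our mock CLI executable and install to standard location
+# Make our mock CLI executable and install to user-writable location
 chmod +x .github/mock-newrelic-auth-cli
-sudo cp .github/mock-newrelic-auth-cli /usr/local/bin/newrelic-auth-cli
+mkdir -p "$HOME/.local/bin"
+cp .github/mock-newrelic-auth-cli "$HOME/.local/bin/newrelic-auth-cli"
+echo "$HOME/.local/bin" >> $GITHUB_PATH
 
 # Verify it's accessible
 which newrelic-auth-cli
@@ -227,6 +243,12 @@ jobs:
 name: Test Documentation Flow (MDX Parsing)
 runs-on: ubuntu-latest
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+with:
+disable-sudo: true
+egress-policy: audit
+
 - name: Checkout action repository
 uses: actions/checkout@v4
 with:
@@ -252,9 +274,11 @@ jobs:
 
 - name: Setup mock newrelic-auth-cli
 run: |
-# Make our mock CLI executable and install to standard location
+# Make our mock CLI executable and install to user-writable location
 chmod +x .github/mock-newrelic-auth-cli
-sudo cp .github/mock-newrelic-auth-cli /usr/local/bin/newrelic-auth-cli
+mkdir -p "$HOME/.local/bin"
+cp .github/mock-newrelic-auth-cli "$HOME/.local/bin/newrelic-auth-cli"
+echo "$HOME/.local/bin" >> $GITHUB_PATH
 
 # Verify it's accessible
 which newrelic-auth-cli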
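Review bot: `egress-policy: audit` in the added Harden Runner step (new lines 45-50, repeated at 122-127 and 246-251) only records outbound traffic, so an unexpected connection made by a compromised dependency during the job would be logged but not stopped. Once a few audit runs have produced a baseline, consider `egress-policy: block` together with an explicit `allowed-endpoints:` list. The context line `uses: actions/checkout@v4` directly below each new step is still a mutable tag, while this same commit pins checkout in action.yml to a full commit SHA; pinning it here the same way would keep the workflow consistent with the stated hardening goal. The `steps:` lists continue outside these hunks, so other unpinned actions may exist that are not visible here.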

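--- a/action.yml
+++ b/action.yml
@@ -53,12 +53,12 @@ runs:
 echo "ref=${{ inputs.version }}" >> $GITHUB_OUTPUT
 
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ steps.version.outputs.ref }} # When ref is empty (as in docs scenario), this will default to checking out the commit that triggered the action
 fetch-depth: ${{ inputs.fetch-depth }}
 - name: Setup Go
-uses: actions/setup-go@v4
+uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
 go-version-file: '${{ github.action_path }}/go.mod'
 cache: ${{ inputs.cache }}
@@ -80,12 +80,14 @@ runs:
 fi
 
 echo "::group::Installing newrelic-auth-cli"
-LATEST_RELEASE=$(curl -s https://api.github.com/repos/newrelic/newrelic-auth-rs/releases/latest | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
-echo "Downloading newrelic-auth-cli version $LATEST_RELEASE"
-curl -L "https://github.com/newrelic/newrelic-auth-rs/releases/download/${LATEST_RELEASE}/newrelic-auth-cli_amd64.tar.gz" -o newrelic-auth-cli.tar.gz
-tar -xzf newrelic-auth-cli.tar.gz
-chmod +x newrelic-auth-cli
-sudo mv newrelic-auth-cli /usr/local/bin/
+CLI_COMMIT="a6591c5a691d2c6f913d36b509baf4dcdba0868e" # v0.1.3
+echo "Downloading newrelic-auth-cli at commit ${CLI_COMMIT}"
+curl -L "https://github.com/newrelic/newrelic-auth-rs/archive/${CLI_COMMIT}.tar.gz" -o newrelic-auth-cli.tar.gz
+tar -xzf newrelic-auth-cli.tar.gz --strip-components=1
+chmod +x newrelic-auth-cli_amd64.tar.gz
+mkdir -p "$HOME/.local/bin"
+mv newrelic-auth-cli "$HOME/.local/bin/"
+echo "$HOME/.local/bin" >> $GITHUB_PATH
 
 echo "::endgroup::"
 
 - name: Authenticate with NewRelic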
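Review bot: The new install block (new lines 83-90) downloads `archive/${CLI_COMMIT}.tar.gz`, which is GitHub's source snapshot of the repository rather than the `newrelic-auth-cli_amd64.tar.gz` release asset the removed lines fetched, so the later `mv newrelic-auth-cli` presumably has no prebuilt binary to move, and `chmod +x newrelic-auth-cli_amd64.tar.gz` names a file that no visible line creates. Extracting with `--strip-components=1` also unpacks that tree straight into the working directory, where it can overwrite files of the same name. `curl -L` has no `-f`, so an HTTP error page would be saved and handed to tar. I would fetch the release asset for a fixed tag and verify it against a recorded SHA-256 before extracting, as sketched below; the tag is assumed from the `# v0.1.3` comment and the digest is a placeholder to be filled in from a vetted copy of the asset. The `run:` script starts and ends outside the hunk.

```yaml
CLI_VERSION="v0.1.3"  # assumed release tag, taken from the existing comment
CLI_SHA256="<SHA256_OF_RELEASE_ASSET>"  # placeholder: record the digest of the vetted asset
echo "Downloading newrelic-auth-cli version ${CLI_VERSION}"
curl -fsSL "https://github.com/newrelic/newrelic-auth-rs/releases/download/${CLI_VERSION}/newrelic-auth-cli_amd64.tar.gz" -o newrelic-auth-cli.tar.gz
# Refuse to extract or install anything whose digest does not match the recorded one
echo "${CLI_SHA256}  newrelic-auth-cli.tar.gz" | sha256sum -c - || exit 1
tar -xzf newrelic-auth-cli.tar.gz
chmod +x newrelic-auth-cli
# … unchanged: mkdir -p, mv into "$HOME/.local/bin", GITHUB_PATH export …
```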
