Feature/deploy on self hosted vm #658
…sted runners Installs the Harden Runner agent on self-hosted Linux VMs when enabled. Skipped if running in a container or agent is already installed. Recommended only for ephemeral runners when baking the agent into the VM image is not possible. Includes unit tests.
…atted, lodash, picomatch
…v2.17.0 reference
Tests failed on CI because the runner had agent.status present. Mock fs.existsSync to make tests environment-independent.
Pull request overview
Adds an opt-in capability to deploy the Harden Runner agent directly onto Linux self-hosted runner VMs, alongside updating the Linux TLS agent version/checksums and refreshing bundled dependencies/docs.
Changes:
- Introduces the deploy-on-self-hosted-vm input and a self-hosted runner flow to install the agent when enabled (Linux only, not in containers, and not already installed).
- Adds helper logic (shouldDeployAgentOnSelfHosted) and unit tests around the deployment decision and platform/installation checks.
- Bumps the Linux TLS agent artifact to v1.8.0 (with updated checksums) and updates the generated dist bundles / lockfile.
Reviewed changes
Copilot reviewed 9 out of 16 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/utils.ts | Adds shouldDeployAgentOnSelfHosted helper used by self-hosted deployment logic. |
| src/setup.ts | Reads new input, conditionally installs agent on self-hosted runners, and adds installAgentForSelfHosted. |
| src/setup.test.ts | Adds Jest coverage for the new helper and existing utils behaviors. |
| src/policy-utils.test.ts | Extends test configs to include the new deploy_on_self_hosted_vm configuration field. |
| src/interfaces.ts | Adds deploy_on_self_hosted_vm to Configuration. |
| src/install-agent.ts | Updates TLS Linux agent download URL/version to v1.8.0. |
| src/checksum.ts | Updates TLS checksums corresponding to the v1.8.0 agent artifact. |
| README.md | Updates marketing links, usage snippet version pin, and environment table wording. |
| package-lock.json | Updates transitive dependencies and adds path-expression-matcher. |
| dist/pre/index.js | Regenerated bundle reflecting new self-hosted deploy logic and dependency updates. |
| dist/index.js | Regenerated bundle reflecting the new util helper. |
| dist/post/index.js | Regenerated bundle reflecting the new util helper. |
| action.yml | Adds deploy-on-self-hosted-vm input definition and description. |
```ts
if (shouldDeployAgentOnSelfHosted(confg.deploy_on_self_hosted_vm, isDocker(), isAgentInstalled(process.platform))) {
  if (process.platform !== "linux") {
    core.info("deploy-on-self-hosted-vm is only supported on Linux. Skipping agent deployment.");
  } else {
    core.info("deploy-on-self-hosted-vm is enabled. Installing agent on self-hosted runner.");
    await installAgentForSelfHosted(context.repo.owner, confg);
  }
} else {
  if (confg.deploy_on_self_hosted_vm && isDocker()) {
    core.info("Skipping agent deployment: running inside a container.");
  }
  if (confg.deploy_on_self_hosted_vm && isAgentInstalled(process.platform)) {
    core.info("Agent already installed on self-hosted runner, skipping installation.");
  }
}
```
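Review bot: The platform check sits after the shouldDeployAgentOnSelfHosted(...) call, so isDocker() and isAgentInstalled(process.platform) are probed even on non-Linux runners where the install is skipped regardless; consider testing process.platform !== "linux" first (or passing the platform into the helper) so the probes only run where deployment is actually possible. In the else branch the two ifs are independent, so a containerised runner that also has the agent installed logs two skip messages for the same decision; an else-if (or a single reason string returned by the helper) would keep the log to one line per outcome.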
In this self-hosted runner branch, isDocker() and isAgentInstalled(process.platform) are evaluated multiple times. This duplicates work and can lead to inconsistent logging if the installation status changes between calls. Consider computing const inContainer = isDocker() and const alreadyInstalled = isAgentInstalled(process.platform) once and reusing them for both the shouldDeployAgentOnSelfHosted(...) call and the subsequent log conditions.
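The single-evaluation refactor suggested above, written out as an added example that is not harden-runner's own code: the decision takes the probes as injectable functions (so tests need no fs mocking), calls each at most once, and returns the outcome together with the one message to log. The names RunnerProbes, DeployDecision and decideSelfHostedDeployment are assumptions for illustration; the messages are the ones from the snippet.

```typescript
// Added example, not the project's code. The probe functions stand in for
// the page's isDocker() and isAgentInstalled(); the helper name is assumed.
interface RunnerProbes {
  platform: string;                              // e.g. process.platform
  isDocker: () => boolean;                       // container detection probe
  isAgentInstalled: (platform: string) => boolean; // agent.status presence probe
}

interface DeployDecision {
  deploy: boolean;
  reason: string; // the exact line to log for this outcome
}

// Evaluates the checks in order, probing the runner at most once per check,
// so the decision and the log line can never disagree with each other.
// Unlike the page's snippet, the platform check comes first: the probes are
// not run at all on platforms where deployment is unsupported anyway.
function decideSelfHostedDeployment(enabled: boolean, p: RunnerProbes): DeployDecision {
  if (!enabled) {
    return { deploy: false, reason: "deploy-on-self-hosted-vm is not enabled." };
  }
  if (p.platform !== "linux") {
    return { deploy: false, reason: "deploy-on-self-hosted-vm is only supported on Linux. Skipping agent deployment." };
  }
  if (p.isDocker()) {
    return { deploy: false, reason: "Skipping agent deployment: running inside a container." };
  }
  if (p.isAgentInstalled(p.platform)) {
    return { deploy: false, reason: "Agent already installed on self-hosted runner, skipping installation." };
  }
  return { deploy: true, reason: "deploy-on-self-hosted-vm is enabled. Installing agent on self-hosted runner." };
}

// Counting probes (constructed for illustration) make the "evaluated once"
// property observable in a test without touching the real filesystem.
function countingProbes(platform: string, inContainer: boolean, installed: boolean) {
  const calls = { docker: 0, installed: 0 };
  const probes: RunnerProbes = {
    platform,
    isDocker: () => { calls.docker++; return inContainer; },
    isAgentInstalled: () => { calls.installed++; return installed; },
  };
  return { probes, calls };
}
```

At the call site the caller logs decision.reason once and runs the install only when decision.deploy is true.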
```ts
import { shouldDeployAgentOnSelfHosted, isAgentInstalled, isPlatformSupported, getAnnotationLogs } from "./utils";
import * as fs from "fs";

jest.mock("fs", () => ({
  ...jest.requireActual("fs"),
```
This test file is named setup.test.ts but it primarily exercises utilities from src/utils.ts (e.g., shouldDeployAgentOnSelfHosted, isAgentInstalled, isPlatformSupported, getAnnotationLogs). Renaming it to something like utils.test.ts (or splitting by module) would make the test intent clearer and help future maintainers find coverage for setup.ts vs utils.ts.
… test file Compute isDocker() and isAgentInstalled() once and reuse for both the deploy check and logging. Rename setup.test.ts to utils.test.ts to match the module it tests.
The agent needs an api_key to authenticate with the API for uploading process and file events. Generate a random UUID as api_key matching the approach used in the self-hosted branch.
When the agent is installed via deploy-on-self-hosted-vm, the config already contains egress_policy and allowed_endpoints. Skip the sendAllowedEndpoints echo to avoid a second applyEgressPolicy that may interfere with the config-based block policy.