fixed file tampering

.gitignore

@@ -106,4 +106,4 @@ bin/
 
 src/generated/
 
-audit.json
+audit*.json

src/audit_summary.js

@@ -1,4 +1,5 @@
 const core = require('@actions/core')
+const path = require('path')
 
 const { generateTestResults, getUniqueBy } = require('./summary_utils')
 
@@ -77,6 +78,45 @@ async function getBuildEnvironmentTamperingActions() {
   )
 }
 
+async function checkForBuildTampering() {
+  const boltPID = core.getState('boltPID')
+  const githubRunnerPID = core.getState('githubRunnerPID')
+  const audit = await generateTestResults('audit.json')
+
+  const processChangingSourceFiles = audit.filter(a =>
+    a.tags?.includes('bolt_monitored_wd_changes')
+  )
+
+  const filePIDMap = {}
+  const tamperedFiles = []
+
+  for (const log of processChangingSourceFiles) {
+    const pid = log.process?.pid
+    const cwd = log.process.cwd
+    const filePath = log.file.path
+
+    // Check if the file path is already absolute
+    const fullFilePath = path.isAbsolute(filePath)
+      ? filePath
+      : path.join(cwd, filePath)
+
+    if (pid && fullFilePath) {
+      if (!filePIDMap[fullFilePath]) {
+        filePIDMap[fullFilePath] = []
+      }
+      filePIDMap[fullFilePath].push(pid)
+    }
+
+    for (const [file, pids] of Object.entries(filePIDMap)) {
+      if (pids.length > 1) {
+        tamperedFiles.push(file)
+      }
+    }
+  }
+
+  return tamperedFiles
+}
+
 async function getSudoCallingActions() {
   const boltPID = core.getState('boltPID')
   const githubRunnerPID = core.getState('githubRunnerPID')
@@ -191,5 +231,6 @@ async function getAuditSummary() {
 }
 
 module.exports = {
-  getAuditSummary
+  getAuditSummary,
+  checkForBuildTampering
 }

src/summary.js

@@ -1,7 +1,7 @@
 const core = require('@actions/core')
 const { DefaultArtifactClient } = require('@actions/artifact')
 const { exec } = require('@actions/exec')
-const { getAuditSummary } = require('./audit_summary')
+const { getAuditSummary, checkForBuildTampering } = require('./audit_summary')
 const fs = require('fs')
 const YAML = require('yaml')
 const {
@@ -249,6 +249,13 @@ async function generateSummary() {
 
   const auditSummary = await getAuditSummary()
 
+  const tamperedFiles = await checkForBuildTampering()
+
+  const tamperedFilesData = [
+    [{ data: 'Tampered Files', header: true }],
+    ...tamperedFiles.map(file => [file])
+  ]
+
   const auditSummaryRaw = auditSummary.zeroState
     ? auditSummary.zeroState
     : getRawCollapsible(auditSummary)
@@ -321,6 +328,15 @@ ${configTableString}
     }
   }
 
+  if (tamperedFiles.length > 0) {
+    summary = summary.addHeading('🚨 File tampering detected', 3).addRaw(`
+  > [!CAUTION]
+  > Source files were edited after being fetched from the repository. This may be a security risk. Investigate further.
+        `)
+
+    summary = summary.addTable(tamperedFilesData)
+  }
+
   summary = summary.addRaw(auditSummaryRaw)
 
   summary = summary.addHeading('Egress Traffic', 3)
@@ -347,7 +363,7 @@ ${unknownDestinationsTableString}
     )
     .addRaw(
       `
-<details>
+<details open>
   <summary>
 ${knownDestinationsHeaderString}
   </summary>

src/version.js

@@ -1,4 +1,4 @@
-const releaseVersion = 'v1.7.0-rc.3'
+const releaseVersion = 'v1.7.0-rc.4'
 
 module.exports = {
   releaseVersion