added git directory exclusion logic

src/audit_summary.js

@@ -79,12 +79,15 @@ async function getBuildEnvironmentTamperingActions() {
 }
 
 async function checkForBuildTampering() {
+  const workingDir = process.env.GITHUB_WORKSPACE
+  const gitDir = path.join(workingDir, '.git')
+  const absPathGitDir = path.resolve(gitDir)
   const audit = await generateTestResults('audit.json')
 
   const processChangingSourceFiles = audit.filter(
     a =>
       a.tags?.includes('bolt_monitored_wd_changes') &&
-      a.summary?.action === 'opened-file'
+      (a.summary?.action === 'opened-file' || a.summary?.action === 'renamed')
   )
 
   const filePIDMap = {}
@@ -94,9 +97,6 @@ async function checkForBuildTampering() {
     const cwd = log.process?.cwd
     const filePath = log.file?.path
 
-    console.log(filePath)
-    console.log(log)
-
     if (!filePath || !cwd || !pid) {
       continue
     }
@@ -106,6 +106,12 @@ async function checkForBuildTampering() {
       ? filePath
       : path.join(cwd, filePath)
 
+    const absPath = path.resolve(fullFilePath)
+
+    if (absPath.startsWith(absPathGitDir)) {
+      continue
+    }
+
     if (pid && fullFilePath) {
       if (!filePIDMap[fullFilePath]) {
         filePIDMap[fullFilePath] = []

src/scripts/audit.sh

@@ -22,8 +22,6 @@ mv audit.rules /etc/audit/rules.d/
 # Restart auditd service to apply the new rules
 service auditd restart
 
-auditctl -a never,exit -F "dir=$workingDir/.git"
-
 auditctl -w "$workingDir" -p wa -k bolt_monitored_wd_changes
 
-# auditctl -e 2
+auditctl -e 2

src/version.js

@@ -1,4 +1,4 @@
-const releaseVersion = 'v1.7.0-rc.13'
+const releaseVersion = 'v1.7.0-rc.14'
 
 module.exports = {
   releaseVersion