Merge pull request #2506 from step-security/feature/exclude_pin_actions_main

varunsh-coder · web-flow · commit 6fb13bcb0bd3 · 2025-02-04T06:39:18.000-08:00
feature/exclude_pin_actions -&gt; main
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -52,7 +52,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	tagOrBranch := leftOfAt[1]
 
 	// skip pinning for exempted actions
-	if actionExists(leftOfAt[0], exemptedActions) {
+	if ActionExists(leftOfAt[0], exemptedActions) {
 		return inputYaml, updated
 	}
 
@@ -196,7 +196,7 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS
 }
 
 // Function to check if an action matches any pattern in the list
-func actionExists(actionName string, patterns []string) bool {
+func ActionExists(actionName string, patterns []string) bool {
 	for _, pattern := range patterns {
 		// Use filepath.Match to match the pattern
 		matched, err := filepath.Match(pattern, actionName)
diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
@@ -85,6 +85,9 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	}
 
 	if addHardenRunner {
+		if pin.ActionExists(HardenRunnerActionPath, exemptedActions) {
+			pinActions = false
+		}
 		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinActions, pinToImmutable)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl`
`52`	`52`	`tagOrBranch := leftOfAt[1]`
`53`	`53`
`54`	`54`	`// skip pinning for exempted actions`
`55`		`- if actionExists(leftOfAt[0], exemptedActions) {`
	`55`	`+ if ActionExists(leftOfAt[0], exemptedActions) {`
`56`	`56`	`return inputYaml, updated`
`57`	`57`	`}`
`58`	`58`
`@@ -196,7 +196,7 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS`
`196`	`196`	`}`
`197`	`197`
`198`	`198`	`// Function to check if an action matches any pattern in the list`
`199`		`-func actionExists(actionName string, patterns []string) bool {`
	`199`	`+func ActionExists(actionName string, patterns []string) bool {`
`200`	`200`	`for _, pattern := range patterns {`
`201`	`201`	`// Use filepath.Match to match the pattern`
`202`	`202`	`matched, err := filepath.Match(pattern, actionName)`
Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,9 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`if addHardenRunner {`
	`88`	`+ if pin.ActionExists(HardenRunnerActionPath, exemptedActions) {`
	`89`	`+ pinActions = false`
	`90`	`+ }`
`88`	`91`	`secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinActions, pinToImmutable)`
`89`	`92`	`}`
`90`	`93`