Skip to content

Commit

Permalink
[UPDATE] Pin actions to vx.y.z format (#1469)
Browse files Browse the repository at this point in the history
  • Loading branch information
Devils-Knight authored Nov 19, 2022
1 parent cc5afdc commit b994863
Show file tree
Hide file tree
Showing 7 changed files with 177 additions and 14 deletions.
35 changes: 35 additions & 0 deletions remediation/workflow/pin/pinactions.go
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,11 @@ func pinAction(action, jobName, inputYaml string) (string, bool) {
return inputYaml, updated
}

tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
if err != nil {
return inputYaml, updated
}

pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
updated = !strings.EqualFold(action, pinnedAction)
inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
Expand Down Expand Up @@ -100,3 +105,33 @@ func isAllHex(s string) bool {
}
return true
}

func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitSHA string) (string, error) {
tags, _, err := client.Git.ListMatchingRefs(context.Background(), owner, repo, &github.ReferenceListOptions{
Ref: fmt.Sprintf("tags/%s.", tagOrBranch),
ListOptions: github.ListOptions{
PerPage: 100,
},
})
if err != nil {
return "", err
}

for i := len(tags) - 1; i >= 0; i-- {
tag := strings.TrimPrefix(*tags[i].Ref, "refs/tags/")
if *tags[i].Object.Type == "commit" {
if commitSHA == *tags[i].Object.SHA {
return tag, nil
}
} else {
commitsha, _, err := client.Repositories.GetCommitSHA1(context.Background(), owner, repo, tag, "")
if err != nil {
return "", err
}
if commitSHA == commitsha {
return tag, nil
}
}
}
return tagOrBranch, nil
}
128 changes: 128 additions & 0 deletions remediation/workflow/pin/pinactions_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,30 +19,158 @@ func TestPinActions(t *testing.T) {
httpmock.RegisterResponder("GET", "https://api.github.com/repos/peter-evans/close-issue/commits/v1",
httpmock.NewStringResponder(200, `a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/peter-evans/close-issue/git/matching-refs/tags/v1.",
httpmock.NewStringResponder(200,
`[
{
"ref": "refs/tags/v1.0.3",
"object": {
"sha": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe",
"type": "commit"
}
}
]`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/master",
httpmock.NewStringResponder(200, `61b9e3751b92087fd0b06925ba6dd6314e06f089`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/git/matching-refs/tags/master.",
httpmock.NewStringResponder(200, `[]`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/elgohr/Publish-Docker-Github-Action/commits/master",
httpmock.NewStringResponder(200, `8217e91c0369a5342a4ef2d612de87492410a666`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/elgohr/Publish-Docker-Github-Action/git/matching-refs/tags/master.",
httpmock.NewStringResponder(200, `[]`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/borales/actions-yarn/commits/v2.3.0",
httpmock.NewStringResponder(200, `4965e1a0f0ae9c422a9a5748ebd1fb5e097d22b9`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/borales/actions-yarn/git/matching-refs/tags/v2.3.0.",
httpmock.NewStringResponder(200, `[]`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/v1",
httpmock.NewStringResponder(200, `544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/git/matching-refs/tags/v1.",
httpmock.NewStringResponder(200,
`[
{
"ref": "refs/tags/v1.0.0",
"node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4wLjA=",
"url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.0.0",
"object": {
"sha": "af513c7a016048ae468971c52ed77d9562c7c819",
"type": "commit",
"url": "https://api.github.com/repos/actions/checkout/git/commits/af513c7a016048ae468971c52ed77d9562c7c819"
}
},
{
"ref": "refs/tags/v1.1.0",
"node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4xLjA=",
"url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.1.0",
"object": {
"sha": "ec3afacf7f605c9fc12c70bc1c9e1708ddb99eca",
"type": "tag",
"url": "https://api.github.com/repos/actions/checkout/git/tags/ec3afacf7f605c9fc12c70bc1c9e1708ddb99eca"
}
},
{
"ref": "refs/tags/v1.2.0",
"node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4yLjA=",
"url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.2.0",
"object": {
"sha": "a2ca40438991a1ab62db1b7cad0fd4e36a2ac254",
"type": "tag",
"url": "https://api.github.com/repos/actions/checkout/git/tags/a2ca40438991a1ab62db1b7cad0fd4e36a2ac254"
}
}
]`),
)

httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/v1.2.0",
httpmock.NewStringResponder(200, `544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/setup-node/commits/v1",
httpmock.NewStringResponder(200, `f1f314fca9dfce2769ece7d933488f076716723e`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/setup-node/git/matching-refs/tags/v1.",
httpmock.NewStringResponder(200,
`[
{
"ref": "refs/tags/v1.4.6",
"object": {
"sha": "f1f314fca9dfce2769ece7d933488f076716723e",
"type": "commit"
}
}
]`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/JS-DevTools/npm-publish/commits/v1",
httpmock.NewStringResponder(200, `0f451a94170d1699fd50710966d48fb26194d939`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/JS-DevTools/npm-publish/git/matching-refs/tags/v1.",
httpmock.NewStringResponder(200,
`[
{
"ref": "refs/tags/v1.4.3",
"object": {
"sha": "0f451a94170d1699fd50710966d48fb26194d939",
"type": "commit"
}
}
]`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/brandedoutcast/publish-nuget/commits/v2",
httpmock.NewStringResponder(200, `c12b8546b67672ee38ac87bea491ac94a587f7cc`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/brandedoutcast/publish-nuget/git/matching-refs/tags/v2.",
httpmock.NewStringResponder(200,
`[
{
"ref": "refs/tags/v2.5.3",
"node_id": "MDM6UmVmMjI4MTk2ODk5OnJlZnMvdGFncy92Mi41LjM=",
"url": "https://api.github.com/repos/brandedoutcast/publish-nuget/git/refs/tags/v2.5.3",
"object": {
"sha": "4637c3bdd3fb4c052235299664c57b14c398cbd0",
"type": "commit",
"url": "https://api.github.com/repos/brandedoutcast/publish-nuget/git/commits/4637c3bdd3fb4c052235299664c57b14c398cbd0"
}
},
{
"ref": "refs/tags/v2.5.4",
"node_id": "MDM6UmVmMjI4MTk2ODk5OnJlZnMvdGFncy92Mi41LjQ=",
"url": "https://api.github.com/repos/brandedoutcast/publish-nuget/git/refs/tags/v2.5.4",
"object": {
"sha": "108c10b32aa03efa5f71af6a233dc2e8e32845cb",
"type": "commit",
"url": "https://api.github.com/repos/brandedoutcast/publish-nuget/git/commits/108c10b32aa03efa5f71af6a233dc2e8e32845cb"
}
},
{
"ref": "refs/tags/v2.5.5",
"object": {
"sha": "c12b8546b67672ee38ac87bea491ac94a587f7cc",
"type": "commit"
}
}
]`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/rohith/publish-nuget/commits/v2",
httpmock.NewStringResponder(200, `c12b8546b67672ee38ac87bea491ac94a587f7cc`))

httpmock.RegisterResponder("GET", "https://api.github.com/repos/rohith/publish-nuget/git/matching-refs/tags/v2.",
httpmock.NewStringResponder(200,
`[
{
"ref": "refs/tags/v2.5.5",
"object": {
"sha": "c12b8546b67672ee38ac87bea491ac94a587f7cc",
"type": "commit"
}
}
]`))

tests := []struct {
fileName string
wantUpdated bool
Expand Down
2 changes: 1 addition & 1 deletion testfiles/pinactions/output/basic.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:

steps:
- name: Close Issue
uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1
uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
with:
issue-number: 1
comment: Auto-closing issue
2 changes: 1 addition & 1 deletion testfiles/pinactions/output/dockeraction.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
- name: Integration test
uses: docker://ghcr.io/step-security/integration-test/int:latest
env:
Expand Down
10 changes: 5 additions & 5 deletions testfiles/pinactions/output/localaction.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
- uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
with:
node-version: 12.x
- uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1
- uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
- run: npm ci
- run: npm run build
- run: npm run format-check
Expand All @@ -32,7 +32,7 @@ jobs:
steps:
# Clone this repo
- name: Checkout
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0

# Basic checkout
- name: Checkout basic
Expand Down Expand Up @@ -150,7 +150,7 @@ jobs:
steps:
# Clone this repo
- name: Checkout
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0

# Basic checkout using git
- name: Checkout basic
Expand Down Expand Up @@ -182,7 +182,7 @@ jobs:
steps:
# Clone this repo
- name: Checkout
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1
uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0

# Basic checkout using git
- name: Checkout basic
Expand Down
6 changes: 3 additions & 3 deletions testfiles/pinactions/output/multipleactions.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,13 @@ jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1
- uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
- uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
- uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
with:
node-version: 10
- run: npm install
- run: npm test
- uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1
- uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1.4.3
with:
token: ${{ secrets.GITHUB_TOKEN }}
registry: https://npm.pkg.github.com
8 changes: 4 additions & 4 deletions testfiles/pinactions/output/multiplejobs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ jobs:
name: build, pack & publish
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1
- uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0

# - name: Setup dotnet
# uses: actions/setup-dotnet@v1
Expand All @@ -18,7 +18,7 @@ jobs:
# Publish
- name: publish on version change
id: publish_nuget
uses: brandedoutcast/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc # v2
uses: brandedoutcast/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc # v2.5.5
with:
PROJECT_FILE_PATH: Core/Core.csproj
NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -27,7 +27,7 @@ jobs:
name: build, pack & publish
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1
- uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0

# - name: Setup dotnet
# uses: actions/setup-dotnet@v1
Expand All @@ -37,7 +37,7 @@ jobs:
# Publish
- name: publish on version change
id: publish_nuget
uses: rohith/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc # v2
uses: rohith/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc # v2.5.5
with:
PROJECT_FILE_PATH: Core/Core.csproj
NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
Expand Down

0 comments on commit b994863

Please sign in to comment.