From 5caa8e9d2d611adb8e7407d32b5aeb45651b98a4 Mon Sep 17 00:00:00 2001
From: Lorenzo Nicora
Date: Sun, 13 Jul 2025 18:50:43 +0200
Subject: [PATCH] Fix check-arns workflow
---
 .github/workflows/check-arns.yml | 39 ++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/check-arns.yml b/.github/workflows/check-arns.yml
index e858080..0ceeac3 100644
--- a/.github/workflows/check-arns.yml
+++ b/.github/workflows/check-arns.yml
@@ -13,12 +13,41 @@ jobs:
 run: |
 # Find files containing ARN patterns with actual account IDs
 # Exclude .git directory, markdown files, and this workflow file itself
- if grep -r --include="*" --exclude="*.md" --exclude-dir=".git" --exclude=".github/workflows/check-arns.yml" -E 'arn:aws:[^:]+:[^:]+:[0-9]{12}:' .; then
- echo "ERROR: Found unsanitized ARNs in the repository"
+ # Allow test account ID 123456789012 in test resource directories
+
+ exposed_arns_found=false
+
+ # Check all files except excluded ones
+ while IFS= read -r -d '' file; do
+ # Skip if file is in src/test/resources directory
+ if [[ "$file" == *"/src/test/resources/"* ]]; then
+ # In test resources, only flag ARNs that are NOT using the test account ID
+ # First find all ARNs, then filter out the test account ID
+ if grep -E 'arn:aws:[^:]+:[^:]+:[0-9]{12}:' "$file" | grep -v '123456789012' | grep -q .; then
+ echo "ERROR: Found non-test ARN in test resources file: $file"
+ echo "Non-test ARNs found:"
+ grep -n -E 'arn:aws:[^:]+:[^:]+:[0-9]{12}:' "$file" | grep -v '123456789012'
+ exposed_arns_found=true
+ fi
+ else
+ # In non-test files, flag any ARN with any account ID
+ if grep -q -E 'arn:aws:[^:]+:[^:]+:[0-9]{12}:' "$file"; then
+ echo "ERROR: Found unsanitized ARN in file: $file"
+ grep -n -E 'arn:aws:[^:]+:[^:]+:[0-9]{12}:' "$file"
+ exposed_arns_found=true
+ fi
+ fi
+ done < <(find . -type f \
+ -not -path "./.git/*" \
+ -not -name "*.md" \
+ -not -path "./.github/workflows/check-arns.yml" \
+ -print0)
+
+ if [ "$exposed_arns_found" = true ]; then
+ echo ""
 echo "Please replace account IDs with a placeholder such as "
- echo "Files with exposed ARNs:"
- grep -r --include="*" --exclude="*.md" --exclude-dir=".git" --exclude=".github/workflows/check-arns.yml" -l -E 'arn:aws:[^:]+:[^:]+:[0-9]{12}:' .
+ echo "Note: Test account ID 123456789012 is allowed in src/test/resources directories"
 exit 1
 fi
- echo "All files checked - no exposed ARNs found"
\ No newline at end of file
+ echo "All files checked - no exposed ARNs found (test account ID 123456789012 allowed in test resources)"
\ No newline at end of file
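Review bot: The test-resources allow-list in the two `grep -v '123456789012'` pipelines filters whole lines rather than individual ARNs, so a line that holds both a test ARN and a real account's ARN, or a real ARN on a line whose resource name happens to contain that digit string, is silently passed. Extracting the matches first makes the filter per-ARN: `grep -oE "$arn_re" "$file" | grep -v ':123456789012:' | grep -q .` for the check, and `grep -noE "$arn_re" "$file" | grep -v ':123456789012:'` for the reporting line. Since the pattern is now repeated four times, hoisting it into one variable at the top of the step, e.g. `arn_re='arn:aws[a-z-]*:[^:]*:[^:]*:[0-9]{12}:'`, also lets its fields be widened in one place: the current `[^:]+` requires a non-empty region, so region-less ARNs such as IAM role or user ARNs are never flagged, and the fixed `arn:aws:` prefix misses the `aws-cn` and `aws-us-gov` partitions. The `jobs:` mapping this step belongs to begins above the hunk.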