diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
index 035d3c83..b7a93dfe 100644
--- a/remediation/workflow/pin/pinactions.go
+++ b/remediation/workflow/pin/pinactions.go
@@ -68,7 +68,7 @@ func pinAction(action, jobName, inputYaml string) (string, bool) {
 return inputYaml, updated
 }
- pinnedAction := fmt.Sprintf("%s@%s", leftOfAt[0], commitSHA)
+ pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
 updated = !strings.EqualFold(action, pinnedAction)
 inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
 return inputYaml, updated
diff --git a/testfiles/pinactions/output/basic.yml b/testfiles/pinactions/output/basic.yml
index 92410b76..16af4640 100644
--- a/testfiles/pinactions/output/basic.yml
+++ b/testfiles/pinactions/output/basic.yml
@@ -10,7 +10,7 @@ jobs:
 steps:
 - name: Close Issue
- uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe
+ uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1
 with:
 issue-number: 1
 comment: Auto-closing issue
\ No newline at end of file
diff --git a/testfiles/pinactions/output/branch.yml b/testfiles/pinactions/output/branch.yml
index 8f0476c1..713ba32b 100644
--- a/testfiles/pinactions/output/branch.yml
+++ b/testfiles/pinactions/output/branch.yml
@@ -4,9 +4,9 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
+ - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
 - name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@8217e91c0369a5342a4ef2d612de87492410a666
+ uses: elgohr/Publish-Docker-Github-Action@8217e91c0369a5342a4ef2d612de87492410a666 # master
 with:
 name: docker.pkg.github.com/elgohr/publish-docker-github-action/publish-docker-github-action
 username: ${{ github.actor }}
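Review bot: Now that the ` # tag` comment is part of pinnedAction, the `strings.EqualFold(action, pinnedAction)` check on the next line can no longer match, because `action` is the bare `owner/repo@ref` read from the workflow, so `updated` is true every time this point is reached, even when the SHA was already pinned, unless an earlier branch of pinAction (outside the hunk) already filters that case. The trailing comment also turns the prefix weakness of `strings.ReplaceAll(inputYaml, action, pinnedAction)` from loud into silent: `owner/repo@v1` is a substring of `owner/repo@v1.2.0`, and the leftover `.2.0` now ends up inside the YAML comment instead of producing an invalid ref, so a step would be pinned to the wrong commit without any failure to notice. I would build the bare pin first and compare against that, `pinnedRef := fmt.Sprintf("%s@%s", leftOfAt[0], commitSHA)` and `updated = !strings.EqualFold(action, pinnedRef)`, append ` # tagOrBranch` only when forming the replacement text, and as a follow-up restrict the replacement to occurrences followed by whitespace, a quote or end of line so a shorter ref cannot rewrite a longer one. pinAction begins before the hunk, and tagOrBranch is defined there, so the path that reaches this line is only partly visible here.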
@@ -15,8 +15,8 @@ jobs: build1: runs-on: ubuntu-latest steps: - - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 - - uses: borales/actions-yarn@4965e1a0f0ae9c422a9a5748ebd1fb5e097d22b9 + - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master + - uses: borales/actions-yarn@4965e1a0f0ae9c422a9a5748ebd1fb5e097d22b9 # v2.3.0 with: auth-token: ${{ secrets.GITHUB_TOKEN }} registry-url: npm.pkg.github.com \ No newline at end of file diff --git a/testfiles/pinactions/output/dockeraction.yml b/testfiles/pinactions/output/dockeraction.yml index 9169bae0..462079bf 100644 --- a/testfiles/pinactions/output/dockeraction.yml +++ b/testfiles/pinactions/output/dockeraction.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 + uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 - name: Integration test uses: docker://ghcr.io/step-security/integration-test/int:latest env: diff --git a/testfiles/pinactions/output/localaction.yml b/testfiles/pinactions/output/localaction.yml index 3cd1ac60..7595f306 100644 --- a/testfiles/pinactions/output/localaction.yml +++ b/testfiles/pinactions/output/localaction.yml @@ -11,10 +11,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e + - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1 with: node-version: 12.x - - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 + - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 - run: npm ci - run: npm run build - run: npm run format-check @@ -32,7 +32,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 + uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 # Basic checkout - name: Checkout basic 
@@ -150,7 +150,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 + uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 # Basic checkout using git - name: Checkout basic @@ -182,7 +182,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 + uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 # Basic checkout using git - name: Checkout basic diff --git a/testfiles/pinactions/output/multipleactions.yml b/testfiles/pinactions/output/multipleactions.yml index dd50cf4c..dbec7a55 100644 --- a/testfiles/pinactions/output/multipleactions.yml +++ b/testfiles/pinactions/output/multipleactions.yml @@ -4,13 +4,13 @@ jobs: publish: runs-on: ubuntu-latest steps: - - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 - - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e + - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 + - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1 with: node-version: 10 - run: npm install - run: npm test - - uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 + - uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1 with: token: ${{ secrets.GITHUB_TOKEN }} registry: https://npm.pkg.github.com \ No newline at end of file diff --git a/testfiles/pinactions/output/multiplejobs.yml b/testfiles/pinactions/output/multiplejobs.yml index d1b0ec13..d27fe09b 100644 --- a/testfiles/pinactions/output/multiplejobs.yml +++ b/testfiles/pinactions/output/multiplejobs.yml @@ -8,7 +8,7 @@ jobs: name: build, pack & publish runs-on: ubuntu-latest steps: - - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 + - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 # - name: Setup dotnet # uses: actions/setup-dotnet@v1 
@@ -18,7 +18,7 @@ jobs: # Publish - name: publish on version change id: publish_nuget - uses: brandedoutcast/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc + uses: brandedoutcast/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc # v2 with: PROJECT_FILE_PATH: Core/Core.csproj NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} @@ -27,7 +27,7 @@ jobs: name: build, pack & publish runs-on: ubuntu-latest steps: - - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 + - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 # - name: Setup dotnet # uses: actions/setup-dotnet@v1 @@ -37,7 +37,7 @@ jobs: # Publish - name: publish on version change id: publish_nuget - uses: rohith/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc + uses: rohith/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc # v2 with: PROJECT_FILE_PATH: Core/Core.csproj NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} diff --git a/testfiles/secureworkflow/output/allscenarios.yml b/testfiles/secureworkflow/output/allscenarios.yml index 3486a2bb..fc34b570 100644 --- a/testfiles/secureworkflow/output/allscenarios.yml +++ b/testfiles/secureworkflow/output/allscenarios.yml @@ -15,12 +15,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87 + uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 - - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 + - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 + - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DISABLE_ERRORS: true \ No newline at end of file 
diff --git a/testfiles/secureworkflow/output/missingaction.yml b/testfiles/secureworkflow/output/missingaction.yml index 3a966a1e..5c2c015c 100644 --- a/testfiles/secureworkflow/output/missingaction.yml +++ b/testfiles/secureworkflow/output/missingaction.yml @@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87 + uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - uses: actions/missingaction@v2 - - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 + - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DISABLE_ERRORS: true \ No newline at end of file diff --git a/testfiles/secureworkflow/output/nohardenrunner.yml b/testfiles/secureworkflow/output/nohardenrunner.yml index 45136564..09601d0e 100644 --- a/testfiles/secureworkflow/output/nohardenrunner.yml +++ b/testfiles/secureworkflow/output/nohardenrunner.yml @@ -14,8 +14,8 @@ jobs: statuses: write # for github/super-linter to mark status of each linter run runs-on: ubuntu-latest steps: - - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 - - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 + - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 + - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DISABLE_ERRORS: true \ No newline at end of file diff --git a/testfiles/secureworkflow/output/noperms.yml b/testfiles/secureworkflow/output/noperms.yml index edc1ea24..308d5b85 100644 --- a/testfiles/secureworkflow/output/noperms.yml +++ b/testfiles/secureworkflow/output/noperms.yml 
@@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87 + uses: step-security/harden-runner@7206db2ec98c5538323a6d70e51f965d55c11c87 # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 - - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 + - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 + - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DISABLE_ERRORS: true \ No newline at end of file