step-security · varunsh-coder · Dec 5, 2022 · Nov 30, 2022
diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
@@ -6,6 +6,7 @@ import (
 
 	metadata "github.com/step-security/secure-workflows/remediation/workflow/metadata"
 	"github.com/step-security/secure-workflows/remediation/workflow/permissions"
+	"github.com/step-security/secure-workflows/remediation/workflow/pin"
 	"gopkg.in/yaml.v3"
 )
 
@@ -14,7 +15,7 @@ const (
 	HardenRunnerActionName = "Harden Runner"
 )
 
-func AddAction(inputYaml, action string) (string, bool, error) {
+func AddAction(inputYaml, action string, pinActions bool) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
@@ -45,6 +46,10 @@ func AddAction(inputYaml, action string) (string, bool, error) {
 		}
 	}
 
+	if updated && pinActions {
+		out, _ = pin.PinAction(action, out)
+	}
+
 	return out, updated, nil
 }
 

diff --git a/remediation/workflow/hardenrunner/addaction_test.go b/remediation/workflow/hardenrunner/addaction_test.go
@@ -32,7 +32,7 @@ func TestAddAction(t *testing.T) {
 			if err != nil {
 				t.Fatalf("error reading test file")
 			}
-			got, gotUpdated, err := AddAction(string(input), tt.args.action)
+			got, gotUpdated, err := AddAction(string(input), tt.args.action, false)
 
 			if gotUpdated != tt.wantUpdated {
 				t.Errorf("AddAction() updated = %v, wantUpdated %v", gotUpdated, tt.wantUpdated)

diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -22,12 +22,12 @@ func PinActions(inputYaml string) (string, bool, error) {
 
 	out := inputYaml
 
-	for jobName, job := range workflow.Jobs {
+	for _, job := range workflow.Jobs {
 
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated = pinAction(step.Uses, jobName, out)
+				out, localUpdated = PinAction(step.Uses, out)
 				updated = updated || localUpdated
 			}
 		}
@@ -36,7 +36,7 @@ func PinActions(inputYaml string) (string, bool, error) {
 	return out, updated, nil
 }
 
-func pinAction(action, jobName, inputYaml string) (string, bool) {
+func PinAction(action, inputYaml string) (string, bool) {
 
 	updated := false
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {

diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
@@ -66,17 +66,17 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		addedPermissions = !secureWorkflowReponse.HasErrors
 	}
 
-	if addHardenRunner {
-		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag)
-	}
-
 	if pinActions {
 		pinnedAction, pinnedDocker := false, false
 		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput)
 		secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
 		pinnedActions = pinnedAction || pinnedDocker
 	}
 
+	if addHardenRunner {
+		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinActions)
+	}
+
 	// Setting appropriate flags
 	secureWorkflowReponse.PinnedActions = pinnedActions
 	secureWorkflowReponse.AddedHardenRunner = addedHardenRunner