diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
index b35d6e15a..fcc30c3a9 100644
--- a/remediation/workflow/pin/pinactions.go
+++ b/remediation/workflow/pin/pinactions.go
@@ -4,7 +4,6 @@ import (
 "context"
 "fmt"
 "os"
- "path/filepath"
 "regexp"
 "strings"
 
@@ -229,8 +228,15 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS
 // Function to check if an action matches any pattern in the list
 func ActionExists(actionName string, patterns []string) bool {
 for _, pattern := range patterns {
- // Use filepath.Match to match the pattern
- matched, err := filepath.Match(pattern, actionName)
+ // Convert glob pattern to regex for path matching
+ // Replace * with [^/]* to match within a path segment
+ // Replace **/ with .* to match across path segments
+ regexPattern := strings.ReplaceAll(pattern, "**", "§§")
+ regexPattern = strings.ReplaceAll(regexPattern, "*", "[^/]*")
+ regexPattern = strings.ReplaceAll(regexPattern, "§§", ".*")
+ regexPattern = "^" + regexPattern + "($|/)"
+
+ matched, err := regexp.MatchString(regexPattern, actionName)
 if err != nil {
 // Handle invalid patterns
 fmt.Printf("Error matching pattern: %v\n", err)
diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go
index 37a842cbe..98c2c0976 100644
--- a/remediation/workflow/pin/pinactions_test.go
+++ b/remediation/workflow/pin/pinactions_test.go
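Review bot: The exemption pattern reaches regexp.MatchString unescaped, so every regex metacharacter in it is interpreted instead of matched literally: the `.` in a name such as `owner/my.action` becomes a one-character wildcard, and `(`, `|`, `?` or `+` in a pattern either trip the error branch or widen the match. Because a match here exempts the action from SHA pinning, an over-broad pattern silently leaves more `uses:` entries unpinned than the operator wrote down. Quote the pattern before expanding the wildcards, replacing the first two ReplaceAll lines with `regexPattern := regexp.QuoteMeta(pattern)`, `regexPattern = strings.ReplaceAll(regexPattern, "\\*\\*", "§§")` and `regexPattern = strings.ReplaceAll(regexPattern, "\\*", "[^/]*")`, so that only `*` and `**` keep their glob meaning. The comment `Replace **/ with .*` also disagrees with the code, which replaces a bare `**`; I would reword it to `Replace ** with .* to match across path segments`. The loop body continues past the `fmt.Printf` outside the hunk, so whether an invalid pattern is skipped or falls through to the match check is not visible here.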
@@ -293,7 +293,7 @@ func TestPinActions(t *testing.T) {
 {fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true},
 {fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true},
 {fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true},
- {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}, pinToImmutable: true},
+ {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*", "aman-*/*", "*/seperate*"}, pinToImmutable: true},
 {fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false},
 {fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false},
 }
@@ -345,3 +345,36 @@ func Test_isAbsolute(t *testing.T) {
 })
 }
 }
+
+func TestActionExists(t *testing.T) {
+ result := ActionExists("actions/checkout", []string{"actions/checkout"})
+ t.Log(result)
+ if !result {
+ t.Errorf("ActionExists returned false for actions/checkout")
+ }
+
+ result = ActionExists("actions/checkout", []string{"actions/*"})
+ t.Log(result)
+ if !result {
+ t.Errorf("ActionExists returned false for actions/checkout")
+ }
+
+ result = ActionExists("actions/checkout/something", []string{"actions/*"})
+ t.Log(result)
+ if !result {
+ t.Errorf("ActionExists returned true for actions/checkout/something")
+ }
+
+ result = ActionExists("step-security/checkout/something", []string{"step-*/*"})
+ t.Log(result)
+ if !result {
+ t.Errorf("ActionExists returned true for actions/checkout/something")
+ }
+
+ result = ActionExists("step-security/checkout-release/something", []string{"*/checkout-*"})
+ t.Log(result)
+ if !result {
+ t.Errorf("ActionExists returned true for actions/checkout/something")
+ }
+
+}
diff --git a/testfiles/pinactions/input/exemptaction.yml b/testfiles/pinactions/input/exemptaction.yml
index 3a80dc799..dd23d2093 100644
--- a/testfiles/pinactions/input/exemptaction.yml
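Review bot: Every case in TestActionExists asserts a match, so the test cannot distinguish the `^` anchor and the `[^/]*` segment restriction from a conversion that matches everything; it needs at least one negative case, e.g. `if ActionExists("evil-actions/checkout", []string{"actions/*"}) { t.Errorf("actions/* must not match evil-actions/checkout") }`, and one that pins literal handling of `.`, such as pattern `actions/checkout.v2` against the name `actions/checkoutXv2`, which the current unescaped conversion appears to report as a match. The failure messages of the third, fourth and fifth cases were copied from the earlier ones and describe the opposite outcome (`returned true`) and the wrong action name, so a failure would misreport which case broke; each message should name the actual input and say `returned false`. The `t.Log(result)` calls add nothing once the messages are accurate and can be dropped, or the whole function turned into a table-driven loop with a `want bool` column so positive and negative cases read the same way.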
+++ b/testfiles/pinactions/input/exemptaction.yml
@@ -38,6 +38,30 @@ jobs:
 - name: publish on version change
 id: publish_nuget
 uses: rohith/publish-nuget@v2
+ with:
+ PROJECT_FILE_PATH: Core/Core.csproj
+ NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+ NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+ - name: publish on version change 2
+ id: publish_nuget
+ uses: praveen/publish-nuget/to-version@v2
+ with:
+ PROJECT_FILE_PATH: Core/Core.csproj
+ NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+ NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+ - name: publish on version change 3
+ id: publish_nuget
+ uses: aman-action/move/to-main@v2
+ with:
+ PROJECT_FILE_PATH: Core/Core.csproj
+ NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+ NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+ - name: publish on version change 2
+ id: publish_nuget
+ uses: smith/seperate/from-version@v2
 with:
 PROJECT_FILE_PATH: Core/Core.csproj
 NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
diff --git a/testfiles/pinactions/output/exemptaction.yml b/testfiles/pinactions/output/exemptaction.yml
index 4c986d6fd..dba5fa6ef 100644
--- a/testfiles/pinactions/output/exemptaction.yml
+++ b/testfiles/pinactions/output/exemptaction.yml
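Review bot: The three added steps reuse the step id `publish_nuget` already taken by the existing step, and two of them also share the name `publish on version change 2`; to my knowledge GitHub's workflow validation rejects a step id used more than once in a job, so the fixture would not load as a real workflow. The duplicates do not affect what the pinning test checks, but distinct ids such as `publish_nuget_2`, `publish_nuget_3` and `publish_nuget_4` keep the fixture usable as a reference workflow and avoid confusion when a future assertion looks a step up by id. The same four steps appear in testfiles/pinactions/output/exemptaction.yml and should be changed in step.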
@@ -38,6 +38,30 @@ jobs:
 - name: publish on version change
 id: publish_nuget
 uses: rohith/publish-nuget@v2
+ with:
+ PROJECT_FILE_PATH: Core/Core.csproj
+ NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+ NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+ - name: publish on version change 2
+ id: publish_nuget
+ uses: praveen/publish-nuget/to-version@v2
+ with:
+ PROJECT_FILE_PATH: Core/Core.csproj
+ NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+ NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+ - name: publish on version change 3
+ id: publish_nuget
+ uses: aman-action/move/to-main@v2
+ with:
+ PROJECT_FILE_PATH: Core/Core.csproj
+ NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+ NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+ - name: publish on version change 2
+ id: publish_nuget
+ uses: smith/seperate/from-version@v2
 with:
 PROJECT_FILE_PATH: Core/Core.csproj
 NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}