From 971e8b25200715e203e8dd43d05c729bea7b83e0 Mon Sep 17 00:00:00 2001 From: Balijepalli Vamshi Krishna Date: Thu, 20 Nov 2025 13:20:30 +0530 Subject: [PATCH 1/5] update wildcard function --- remediation/workflow/pin/pinactions.go | 12 ++++++++--- remediation/workflow/pin/pinactions_test.go | 22 +++++++++++++++++++- testfiles/pinactions/input/exemptaction.yml | 8 +++++++ testfiles/pinactions/output/exemptaction.yml | 8 +++++++ 4 files changed, 46 insertions(+), 4 deletions(-) diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go index a72854936..6f1845fe1 100644 --- a/remediation/workflow/pin/pinactions.go +++ b/remediation/workflow/pin/pinactions.go @@ -5,7 +5,6 @@ import ( "fmt" "log" "os" - "path/filepath" "regexp" "strings" @@ -261,8 +260,15 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS // Function to check if an action matches any pattern in the list func ActionExists(actionName string, patterns []string) bool { for _, pattern := range patterns { - // Use filepath.Match to match the pattern - matched, err := filepath.Match(pattern, actionName) + // Convert glob pattern to regex for path matching + // Replace * with [^/]* to match within a path segment + // Replace **/ with .* to match across path segments + regexPattern := strings.ReplaceAll(pattern, "**", "§§") + regexPattern = strings.ReplaceAll(regexPattern, "*", "[^/]*") + regexPattern = strings.ReplaceAll(regexPattern, "§§", ".*") + regexPattern = "^" + regexPattern + "($|/)" + + matched, err := regexp.MatchString(regexPattern, actionName) if err != nil { // Handle invalid patterns fmt.Printf("Error matching pattern: %v\n", err) diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go index c600cda43..81209a7ea 100644 --- a/remediation/workflow/pin/pinactions_test.go +++ b/remediation/workflow/pin/pinactions_test.go 
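Review bot: The glob-to-regex conversion in `ActionExists` never escapes the pattern, so every regex metacharacter other than `*` keeps its regex meaning: a constructed exemption such as `acme/build.tool` would also match `acme/buildXtool`, and `?` or `[` no longer behave as they did under `filepath.Match`. Because this list decides which actions are left unpinned, a pattern that matches more than intended silently widens the exemption. Escaping with `regexp.QuoteMeta` first and then translating the escaped `\*\*` and `\*` fixes this and removes the need for the `§§` placeholder. The comment should say `**` rather than `**/`, since that is what the code replaces. The function body continues past the end of the hunk, so the error path after `fmt.Printf` is not visible here.

```go
	for _, pattern := range patterns {
		// Escape regex metacharacters first, then translate the escaped wildcards:
		// ** crosses path segments, * stays within one segment.
		quoted := regexp.QuoteMeta(pattern)
		quoted = strings.ReplaceAll(quoted, `\*\*`, ".*")
		quoted = strings.ReplaceAll(quoted, `\*`, "[^/]*")
		regexPattern := "^" + quoted + "($|/)"

		matched, err := regexp.MatchString(regexPattern, actionName)
		// … unchanged: error handling and match result …
```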
@@ -308,7 +308,7 @@ func TestPinActions(t *testing.T) { {fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, {fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, {fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}, pinToImmutable: true}, + {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*"}, pinToImmutable: true}, {fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false}, {fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false}, {fileName: "pinusingmap.yml", wantUpdated: true, pinToImmutable: true}, @@ -374,3 +374,23 @@ func Test_isAbsolute(t *testing.T) { }) } } + +func TestActionExists(t *testing.T) { + result := ActionExists("actions/checkout", []string{"actions/checkout"}) + t.Log(result) + if !result { + t.Errorf("ActionExists returned false for actions/checkout") + } + + result = ActionExists("actions/checkout", []string{"actions/*"}) + t.Log(result) + if !result { + t.Errorf("ActionExists returned false for actions/checkout") + } + + result = ActionExists("actions/checkout/something", []string{"actions/*"}) + t.Log(result) + if !result { + t.Errorf("ActionExists returned true for actions/checkout/something") + } +} diff --git a/testfiles/pinactions/input/exemptaction.yml b/testfiles/pinactions/input/exemptaction.yml index 3a80dc799..d23c4082e 100644 --- a/testfiles/pinactions/input/exemptaction.yml +++ b/testfiles/pinactions/input/exemptaction.yml 
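Review bot: `TestActionExists` only asserts matches, so an implementation that returned true for every input would pass; for a matcher that decides which actions are exempt from pinning, the non-matching cases are the ones worth pinning down. Add at least `if ActionExists("other/checkout", []string{"actions/*"}) { t.Errorf("ActionExists matched other/checkout against actions/*") }`, plus a case asserting that the pattern `actions/checkout` does not match the action `actions/checkout-extra`. The third failure message says `returned true` although the branch fires when the result is false, and the cases added to this test in PATCH 2/5 copy the same message with the wrong action name. A table of `{action, patterns, want}` entries would keep each message in sync with its input.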
@@ -38,6 +38,14 @@ jobs: - name: publish on version change id: publish_nuget uses: rohith/publish-nuget@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 2 + id: publish_nuget + uses: praveen/publish-nuget/to-version@v2 with: PROJECT_FILE_PATH: Core/Core.csproj NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} diff --git a/testfiles/pinactions/output/exemptaction.yml b/testfiles/pinactions/output/exemptaction.yml index 4c986d6fd..0be1c581a 100644 --- a/testfiles/pinactions/output/exemptaction.yml +++ b/testfiles/pinactions/output/exemptaction.yml @@ -38,6 +38,14 @@ jobs: - name: publish on version change id: publish_nuget uses: rohith/publish-nuget@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 2 + id: publish_nuget + uses: praveen/publish-nuget/to-version@v2 with: PROJECT_FILE_PATH: Core/Core.csproj NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} From 56e10cb6e2f233878df3d0c7ba8cdf1aea69f8ab Mon Sep 17 00:00:00 2001 From: Balijepalli Vamshi Krishna Date: Thu, 20 Nov 2025 16:48:10 +0530 Subject: [PATCH 2/5] addd test cases --- remediation/workflow/pin/pinactions_test.go | 40 +++++++---- testfiles/pinactions/input/exemptaction.yml | 16 +++++ testfiles/pinactions/output/exemptaction.yml | 16 +++++ .../pinactions/output/exemptaction.yml.failed | 68 +++++++++++++++++++ 4 files changed, 126 insertions(+), 14 deletions(-) create mode 100644 testfiles/pinactions/output/exemptaction.yml.failed diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go index 81209a7ea..b60009cfb 100644 --- a/remediation/workflow/pin/pinactions_test.go +++ b/remediation/workflow/pin/pinactions_test.go 
@@ -298,20 +298,19 @@ func TestPinActions(t *testing.T) { exemptedActions []string pinToImmutable bool }{ - {fileName: "alreadypinned.yml", wantUpdated: false, pinToImmutable: true}, - {fileName: "branch.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "localaction.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "multiplejobs.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "basic.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "dockeraction.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "multipleactions.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*"}, pinToImmutable: true}, - {fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false}, - {fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false}, - {fileName: "pinusingmap.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: "alreadypinned.yml", wantUpdated: false, pinToImmutable: true}, + // {fileName: "branch.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: "localaction.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: "multiplejobs.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: "basic.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: "dockeraction.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: "multipleactions.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, + // {fileName: 
"immutableaction-1.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*", "aman-*/*", "*/seperate*"}, pinToImmutable: true}, + // {fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false}, + // {fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false}, } for _, tt := range tests { @@ -393,4 +392,17 @@ func TestActionExists(t *testing.T) { if !result { t.Errorf("ActionExists returned true for actions/checkout/something") } + + result = ActionExists("step-security/checkout/something", []string{"step-*/*"}) + t.Log(result) + if !result { + t.Errorf("ActionExists returned true for actions/checkout/something") + } + + result = ActionExists("step-security/checkout-release/something", []string{"*/checkout-*"}) + t.Log(result) + if !result { + t.Errorf("ActionExists returned true for actions/checkout/something") + } + } diff --git a/testfiles/pinactions/input/exemptaction.yml b/testfiles/pinactions/input/exemptaction.yml index d23c4082e..dd23d2093 100644 --- a/testfiles/pinactions/input/exemptaction.yml +++ b/testfiles/pinactions/input/exemptaction.yml @@ -46,6 +46,22 @@ jobs: - name: publish on version change 2 id: publish_nuget uses: praveen/publish-nuget/to-version@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 3 + id: publish_nuget + uses: aman-action/move/to-main@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 2 + id: publish_nuget + uses: smith/seperate/from-version@v2 with: PROJECT_FILE_PATH: Core/Core.csproj NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/testfiles/pinactions/output/exemptaction.yml b/testfiles/pinactions/output/exemptaction.yml index 0be1c581a..dba5fa6ef 100644 --- a/testfiles/pinactions/output/exemptaction.yml +++ b/testfiles/pinactions/output/exemptaction.yml @@ -46,6 +46,22 @@ jobs: - name: publish on version change 2 id: publish_nuget uses: praveen/publish-nuget/to-version@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 3 + id: publish_nuget + uses: aman-action/move/to-main@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 2 + id: publish_nuget + uses: smith/seperate/from-version@v2 with: PROJECT_FILE_PATH: Core/Core.csproj NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} diff --git a/testfiles/pinactions/output/exemptaction.yml.failed b/testfiles/pinactions/output/exemptaction.yml.failed new file mode 100644 index 000000000..e7c6055d0 --- /dev/null +++ b/testfiles/pinactions/output/exemptaction.yml.failed 
@@ -0,0 +1,68 @@ +name: publish to nuget +on: + push: + branches: + - master # Default release branch +jobs: + publish: + name: build, pack & publish + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + + # - name: Setup dotnet + # uses: actions/setup-dotnet@v1 + # with: + # dotnet-version: 3.1.200 + + # Publish + - name: publish on version change + id: publish_nuget + uses: brandedoutcast/publish-nuget@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + publish1: + name: build, pack & publish + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + + # - name: Setup dotnet + # uses: actions/setup-dotnet@v1 + # with: + # dotnet-version: 3.1.200 + + # Publish + - name: publish on version change + id: publish_nuget + uses: rohith/publish-nuget@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 2 + id: publish_nuget + uses: praveen/publish-nuget/to-version@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 3 + id: publish_nuget + uses: aman-action/move/to-main@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 2 + id: publish_nuget + uses: smith/publish/from-version@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json \ No newline at end of file From aa7260bb0d96fc0b9c40b20ef6811d220996e885 Mon Sep 17 00:00:00 2001 
From: Balijepalli Vamshi Krishna Date: Thu, 20 Nov 2025 16:50:52 +0530 Subject: [PATCH 3/5] add more test cases --- remediation/workflow/pin/pinactions_test.go | 24 +++---- .../pinactions/output/exemptaction.yml.failed | 68 ------------------- 2 files changed, 12 insertions(+), 80 deletions(-) delete mode 100644 testfiles/pinactions/output/exemptaction.yml.failed diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go index b60009cfb..ecfdf5862 100644 --- a/remediation/workflow/pin/pinactions_test.go +++ b/remediation/workflow/pin/pinactions_test.go 
@@ -298,19 +298,19 @@ func TestPinActions(t *testing.T) { exemptedActions []string pinToImmutable bool }{ - // {fileName: "alreadypinned.yml", wantUpdated: false, pinToImmutable: true}, - // {fileName: "branch.yml", wantUpdated: true, pinToImmutable: true}, - // {fileName: "localaction.yml", wantUpdated: true, pinToImmutable: true}, - // {fileName: "multiplejobs.yml", wantUpdated: true, pinToImmutable: true}, - // {fileName: "basic.yml", wantUpdated: true, pinToImmutable: true}, - // {fileName: "dockeraction.yml", wantUpdated: true, pinToImmutable: true}, - // {fileName: "multipleactions.yml", wantUpdated: true, pinToImmutable: true}, - // {fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, - // {fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, - // {fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "alreadypinned.yml", wantUpdated: false, pinToImmutable: true}, + {fileName: "branch.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "localaction.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "multiplejobs.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "basic.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "dockeraction.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "multipleactions.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, + {fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true}, {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*", "aman-*/*", "*/seperate*"}, pinToImmutable: true}, - // {fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false}, - // {fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: 
false}, + {fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false}, + {fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false}, } for _, tt := range tests { diff --git a/testfiles/pinactions/output/exemptaction.yml.failed b/testfiles/pinactions/output/exemptaction.yml.failed deleted file mode 100644 index e7c6055d0..000000000 --- a/testfiles/pinactions/output/exemptaction.yml.failed +++ /dev/null 
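Review bot: The restored table ends at `invertedcommas.yml` and no longer contains `{fileName: "pinusingmap.yml", wantUpdated: true, pinToImmutable: true},`, which PATCH 2/5 deleted outright instead of commenting out like the other entries. The `@@ -308,7 +323,7 @@` hunk in PATCH 4/5 shows the closing brace directly after `invertedcommas.yml`, so the entry does not come back later in the series. If the loop body (outside these hunks) only runs files listed in the table, the `pinusingmap.yml` fixtures and the `actionCommitMap` entry added in PATCH 5/5 are never exercised. Re-add the line at the end of the table, where it was.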
@@ -1,68 +0,0 @@ -name: publish to nuget -on: - push: - branches: - - master # Default release branch -jobs: - publish: - name: build, pack & publish - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - # - name: Setup dotnet - # uses: actions/setup-dotnet@v1 - # with: - # dotnet-version: 3.1.200 - - # Publish - - name: publish on version change - id: publish_nuget - uses: brandedoutcast/publish-nuget@v2 - with: - PROJECT_FILE_PATH: Core/Core.csproj - NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} - NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json - publish1: - name: build, pack & publish - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - # - name: Setup dotnet - # uses: actions/setup-dotnet@v1 - # with: - # dotnet-version: 3.1.200 - - # Publish - - name: publish on version change - id: publish_nuget - uses: rohith/publish-nuget@v2 - with: - PROJECT_FILE_PATH: Core/Core.csproj - NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} - NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json - - - name: publish on version change 2 - id: publish_nuget - uses: praveen/publish-nuget/to-version@v2 - with: - PROJECT_FILE_PATH: Core/Core.csproj - NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} - NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json - - - name: publish on version change 3 - id: publish_nuget - uses: aman-action/move/to-main@v2 - with: - PROJECT_FILE_PATH: Core/Core.csproj - NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} - NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json - - - name: publish on version change 2 - id: publish_nuget - uses: smith/publish/from-version@v2 - with: - PROJECT_FILE_PATH: Core/Core.csproj - NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} - NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json \ No newline at end of file From ba5c17fe96a7febfa29d7a16a720f2dd8d51abfd Mon Sep 17 00:00:00 2001 
From: Balijepalli Vamshi Krishna Date: Fri, 21 Nov 2025 13:27:24 +0530 Subject: [PATCH 4/5] add more test cases --- remediation/workflow/pin/pinactions_test.go | 17 ++++++++++++++++- testfiles/pinactions/input/basic.yml | 6 ++++++ testfiles/pinactions/input/exemptaction.yml | 8 ++++++++ testfiles/pinactions/output/basic.yml | 6 ++++++ testfiles/pinactions/output/exemptaction.yml | 8 ++++++++ 5 files changed, 44 insertions(+), 1 deletion(-) diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go index ecfdf5862..bbee54695 100644 --- a/remediation/workflow/pin/pinactions_test.go +++ b/remediation/workflow/pin/pinactions_test.go @@ -33,6 +33,21 @@ func TestPinActions(t *testing.T) { } ]`)) + httpmock.RegisterResponder("GET", "https://api.github.com/repos/evans/shield/commits/v1", + httpmock.NewStringResponder(200, `a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbd`)) + + httpmock.RegisterResponder("GET", "https://api.github.com/repos/evans/shield/git/matching-refs/tags/v1.", + httpmock.NewStringResponder(200, + `[ + { + "ref": "refs/tags/v1.0.3", + "object": { + "sha": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbd", + "type": "commit" + } + } + ]`)) + httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/master", httpmock.NewStringResponder(200, `61b9e3751b92087fd0b06925ba6dd6314e06f089`)) 
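Review bot: The two responders for `evans/shield` carry no comment saying which case they serve; from the `basic.yml` hunks later in this patch they appear to back the `uses: evans/shield/@v1` step, whose action path ends in a slash. A line such as `// evans/shield/@v1 in basic.yml: trailing slash before @ must still resolve to repo evans/shield` above the first `RegisterResponder` would tell the next reader why the mock exists. `TestPinActions` starts and ends outside this hunk.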
@@ -308,7 +323,7 @@ func TestPinActions(t *testing.T) { {fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, {fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true}, {fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true}, - {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*", "aman-*/*", "*/seperate*"}, pinToImmutable: true}, + {fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*", "aman-*/*", "*/seperate*", "starc/*"}, pinToImmutable: true}, {fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false}, {fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false}, } diff --git a/testfiles/pinactions/input/basic.yml b/testfiles/pinactions/input/basic.yml index c62a64855..7b2e46864 100644 --- a/testfiles/pinactions/input/basic.yml +++ b/testfiles/pinactions/input/basic.yml @@ -11,6 +11,12 @@ jobs: steps: - name: Close Issue uses: peter-evans/close-issue@v1 + with: + issue-number: 1 + comment: Auto-closing issue + + - name: test case + uses: evans/shield/@v1 with: issue-number: 1 comment: Auto-closing issue \ No newline at end of file diff --git a/testfiles/pinactions/input/exemptaction.yml b/testfiles/pinactions/input/exemptaction.yml index dd23d2093..3912c757b 100644 --- a/testfiles/pinactions/input/exemptaction.yml +++ b/testfiles/pinactions/input/exemptaction.yml @@ -62,6 +62,14 @@ jobs: - name: publish on version change 2 id: publish_nuget uses: smith/seperate/from-version@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 2 + id: publish_nuget + uses: starc/swing/from-version/@v2 with: PROJECT_FILE_PATH: Core/Core.csproj NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/testfiles/pinactions/output/basic.yml b/testfiles/pinactions/output/basic.yml index 39f5bbb59..4721f6655 100644 --- a/testfiles/pinactions/output/basic.yml +++ b/testfiles/pinactions/output/basic.yml @@ -11,6 +11,12 @@ jobs: steps: - name: Close Issue uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3 + with: + issue-number: 1 + comment: Auto-closing issue + + - name: test case + uses: evans/shield/@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbd # v1.0.3 with: issue-number: 1 comment: Auto-closing issue \ No newline at end of file diff --git a/testfiles/pinactions/output/exemptaction.yml b/testfiles/pinactions/output/exemptaction.yml index dba5fa6ef..820732e88 100644 --- a/testfiles/pinactions/output/exemptaction.yml +++ b/testfiles/pinactions/output/exemptaction.yml @@ -62,6 +62,14 @@ jobs: - name: publish on version change 2 id: publish_nuget uses: smith/seperate/from-version@v2 + with: + PROJECT_FILE_PATH: Core/Core.csproj + NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} + NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json + + - name: publish on version change 2 + id: publish_nuget + uses: starc/swing/from-version/@v2 with: PROJECT_FILE_PATH: Core/Core.csproj NUGET_KEY: ${{ secrets.GITHUB_TOKEN }} From d1cf9aac8c3fddc53c8f55482108c99d7479f3bc Mon Sep 17 00:00:00 2001 From: Balijepalli Vamshi Krishna Date: Fri, 21 Nov 2025 14:10:41 +0530 Subject: [PATCH 5/5] test case for action commit map --- remediation/workflow/pin/pinactions_test.go | 1 + testfiles/pinactions/input/pinusingmap.yml | 6 ++++++ testfiles/pinactions/output/pinusingmap.yml | 6 ++++++ 3 files changed, 13 insertions(+) diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go index bbee54695..19263e197 100644 --- a/remediation/workflow/pin/pinactions_test.go +++ b/remediation/workflow/pin/pinactions_test.go 
@@ -344,6 +344,7 @@ func TestPinActions(t *testing.T) { actionCommitMap = map[string]string{ "peter-evans-test/close-issue@v1": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53vam", "peter-check/close-issue@v1.2.3": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53tom", + "evans/shield-test/@v1.2.5": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53cat", } } diff --git a/testfiles/pinactions/input/pinusingmap.yml b/testfiles/pinactions/input/pinusingmap.yml index c9807f980..f45dce5df 100644 --- a/testfiles/pinactions/input/pinusingmap.yml +++ b/testfiles/pinactions/input/pinusingmap.yml @@ -23,6 +23,12 @@ jobs: - name: Close Issue uses: peter-check/close-issue@v1.2.3 + with: + issue-number: 1 + comment: Auto-closing issue + + - name: test case + uses: evans/shield-test/@v1.2.5 with: issue-number: 1 comment: Auto-closing issue \ No newline at end of file diff --git a/testfiles/pinactions/output/pinusingmap.yml b/testfiles/pinactions/output/pinusingmap.yml index ebaced2d4..bd13dd357 100644 --- a/testfiles/pinactions/output/pinusingmap.yml +++ b/testfiles/pinactions/output/pinusingmap.yml @@ -23,6 +23,12 @@ jobs: - name: Close Issue uses: peter-check/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53tom # v1.2.3 + with: + issue-number: 1 + comment: Auto-closing issue + + - name: test case + uses: evans/shield-test/@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53cat # v1.2.5 with: issue-number: 1 comment: Auto-closing issue \ No newline at end of file