step-security · varunsh-coder · Nov 27, 2025 · Nov 27, 2025
diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
@@ -51,7 +51,7 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo
 	}
 
 	if updated && pinActions {
-		out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil)
+		out, _, err = pin.PinActionWithPatFallback(action, out, nil, pinToImmutable, nil)
 		if err != nil {
 			return out, updated, err
 		}

diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -29,7 +29,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
+				out, localUpdated, err = PinActionWithPatFallback(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
 				if err != nil {
 					return out, updated, err
 				}
@@ -43,7 +43,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
 		for _, run := range workflow.Runs.Steps {
 			if len(run.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated, err = PinAction(run.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
+				out, localUpdated, err = PinActionWithPatFallback(run.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
 				if err != nil {
 					return out, updated, err
 				}
@@ -55,7 +55,25 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
 	return out, updated, nil
 }
 
-func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
+func PinActionWithPatFallback(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
+	// use secure repo token
+	PAT := os.Getenv("SECURE_REPO_PAT")
+	if PAT == "" {
+		PAT = os.Getenv("PAT")
+		log.Println("SECURE_REPO_PAT is not set, using PAT")
+	} else {
+		log.Println("SECURE_REPO_PAT is set")
+	}
+	out, updated, err := PinAction(action, inputYaml, PAT, exemptedActions, pinToImmutable, actionCommitMap)
+	if err != nil && strings.Contains(err.Error(), "organization has an IP allow list enabled, and your IP address is not permitted to access this resource") {
+		PAT = os.Getenv("PAT")
+		log.Println("[RETRY] SECURE_REPO_PAT is not set, using PAT")
+		return PinAction(action, inputYaml, PAT, exemptedActions, pinToImmutable, actionCommitMap)
+	}
+	return out, updated, err
+}
+
+func PinAction(action, inputYaml, PAT string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
 	updated := false
 
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
@@ -77,15 +95,6 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	owner := splitOnSlash[0]
 	repo := splitOnSlash[1]
 
-	// use secure repo token
-	PAT := os.Getenv("SECURE_REPO_PAT")
-	if PAT == "" {
-		PAT = os.Getenv("PAT")
-		log.Println("SECURE_REPO_PAT is not set, using PAT")
-	} else {
-		log.Println("SECURE_REPO_PAT is set")
-	}
-
 	ctx := context.Background()
 	ts := oauth2.StaticTokenSource(
 		&oauth2.Token{AccessToken: PAT},