Fix parsing of github action name.

Signed-off-by: Jeff Mendoza <[email protected]>
ossf · Mar 1, 2024 · c532eed · c532eed
1 parent 609be43
commit c532eed
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/pkg/policies/action/action.go b/pkg/policies/action/action.go
@@ -18,7 +18,6 @@ package action
 import (
 	"context"
 	"fmt"
-	"regexp"
 	"sort"
 	"strings"
 
@@ -34,8 +33,6 @@ import (
 const configFile = "actions.yaml"
 const polName = "GitHub Actions"
 
-var actionNameVersionRegex = regexp.MustCompile(`^([a-zA-Z0-9_\-.]+\/[a-zA-Z0-9_\-.]+)@([a-zA-Z0-9\-.]+)$`)
-
 const failText = "This policy, specified at the organization level, sets requirements for Action use by repos within the organization. This repo is failing to fully comply with organization policies, as explained below.\n\n```\n%s```\n\nSee the org-level %s policy configuration for details."
 
 const maxWorkflows = 50
@@ -270,8 +267,8 @@ func (a Action) Check(ctx context.Context, c *github.Client, owner,
 					// Missing uses in step
 					continue
 				}
-				sm := actionNameVersionRegex.FindStringSubmatch(actionStep.Uses.Value)
-				if sm == nil {
+				sm := strings.SplitN(actionStep.Uses.Value, "@", 2)
+				if len(sm) != 2 {
 					// Ignore invalid Action
 					log.Warn().
 						Str("org", owner).
@@ -281,8 +278,8 @@ func (a Action) Check(ctx context.Context, c *github.Client, owner,
 						Msg("Ignoring invalid action")
 					continue
 				}
-				name := sm[1]
-				version := sm[2]
+				name := sm[0]
+				version := sm[1]
 				actions = append(actions, &actionMetadata{
 					name:             name,
 					version:          version,