Fix sentence and remove existing action comments (#2067)

step-security · Apr 13, 2023 · 830739d · 830739d
1 parent adfb0fa
commit 830739d
Show file tree

Hide file tree

Showing 16 changed files with 79 additions and 13 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -43,7 +43,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
       - name: Checkout repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

diff --git a/.github/workflows/kbanalysis.yml b/.github/workflows/kbanalysis.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
       - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
         with:

diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
@@ -83,7 +83,7 @@ func addAction(inputYaml, jobName, action string) (string, error) {
 	output = append(output, spaces+fmt.Sprintf("- name: %s", HardenRunnerActionName))
 	output = append(output, spaces+fmt.Sprintf("  uses: %s", action))
 	output = append(output, spaces+"  with:")
-	output = append(output, spaces+"    egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs")
+	output = append(output, spaces+"    egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs")
 	output = append(output, "")
 
 	for i := jobNode.Line - 1; i < len(inputLines); i++ {

diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -76,6 +76,13 @@ func PinAction(action, inputYaml string) (string, bool) {
 	pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
 	updated = !strings.EqualFold(action, pinnedAction)
 	inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
+	stringParts := strings.SplitN(inputYaml, pinnedAction, 2)
+	if len(stringParts) > 1 {
+		trimmedString := strings.SplitN(stringParts[1], "\n", 2)
+		if len(trimmedString) > 1 {
+			inputYaml = stringParts[0] + pinnedAction + "\n" + trimmedString[1]
+		}
+	}
 	return inputYaml, updated
 }
 

diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go
@@ -182,6 +182,7 @@ func TestPinActions(t *testing.T) {
 		{fileName: "basic.yml", wantUpdated: true},
 		{fileName: "dockeraction.yml", wantUpdated: true},
 		{fileName: "multipleactions.yml", wantUpdated: true},
+		{fileName: "actionwithcomment.yml", wantUpdated: true},
 	}
 	for _, tt := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))

diff --git a/testfiles/addaction/input/alreadypresent_2.yml b/testfiles/addaction/input/alreadypresent_2.yml
@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
      - run: ls -R
diff --git a/testfiles/addaction/output/2jobs.yml b/testfiles/addaction/output/2jobs.yml
@@ -8,7 +8,7 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
      - run: ls -R
   list-directory1:
@@ -17,6 +17,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
      - run: ls -R
diff --git a/testfiles/addaction/output/action-issues.yml b/testfiles/addaction/output/action-issues.yml
@@ -12,7 +12,7 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@v2
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
     - name: Close Issue
       uses: peter-evans/close-issue@v1

diff --git a/testfiles/addaction/output/alreadypresent.yml b/testfiles/addaction/output/alreadypresent.yml
@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
      - run: ls -R
diff --git a/testfiles/addaction/output/alreadypresent_2.yml b/testfiles/addaction/output/alreadypresent_2.yml
@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
      - run: ls -R
diff --git a/testfiles/pinactions/input/actionwithcomment.yml b/testfiles/pinactions/input/actionwithcomment.yml
@@ -0,0 +1,29 @@
+name: "close issue"
+
+on:
+  push:
+
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Close Issue
+      uses: peter-evans/close-issue@v1 #Mock comment to remove
+      with:
+       issue-number: 1
+       comment: Auto-closing issue
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1 #Mock Comment
+      - uses: actions/setup-node@v1 #Mock Comment 
+        with:
+          node-version: 10
+      - run: npm install
+      - run: npm test
+      - uses: JS-DevTools/npm-publish@v1 #Mock Comment
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          registry: https://npm.pkg.github.com
diff --git a/testfiles/pinactions/output/actionwithcomment.yml b/testfiles/pinactions/output/actionwithcomment.yml
@@ -0,0 +1,29 @@
+name: "close issue"
+
+on:
+  push:
+
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Close Issue
+      uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
+      with:
+       issue-number: 1
+       comment: Auto-closing issue
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
+      - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
+        with:
+          node-version: 10
+      - run: npm install
+      - run: npm test
+      - uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1.4.3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          registry: https://npm.pkg.github.com
diff --git a/testfiles/secureworkflow/output/allscenarios.yml b/testfiles/secureworkflow/output/allscenarios.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
       - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

diff --git a/testfiles/secureworkflow/output/missingaction.yml b/testfiles/secureworkflow/output/missingaction.yml
@@ -11,7 +11,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
       - uses: actions/missingaction@v2
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

diff --git a/testfiles/secureworkflow/output/noperms.yml b/testfiles/secureworkflow/output/noperms.yml
@@ -11,7 +11,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
       - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

diff --git a/testfiles/secureworkflow/output/nopin.yml b/testfiles/secureworkflow/output/nopin.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@v2
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
       - uses: actions/checkout@v1
       - uses: github/super-linter@v3