Revert "Fix sentence and remove existing action comments (#2067)"

This reverts commit 830739d.
step-security · Apr 13, 2023 · eadfcec · eadfcec
1 parent 830739d
commit eadfcec
Show file tree

Hide file tree

Showing 16 changed files with 13 additions and 79 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -43,7 +43,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Checkout repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

diff --git a/.github/workflows/kbanalysis.yml b/.github/workflows/kbanalysis.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
         with:

diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
@@ -83,7 +83,7 @@ func addAction(inputYaml, jobName, action string) (string, error) {
 	output = append(output, spaces+fmt.Sprintf("- name: %s", HardenRunnerActionName))
 	output = append(output, spaces+fmt.Sprintf("  uses: %s", action))
 	output = append(output, spaces+"  with:")
-	output = append(output, spaces+"    egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs")
+	output = append(output, spaces+"    egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs")
 	output = append(output, "")
 
 	for i := jobNode.Line - 1; i < len(inputLines); i++ {

diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -76,13 +76,6 @@ func PinAction(action, inputYaml string) (string, bool) {
 	pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
 	updated = !strings.EqualFold(action, pinnedAction)
 	inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
-	stringParts := strings.SplitN(inputYaml, pinnedAction, 2)
-	if len(stringParts) > 1 {
-		trimmedString := strings.SplitN(stringParts[1], "\n", 2)
-		if len(trimmedString) > 1 {
-			inputYaml = stringParts[0] + pinnedAction + "\n" + trimmedString[1]
-		}
-	}
 	return inputYaml, updated
 }
 

diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go
@@ -182,7 +182,6 @@ func TestPinActions(t *testing.T) {
 		{fileName: "basic.yml", wantUpdated: true},
 		{fileName: "dockeraction.yml", wantUpdated: true},
 		{fileName: "multipleactions.yml", wantUpdated: true},
-		{fileName: "actionwithcomment.yml", wantUpdated: true},
 	}
 	for _, tt := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))

diff --git a/testfiles/addaction/input/alreadypresent_2.yml b/testfiles/addaction/input/alreadypresent_2.yml
@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
      - run: ls -R
diff --git a/testfiles/addaction/output/2jobs.yml b/testfiles/addaction/output/2jobs.yml
@@ -8,7 +8,7 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
      - run: ls -R
   list-directory1:
@@ -17,6 +17,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
      - run: ls -R
diff --git a/testfiles/addaction/output/action-issues.yml b/testfiles/addaction/output/action-issues.yml
@@ -12,7 +12,7 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@v2
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Close Issue
       uses: peter-evans/close-issue@v1

diff --git a/testfiles/addaction/output/alreadypresent.yml b/testfiles/addaction/output/alreadypresent.yml
@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
      - run: ls -R
diff --git a/testfiles/addaction/output/alreadypresent_2.yml b/testfiles/addaction/output/alreadypresent_2.yml
@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
      - run: ls -R
diff --git a/testfiles/pinactions/input/actionwithcomment.yml b/testfiles/pinactions/input/actionwithcomment.yml
diff --git a/testfiles/pinactions/output/actionwithcomment.yml b/testfiles/pinactions/output/actionwithcomment.yml
diff --git a/testfiles/secureworkflow/output/allscenarios.yml b/testfiles/secureworkflow/output/allscenarios.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

diff --git a/testfiles/secureworkflow/output/missingaction.yml b/testfiles/secureworkflow/output/missingaction.yml
@@ -11,7 +11,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - uses: actions/missingaction@v2
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

diff --git a/testfiles/secureworkflow/output/noperms.yml b/testfiles/secureworkflow/output/noperms.yml
@@ -11,7 +11,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
       - uses: github/super-linter@34b2f8032d759425f6b42ea2e52231b33ae05401 # v3.17.1

diff --git a/testfiles/secureworkflow/output/nopin.yml b/testfiles/secureworkflow/output/nopin.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@v2
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - uses: actions/checkout@v1
       - uses: github/super-linter@v3