Merge pull request #2514 from step-security/shubham/main

Update: Fix secure-repo parsing & Always pin harden runner

Author: varunsh-coder

remediation/workflow/hardenrunner/addaction.go

@@ -61,7 +61,9 @@ func addAction(inputYaml, jobName, action string) (string, error) {
 		return "", fmt.Errorf("unable to parse yaml %v", err)
 	}
 
-	jobNode := permissions.IterateNode(&t, jobName, "!!map", 0)
+	jobNode := permissions.IterateNode(&t, "jobs", "!!map", 0)
+
+	jobNode = permissions.IterateNode(&t, jobName, "!!map", jobNode.Line)
 
 	jobNode = permissions.IterateNode(&t, "steps", "!!seq", jobNode.Line)
 

remediation/workflow/hardenrunner/addaction_test.go

@@ -25,6 +25,7 @@ func TestAddAction(t *testing.T) {
 		{name: "already present", args: args{inputYaml: "alreadypresent.yml", action: "step-security/harden-runner@v2"}, want: "alreadypresent.yml", wantErr: false, wantUpdated: true},
 		{name: "already present 2", args: args{inputYaml: "alreadypresent_2.yml", action: "step-security/harden-runner@v2"}, want: "alreadypresent_2.yml", wantErr: false, wantUpdated: false},
 		{name: "reusable job", args: args{inputYaml: "reusablejob.yml", action: "step-security/harden-runner@v2"}, want: "reusablejob.yml", wantErr: false, wantUpdated: false},
+		{name: "job name in input", args: args{inputYaml: "jobNameInInput.yml", action: "step-security/harden-runner@v2"}, want: "jobNameInInput.yml", wantErr: false, wantUpdated: true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

remediation/workflow/secureworkflow.go

@@ -85,10 +85,12 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	}
 
 	if addHardenRunner {
+		// Always pin harden-runner unless exempted
+		pinHardenRunner := true
 		if pin.ActionExists(HardenRunnerActionPath, exemptedActions) {
-			pinActions = false
+			pinHardenRunner = false
 		}
-		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinActions, pinToImmutable)
+		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinHardenRunner, pinToImmutable)
 	}
 
 	// Setting appropriate flags

testfiles/addaction/input/jobNameInInput.yml

@@ -0,0 +1,65 @@
+name: coveo-example-library
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'coveo-example-library/**'
+      - '!**.lock'
+      - '!**.md'
+
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'coveo-example-library/**'
+      - '.github/workflows/coveo-example-library.yml'
+      - '!**.md'
+
+  workflow_dispatch:
+    inputs:
+      publish:
+        description: "Publish to pypi.org?"
+        required: false
+        default: 'false'
+
+jobs:
+  pyprojectci:
+    name: pyproject ci
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.8", "3.10"]
+        os: [ubuntu-latest, windows-latest, macos-latest]
+
+    steps:
+      - name: Run stew ci
+        uses: coveo/stew@main
+        with:
+          project-name: ${{ github.workflow }}
+          python-version: ${{ matrix.python-version }}
+          poetry-version: "<2"
+
+  publish:
+    name: Publish to pypi.org
+    runs-on: ubuntu-20.04
+    needs: pyprojectci
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+
+      - name: Setup python 3.9
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
+        with:
+          python-version: 3.9
+
+      - name: Publish to pypi
+        uses: ./.github/workflows/actions/publish-to-pypi
+        with:
+          project-name: ${{ github.workflow }}
+          pypi-token: ${{ secrets.PYPI_TOKEN_COVEO_EXAMPLE_LIBRARY }}
+          pre-release: ${{ github.ref != 'refs/heads/main' }}
+          dry-run: true

testfiles/addaction/output/jobNameInInput.yml

@@ -0,0 +1,75 @@
+name: coveo-example-library
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'coveo-example-library/**'
+      - '!**.lock'
+      - '!**.md'
+
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'coveo-example-library/**'
+      - '.github/workflows/coveo-example-library.yml'
+      - '!**.md'
+
+  workflow_dispatch:
+    inputs:
+      publish:
+        description: "Publish to pypi.org?"
+        required: false
+        default: 'false'
+
+jobs:
+  pyprojectci:
+    name: pyproject ci
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.8", "3.10"]
+        os: [ubuntu-latest, windows-latest, macos-latest]
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Run stew ci
+        uses: coveo/stew@main
+        with:
+          project-name: ${{ github.workflow }}
+          python-version: ${{ matrix.python-version }}
+          poetry-version: "<2"
+
+  publish:
+    name: Publish to pypi.org
+    runs-on: ubuntu-20.04
+    needs: pyprojectci
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+
+      - name: Setup python 3.9
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
+        with:
+          python-version: 3.9
+
+      - name: Publish to pypi
+        uses: ./.github/workflows/actions/publish-to-pypi
+        with:
+          project-name: ${{ github.workflow }}
+          pypi-token: ${{ secrets.PYPI_TOKEN_COVEO_EXAMPLE_LIBRARY }}
+          pre-release: ${{ github.ref != 'refs/heads/main' }}
+          dry-run: true

testfiles/secureworkflow/output/nopin.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest  
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
           egress-policy: audit