add changes for exempted actions

Balijepalli Vamshi Krishna · Balijepalli Vamshi Krishna · commit fc469a13e60f · 2025-05-02T13:12:55.000+05:30
diff --git a/remediation/workflow/maintainedactions/maintainedActions.go b/remediation/workflow/maintainedactions/maintainedActions.go
@@ -59,7 +59,7 @@ func LoadMaintainedActions() (map[string]string, error) {
 }
 
 // ReplaceActions replaces original actions with Step Security actions in a workflow
-func ReplaceActions(inputYaml string) (string, bool, error) {
+func ReplaceActions(inputYaml string, customerMaintainedActions []string) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
 	actionMap, err := LoadMaintainedActions()
@@ -83,6 +83,9 @@ func ReplaceActions(inputYaml string) (string, bool, error) {
 			// fmt.Println("step ", step.Uses)
 			actionName := strings.Split(step.Uses, "@")[0]
 			if newAction, ok := actionMap[actionName]; ok {
+				if isMaintained(newAction, customerMaintainedActions) {
+					continue
+				}
 				latestVersion, err := GetLatestRelease(newAction)
 				if err != nil {
 					return "", updated, fmt.Errorf("unable to get latest release: %v", err)
@@ -145,3 +148,12 @@ func replaceAction(t *yaml.Node, inputLines []string, replacements []replacement
 	}
 	return inputLines, updated
 }
+
+func isMaintained(actionName string, maintainedActions []string) bool {
+	for _, maintainedAction := range maintainedActions {
+		if maintainedAction == actionName {
+			return true
+		}
+	}
+	return false
+}
diff --git a/remediation/workflow/maintainedactions/maintainedactions_test.go b/remediation/workflow/maintainedactions/maintainedactions_test.go
@@ -1,33 +1,13 @@
 package maintainedactions
 
 import (
-	"fmt"
 	"io/ioutil"
-	"os"
 	"path"
 	"testing"
 
 	"github.com/jarcoal/httpmock"
 )
 
-// WriteYAML writes the given string content to a YAML file with the specified filename.
-func WriteYAML(filename string, content string) error {
-	// Create or truncate the file
-	file, err := os.Create(filename)
-	if err != nil {
-		return fmt.Errorf("failed to create file %s: %w", filename, err)
-	}
-	defer file.Close()
-
-	// Write the string content to the file
-	_, err = file.WriteString(content)
-	if err != nil {
-		return fmt.Errorf("failed to write to file %s: %w", filename, err)
-	}
-
-	return nil
-}
-
 func TestReplaceActions(t *testing.T) {
 	const inputDirectory = "../../../testfiles/maintainedactions/input"
 	const outputDirectory = "../../../testfiles/maintainedactions/output"
@@ -89,6 +69,12 @@ func TestReplaceActions(t *testing.T) {
 			wantUpdated: true,
 			wantErr:     false,
 		},
+		{
+			name:        "exemtedMaintainedActions.yml",
+			inputFile:   "exemtedMaintainedActions.yml",
+			outputFile:  "exemtedMaintainedActions.yml",
+			wantUpdated: true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -100,11 +86,18 @@ func TestReplaceActions(t *testing.T) {
 			}
 
 			// Call ReplaceActions
-			got, updated, err := ReplaceActions(string(input))
+			var got string
+			var updated bool
+			var replaceErr error
+			if tt.inputFile == "exemtedMaintainedActions.yml" {
+				got, updated, replaceErr = ReplaceActions(string(input), []string{"step-security/git-restore-mtime-action"})
+			} else {
+				got, updated, replaceErr = ReplaceActions(string(input), []string{})
+			}
 
 			// Check error
-			if (err != nil) != tt.wantErr {
-				t.Errorf("ReplaceActions() error = %v, wantErr %v", err, tt.wantErr)
+			if (replaceErr != nil) != tt.wantErr {
+				t.Errorf("ReplaceActions() error = %v, wantErr %v", replaceErr, tt.wantErr)
 				return
 			}
 
@@ -121,7 +114,7 @@ func TestReplaceActions(t *testing.T) {
 
 			// Compare output with expected
 			if got != string(expectedOutput) {
-				WriteYAML(tt.outputFile+"second", got)
+				// WriteYAML(tt.outputFile+"second", got)
 				t.Errorf("ReplaceActions() = %v, want %v", got, string(expectedOutput))
 			}
 		})
diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
@@ -18,7 +18,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	pinActions, addHardenRunner, addPermissions, addProjectComment, addMaintainedActions := true, true, true, true, true
 	pinnedActions, addedHardenRunner, addedPermissions, addedMaintainedActions := false, false, false, false
 	ignoreMissingKBs := false
-	exemptedActions, pinToImmutable := []string{}, false
+	exemptedActions, pinToImmutable, customerMaintainedActions := []string{}, false, []string{}
 	if len(params) > 0 {
 		if v, ok := params[0].([]string); ok {
 			exemptedActions = v
@@ -29,6 +29,11 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 			pinToImmutable = v
 		}
 	}
+	if len(params) > 2 {
+		if v, ok := params[2].([]string); ok {
+			customerMaintainedActions = v
+		}
+	}
 
 	if queryStringParams["pinActions"] == "false" {
 		pinActions = false
@@ -79,7 +84,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	}
 
 	if addMaintainedActions {
-		secureWorkflowReponse.FinalOutput, addedMaintainedActions, err = maintainedactions.ReplaceActions(secureWorkflowReponse.FinalOutput)
+		secureWorkflowReponse.FinalOutput, addedMaintainedActions, err = maintainedactions.ReplaceActions(secureWorkflowReponse.FinalOutput, customerMaintainedActions)
 		if err != nil {
 			secureWorkflowReponse.HasErrors = true
 		}
diff --git a/testfiles/maintainedActions/input/exemtedMaintainedActions.yml b/testfiles/maintainedActions/input/exemtedMaintainedActions.yml
@@ -0,0 +1,35 @@
+name: Test Workflow
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: amannn/action-semantic-pull-request@v5
+        with:
+          types: feat,fix,chore
+      - uses: fkirc/skip-duplicate-actions@v5
+        with:
+          do_not_skip: '["release"]'
+      - uses: chetan/git-restore-mtime-action@v1
+        with:
+          pattern: '**/*'
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+      - uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+      - uses: amannn/action-semantic-pull-request@v5
+        with:
+          types: feat,fix,chore
diff --git a/testfiles/maintainedActions/output/exemtedMaintainedActions.yml b/testfiles/maintainedActions/output/exemtedMaintainedActions.yml
@@ -0,0 +1,35 @@
+name: Test Workflow
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: step-security/action-semantic-pull-request@v5
+        with:
+          types: feat,fix,chore
+      - uses: step-security/skip-duplicate-actions@v5
+        with:
+          do_not_skip: '["release"]'
+      - uses: chetan/git-restore-mtime-action@v1
+        with:
+          pattern: '**/*'
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+      - uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+      - uses: step-security/action-semantic-pull-request@v5
+        with:
+          types: feat,fix,chore
