2 changes: 1 addition & 1 deletion remediation/workflow/hardenrunner/addaction.go
Expand Up @@ -51,7 +51,7 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo
}

if updated && pinActions {
out, _ = pin.PinAction(action, out, nil, pinToImmutable)
out, _, _ = pin.PinAction(action, out, nil, pinToImmutable)
}

return out, updated, nil
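Review bot: The new `out, _, _ = pin.PinAction(action, out, nil, pinToImmutable)` line discards the error PinAction now returns, so when the commit-SHA lookup fails the freshly added harden-runner step is left on its mutable ref while AddAction still returns `nil` — the caller cannot tell the step was not pinned, unlike the PinActions path in secureworkflow.go, which now propagates the failure. If best-effort pinning is intentional here, say so on that line with `// pin failure is non-fatal: the step is still added, just left unpinned`; otherwise propagate it as below, using a temporary because `:=` inside the `if` would shadow the outer `out`. AddAction's signature and the start of its body are above the hunk, so this assumes no earlier `err` declaration conflicts.
```go
	if updated && pinActions {
		pinned, _, err := pin.PinAction(action, out, nil, pinToImmutable)
		if err != nil {
			return out, updated, err
		}
		out = pinned
	}
```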
29 changes: 16 additions & 13 deletions remediation/workflow/pin/pinactions.go
Expand Up @@ -29,7 +29,10 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool)
for _, step := range job.Steps {
if len(step.Uses) > 0 {
localUpdated := false
out, localUpdated = PinAction(step.Uses, out, exemptedActions, pinToImmutable)
out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable)
if err != nil {
return out, updated, err
}
updated = updated || localUpdated
}
}
Expand All @@ -38,29 +41,32 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool)
return out, updated, nil
}

func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool) (string, bool) {
func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool) (string, bool, error) {

updated := false
if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
return inputYaml, updated // Cannot pin local actions and docker actions
return inputYaml, updated, nil // Cannot pin local actions and docker actions
}

if isAbsolute(action) || (pinToImmutable && IsImmutableAction(action)) {
return inputYaml, updated
return inputYaml, updated, nil
}
leftOfAt := strings.Split(action, "@")
tagOrBranch := leftOfAt[1]

// skip pinning for exempted actions
if ActionExists(leftOfAt[0], exemptedActions) {
return inputYaml, updated
return inputYaml, updated, nil
}

splitOnSlash := strings.Split(leftOfAt[0], "/")
owner := splitOnSlash[0]
repo := splitOnSlash[1]

PAT := os.Getenv("PAT")
PAT := os.Getenv("SECURE_REPO_PAT")
if PAT == "" {
PAT = os.Getenv("PAT")
}

ctx := context.Background()
ts := oauth2.StaticTokenSource(
Expand All @@ -72,13 +78,10 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl

commitSHA, _, err := client.Repositories.GetCommitSHA1(ctx, owner, repo, tagOrBranch, "")
if err != nil {
return inputYaml, updated
return inputYaml, updated, fmt.Errorf("unable to get commit sha %v", err)
}

tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
if err != nil {
return inputYaml, updated
}
tagOrBranch, _ = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)

// pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
// build separately so we can quote only the ref, not the comment
Expand Down Expand Up @@ -109,7 +112,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
inputYaml = actionRegex.ReplaceAllString(inputYaml, pinnedActionWithVersion+"$2")

inputYaml, _ = removePreviousActionComments(pinnedActionWithVersion, inputYaml)
return inputYaml, !strings.EqualFold(action, pinnedActionWithVersion)
return inputYaml, !strings.EqualFold(action, pinnedActionWithVersion), nil
}

updated = !strings.EqualFold(action, fullPinned)
Expand Down Expand Up @@ -141,7 +144,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
)
inputYaml, _ = removePreviousActionComments(fullPinned, inputYaml)

return inputYaml, updated
return inputYaml, updated, nil
}

// It may be that there was already a comment next to the action
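Review bot: In the third hunk the new `fmt.Errorf("unable to get commit sha %v", err)` names neither the action nor the ref that failed and uses `%v`, so a caller that aborts the whole remediation on it (as secureworkflow.go now does) surfaces an error that points at no step and cannot be unwrapped with `errors.Is`/`errors.As`; prefer `return inputYaml, updated, fmt.Errorf("unable to get commit sha for %s@%s: %w", leftOfAt[0], tagOrBranch, err)`. The same hunk turns the semantic-version lookup from abort-on-error into `tagOrBranch, _ = getSemanticVersion(...)`; if that helper returns an empty string on error (its body is outside this diff), the version comment written next to the pinned SHA will be blank, so `if v, err := getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA); err == nil { tagOrBranch = v }` keeps the original ref as the fallback and deserves a one-line comment saying why this lookup is best-effort while the SHA lookup is fatal. Note that returning an error here means one unresolvable ref (a typo'd tag, a private repo without a usable token, a rate-limited unauthenticated client) now aborts pinning of every remaining action via PinActions — fail-closed is a reasonable choice for a pinning tool, but it is a behaviour change from the previous best-effort loop and worth stating in the PR description.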
8 changes: 7 additions & 1 deletion remediation/workflow/secureworkflow.go
Expand Up @@ -143,7 +143,13 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
log.Printf("Pinning GitHub Actions")
}
pinnedAction, pinnedDocker := false, false
secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)
secureWorkflowReponse.FinalOutput, pinnedAction, err = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)
if err != nil {
if enableLogging {
log.Printf("Error pinning actions: %v", err)
}
return secureWorkflowReponse, err
}
secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
pinnedActions = pinnedAction || pinnedDocker
if enableLogging {
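Review bot: On the error path the new block has already overwritten `secureWorkflowReponse.FinalOutput` with the value PinActions returns alongside its error (PinActions returns its partially pinned `out` on failure), so the caller receives an error together with a half-remediated workflow in the response; either document on the assignment line that `FinalOutput` is not meaningful when `err != nil`, or assign into a temporary and copy it into the response only on success. The block also logs and returns the same error, so it will be reported twice once the caller logs it — keep one of the two. This also relies on `err` already being declared earlier in SecureWorkflow, since the assignment uses `=` rather than `:=` and the function starts above the hunk.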