Merge pull request #2506 from step-security/feature/exclude_pin_actio…

…ns_main feature/exclude_pin_actions -> main
step-security · Feb 4, 2025 · 6fb13bc · 6fb13bc
2 parents d48f26d + b71adb4
commit 6fb13bc
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -52,7 +52,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	tagOrBranch := leftOfAt[1]
 
 	// skip pinning for exempted actions
-	if actionExists(leftOfAt[0], exemptedActions) {
+	if ActionExists(leftOfAt[0], exemptedActions) {
 		return inputYaml, updated
 	}
 
@@ -196,7 +196,7 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS
 }
 
 // Function to check if an action matches any pattern in the list
-func actionExists(actionName string, patterns []string) bool {
+func ActionExists(actionName string, patterns []string) bool {
 	for _, pattern := range patterns {
 		// Use filepath.Match to match the pattern
 		matched, err := filepath.Match(pattern, actionName)

diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
@@ -85,6 +85,9 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	}
 
 	if addHardenRunner {
+		if pin.ActionExists(HardenRunnerActionPath, exemptedActions) {
+			pinActions = false
+		}
 		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinActions, pinToImmutable)
 	}