Merge pull request #23 from step-security/feat/pdpr-action-commit-map

sailikhith-stepsecurity · web-flow · commit e940f4381abb · 2025-10-24T23:13:49.000+05:30
Feat: Add action commit map attribute in pdpr for pinning actions.
diff --git a/docs/resources/policy_driven_pr.md b/docs/resources/policy_driven_pr.md
@@ -76,6 +76,12 @@ resource "stepsecurity_policy_driven_pr" "repo_level_config" {
       }
     ]
     add_workflows = "https://github.com/[owner]/[repo]"
+    action_commit_map = {
+      "codecov/codecov-action@v5" : "cf3f51a67d2820f7a7cefa0831889fbbef41ca57",
+      "codecov/codecov-action@v4" : "5ecb98a3c6b747ed38dc09f787459979aebb39be",
+      "google-github-actions/auth@v2" : "ba79af03959ebeac9769e648f473a284504d9193",
+      "google-github-actions/auth@v3" : "7c6bc770dae815cd3e89ee6cdf493a5fab2cc093"
+    }
   }
 }
 
@@ -132,6 +138,7 @@ import {
 
 Optional:
 
+- `action_commit_map` (Map of String) Map of actions to their corresponding commit SHAs to bypass pinning
 - `actions_to_exempt_while_pinning` (List of String) List of actions to exempt while pinning actions to SHA. When exempted, the action will not be pinned to SHA.
 - `actions_to_replace_with_step_security_actions` (List of String) List of actions to replace with Step Security actions. When provided, the actions will be replaced with Step Security actions.
 - `add_workflows` (String) Additional workflows to add as part of policy-driven PR.
diff --git a/examples/resources/stepsecurity_policy_driven_pr/resource.tf b/examples/resources/stepsecurity_policy_driven_pr/resource.tf
@@ -62,6 +62,12 @@ resource "stepsecurity_policy_driven_pr" "repo_level_config" {
       }
     ]
     add_workflows = "https://github.com/[owner]/[repo]"
+    action_commit_map = {
+      "codecov/codecov-action@v5" : "cf3f51a67d2820f7a7cefa0831889fbbef41ca57",
+      "codecov/codecov-action@v4" : "5ecb98a3c6b747ed38dc09f787459979aebb39be",
+      "google-github-actions/auth@v2" : "ba79af03959ebeac9769e648f473a284504d9193",
+      "google-github-actions/auth@v3" : "7c6bc770dae815cd3e89ee6cdf493a5fab2cc093"
+    }
   }
 }
 
@@ -93,4 +99,4 @@ resource "stepsecurity_policy_driven_pr" "org_level_with_exclusions" {
 import {
   to = stepsecurity_policy_driven_pr.org_level_all
   id = "test-organization"
-}
+}
diff --git a/internal/provider/resource_policy_driven_pr.go b/internal/provider/resource_policy_driven_pr.go
@@ -182,6 +182,11 @@ func (r *policyDrivenPRResource) Schema(_ context.Context, _ resource.SchemaRequ
 						Optional:    true,
 						Description: "Additional workflows to add as part of policy-driven PR.",
 					},
+					"action_commit_map": schema.MapAttribute{
+						ElementType: types.StringType,
+						Optional:    true,
+						Description: "Map of actions to their corresponding commit SHAs to bypass pinning",
+					},
 				},
 			},
 			"selected_repos": schema.ListAttribute{
@@ -310,6 +315,17 @@ func (r *policyDrivenPRResource) ImportState(ctx context.Context, req resource.I
 		addWorkflowsValue = types.StringNull()
 	}
 
+	var actionCommitMapValue types.Map
+	if len(policy.AutoRemdiationOptions.ActionCommitMap) > 0 {
+		mapElements := make(map[string]attr.Value)
+		for key, value := range policy.AutoRemdiationOptions.ActionCommitMap {
+			mapElements[key] = types.StringValue(value)
+		}
+		actionCommitMapValue, _ = types.MapValue(types.StringType, mapElements)
+	} else {
+		actionCommitMapValue = types.MapNull(types.StringType)
+	}
+
 	optionsObj, _ := types.ObjectValue(
 		map[string]attr.Type{
 			"create_pr":                                     types.BoolType,
@@ -330,7 +346,8 @@ func (r *policyDrivenPRResource) ImportState(ctx context.Context, req resource.I
 					},
 				},
 			},
-			"add_workflows": types.StringType,
+			"add_workflows":     types.StringType,
+			"action_commit_map": types.MapType{ElemType: types.StringType},
 		},
 		map[string]attr.Value{
 			"create_pr":                                     types.BoolValue(policy.AutoRemdiationOptions.CreatePR),
@@ -345,6 +362,7 @@ func (r *policyDrivenPRResource) ImportState(ctx context.Context, req resource.I
 			"update_precommit_file":                         updatePrecommitFileList,
 			"package_ecosystem":                             packageEcosystemList,
 			"add_workflows":                                 addWorkflowsValue,
+			"action_commit_map":                             actionCommitMapValue,
 		},
 	)
 	state.AutoRemdiationOptions = optionsObj
@@ -375,6 +393,7 @@ type autoRemdiationOptionsModel struct {
 	UpdatePrecommitFile                     types.List   `tfsdk:"update_precommit_file"`
 	PackageEcosystem                        types.List   `tfsdk:"package_ecosystem"`
 	AddWorkflows                            types.String `tfsdk:"add_workflows"`
+	ActionCommitMap                         types.Map    `tfsdk:"action_commit_map"`
 }
 
 type packageEcosystemModel struct {
@@ -618,6 +637,14 @@ func (r *policyDrivenPRResource) Create(ctx context.Context, req resource.Create
 		}
 	}
 
+	var actionCommitMap map[string]string
+	if !options.ActionCommitMap.IsNull() {
+		actionCommitMap = make(map[string]string)
+		for key, value := range options.ActionCommitMap.Elements() {
+			actionCommitMap[key] = value.(types.String).ValueString()
+		}
+	}
+
 	// Automatically compute config levels based on selected_repos
 	// If selected_repos = ["*"], use org-level config
 	// Otherwise, use repo-level config
@@ -641,6 +668,7 @@ func (r *policyDrivenPRResource) Create(ctx context.Context, req resource.Create
 			UpdatePrecommitFile:                     updatePrecommitFile,
 			PackageEcosystem:                        packageEcosystem,
 			AddWorkflows:                            options.AddWorkflows.ValueString(),
+			ActionCommitMap:                         actionCommitMap,
 		},
 		SelectedRepos:      selectedRepos,
 		UseRepoLevelConfig: useRepoLevel,
@@ -875,6 +903,16 @@ func (r *policyDrivenPRResource) Read(ctx context.Context, req resource.ReadRequ
 		tflog.Info(ctx, "Preserving actions_to_replace_with_step_security_actions from state")
 	}
 
+	if !currentStateOptions.ActionCommitMap.IsNull() {
+		stepSecurityPolicy.AutoRemdiationOptions.ActionCommitMap = make(map[string]string)
+		for key, value := range currentStateOptions.ActionCommitMap.Elements() {
+			stepSecurityPolicy.AutoRemdiationOptions.ActionCommitMap[key] = value.(types.String).ValueString()
+		}
+		tflog.Info(ctx, "Preserving action_commit_map from state")
+	} else if len(stepSecurityPolicy.AutoRemdiationOptions.ActionCommitMap) == 0 {
+		stepSecurityPolicy.AutoRemdiationOptions.ActionCommitMap = map[string]string{}
+	}
+
 	// Update state with API response, preserving selected_repos and excluded_repos from state
 	r.updatePolicyDrivenPRState(ctx, *stepSecurityPolicy, &state, stateSelectedRepos, stateExcludedRepos)
 
@@ -1016,6 +1054,16 @@ func (r *policyDrivenPRResource) Update(ctx context.Context, req resource.Update
 		}
 	}
 
+	var actionCommitMapPlan map[string]string
+	if !planOptions.ActionCommitMap.IsNull() {
+		actionCommitMapPlan = make(map[string]string)
+		for key, value := range planOptions.ActionCommitMap.Elements() {
+			actionCommitMapPlan[key] = value.(types.String).ValueString()
+		}
+	} else if len(planOptions.ActionCommitMap.Elements()) == 0 {
+		actionCommitMapPlan = map[string]string{}
+	}
+
 	// Automatically compute config levels based on planRepos
 	// If planRepos = ["*"], use org-level config
 	// Otherwise, use repo-level config
@@ -1038,6 +1086,7 @@ func (r *policyDrivenPRResource) Update(ctx context.Context, req resource.Update
 			UpdatePrecommitFile:                     updatePrecommitFilePlan,
 			PackageEcosystem:                        packageEcosystemPlan,
 			AddWorkflows:                            planOptions.AddWorkflows.ValueString(),
+			ActionCommitMap:                         actionCommitMapPlan,
 		},
 		SelectedRepos:      planRepos,
 		UseRepoLevelConfig: useRepoLevel,
@@ -1225,6 +1274,17 @@ func (r *policyDrivenPRResource) updatePolicyDrivenPRState(ctx context.Context,
 		addWorkflowsValue = types.StringNull()
 	}
 
+	var actionCommitMapValue types.Map
+	if len(stepSecurityPolicy.AutoRemdiationOptions.ActionCommitMap) > 0 {
+		mapElements := make(map[string]attr.Value)
+		for key, value := range stepSecurityPolicy.AutoRemdiationOptions.ActionCommitMap {
+			mapElements[key] = types.StringValue(value)
+		}
+		actionCommitMapValue, _ = types.MapValue(types.StringType, mapElements)
+	} else {
+		actionCommitMapValue = types.MapNull(types.StringType)
+	}
+
 	optionsObj, _ := types.ObjectValue(
 		map[string]attr.Type{
 			"create_pr":                                     types.BoolType,
@@ -1245,7 +1305,8 @@ func (r *policyDrivenPRResource) updatePolicyDrivenPRState(ctx context.Context,
 					},
 				},
 			},
-			"add_workflows": types.StringType,
+			"add_workflows":     types.StringType,
+			"action_commit_map": types.MapType{ElemType: types.StringType},
 		},
 		map[string]attr.Value{
 			"create_pr":                                     types.BoolValue(stepSecurityPolicy.AutoRemdiationOptions.CreatePR),
@@ -1260,6 +1321,7 @@ func (r *policyDrivenPRResource) updatePolicyDrivenPRState(ctx context.Context,
 			"update_precommit_file":                         updatePrecommitFileList,
 			"package_ecosystem":                             packageEcosystemList,
 			"add_workflows":                                 addWorkflowsValue,
+			"action_commit_map":                             actionCommitMapValue,
 		},
 	)
 	state.AutoRemdiationOptions = optionsObj
diff --git a/internal/stepsecurity-api/gh-policy-driven-prs.go b/internal/stepsecurity-api/gh-policy-driven-prs.go
@@ -30,6 +30,7 @@ type AutoRemdiationOptions struct {
 	UpdatePrecommitFile                     []string           `json:"update_precommit_file,omitempty"`
 	PackageEcosystem                        []DependabotConfig `json:"package_ecosystem,omitempty"`
 	AddWorkflows                            string             `json:"add_workflows,omitempty"`
+	ActionCommitMap                         map[string]string  `json:"action_commit_map"`
 }
 
 // API request/response structures matching agent-api
@@ -56,6 +57,7 @@ type controlSettings struct {
 	PackageEcosystem              []DependabotConfig `json:"package_ecosystem,omitempty"`
 	AddWorkflows                  string             `json:"add_workflows,omitempty"`
 	ApplyIssuePRConfigForAllRepos *bool              `json:"apply_issue_pr_config_for_all_repos,omitempty"`
+	ActionCommitMap               map[string]string  `json:"action_commit_map"`
 }
 
 type DependabotConfig struct {
@@ -169,6 +171,7 @@ func (c *APIClient) CreatePolicyDrivenPRPolicy(ctx context.Context, createReques
 		UpdatePrecommitFile:           updatePrecommitFileMap,
 		PackageEcosystem:              createRequest.AutoRemdiationOptions.PackageEcosystem,
 		AddWorkflows:                  createRequest.AutoRemdiationOptions.AddWorkflows,
+		ActionCommitMap:               createRequest.AutoRemdiationOptions.ActionCommitMap,
 		ApplyIssuePRConfigForAllRepos: &applyToAllRepos,
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,12 @@ resource "stepsecurity_policy_driven_pr" "repo_level_config" {`
`76`	`76`	`}`
`77`	`77`	`]`
`78`	`78`	`add_workflows = "https://github.com/[owner]/[repo]"`
	`79`	`+ action_commit_map = {`
	`80`	`+ "codecov/codecov-action@v5" : "cf3f51a67d2820f7a7cefa0831889fbbef41ca57",`
	`81`	`+ "codecov/codecov-action@v4" : "5ecb98a3c6b747ed38dc09f787459979aebb39be",`
	`82`	`+ "google-github-actions/auth@v2" : "ba79af03959ebeac9769e648f473a284504d9193",`
	`83`	`+ "google-github-actions/auth@v3" : "7c6bc770dae815cd3e89ee6cdf493a5fab2cc093"`
	`84`	`+ }`
`79`	`85`	`}`
`80`	`86`	`}`
`81`	`87`
`@@ -132,6 +138,7 @@ import {`
`132`	`138`
`133`	`139`	`Optional:`
`134`	`140`
	`141`	+- `action_commit_map` (Map of String) Map of actions to their corresponding commit SHAs to bypass pinning
`135`	`142`	- `actions_to_exempt_while_pinning` (List of String) List of actions to exempt while pinning actions to SHA. When exempted, the action will not be pinned to SHA.
`136`	`143`	- `actions_to_replace_with_step_security_actions` (List of String) List of actions to replace with Step Security actions. When provided, the actions will be replaced with Step Security actions.
`137`	`144`	- `add_workflows` (String) Additional workflows to add as part of policy-driven PR.
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,12 @@ resource "stepsecurity_policy_driven_pr" "repo_level_config" {`
`62`	`62`	`}`
`63`	`63`	`]`
`64`	`64`	`add_workflows = "https://github.com/[owner]/[repo]"`
	`65`	`+ action_commit_map = {`
	`66`	`+ "codecov/codecov-action@v5" : "cf3f51a67d2820f7a7cefa0831889fbbef41ca57",`
	`67`	`+ "codecov/codecov-action@v4" : "5ecb98a3c6b747ed38dc09f787459979aebb39be",`
	`68`	`+ "google-github-actions/auth@v2" : "ba79af03959ebeac9769e648f473a284504d9193",`
	`69`	`+ "google-github-actions/auth@v3" : "7c6bc770dae815cd3e89ee6cdf493a5fab2cc093"`
	`70`	`+ }`
`65`	`71`	`}`
`66`	`72`	`}`
`67`	`73`
`@@ -93,4 +99,4 @@ resource "stepsecurity_policy_driven_pr" "org_level_with_exclusions" {`
`93`	`99`	`import {`
`94`	`100`	`to = stepsecurity_policy_driven_pr.org_level_all`
`95`	`101`	`id = "test-organization"`
`96`		`-}`
	`102`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ type AutoRemdiationOptions struct {`
`30`	`30`	UpdatePrecommitFile []string `json:"update_precommit_file,omitempty"`
`31`	`31`	PackageEcosystem []DependabotConfig `json:"package_ecosystem,omitempty"`
`32`	`32`	AddWorkflows string `json:"add_workflows,omitempty"`
	`33`	+ ActionCommitMap map[string]string `json:"action_commit_map"`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`// API request/response structures matching agent-api`
`@@ -56,6 +57,7 @@ type controlSettings struct {`
`56`	`57`	PackageEcosystem []DependabotConfig `json:"package_ecosystem,omitempty"`
`57`	`58`	AddWorkflows string `json:"add_workflows,omitempty"`
`58`	`59`	ApplyIssuePRConfigForAllRepos *bool `json:"apply_issue_pr_config_for_all_repos,omitempty"`
	`60`	+ ActionCommitMap map[string]string `json:"action_commit_map"`
`59`	`61`	`}`
`60`	`62`
`61`	`63`	`type DependabotConfig struct {`
`@@ -169,6 +171,7 @@ func (c *APIClient) CreatePolicyDrivenPRPolicy(ctx context.Context, createReques`
`169`	`171`	`UpdatePrecommitFile: updatePrecommitFileMap,`
`170`	`172`	`PackageEcosystem: createRequest.AutoRemdiationOptions.PackageEcosystem,`
`171`	`173`	`AddWorkflows: createRequest.AutoRemdiationOptions.AddWorkflows,`
	`174`	`+ ActionCommitMap: createRequest.AutoRemdiationOptions.ActionCommitMap,`
`172`	`175`	`ApplyIssuePRConfigForAllRepos: &applyToAllRepos,`
`173`	`176`	`}`
`174`	`177`