Merge pull request step-security#2590 from vamshi-stepsecurity/feat/hardenrunner-runner-label

sailikhith-stepsecurity · web-flow · commit 31278aad561a · 2026-04-10T12:13:03.000+05:30
match group labels
diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
@@ -24,21 +24,33 @@ type HardenRunnerConfig struct {
 }
 
 // getJobRunsOnLabels extracts the runs-on labels from a job's yaml.Node.
-// Handles both scalar (runs-on: ubuntu-latest) and sequence (runs-on: [self-hosted, linux]) formats.
+// Handles scalar (runs-on: ubuntu-latest), sequence (runs-on: [self-hosted, linux]),
+// and mapping with labels key (runs-on: {labels: [self-hosted, linux]}) formats.
 func getJobRunsOnLabels(jobNode *yaml.Node) []string {
 	for i := 0; i < len(jobNode.Content); i += 2 {
 		keyNode := jobNode.Content[i]
 		if keyNode.Value == "runs-on" && i+1 < len(jobNode.Content) {
-			valNode := jobNode.Content[i+1]
-			switch valNode.Kind {
-			case yaml.ScalarNode:
-				return []string{valNode.Value}
-			case yaml.SequenceNode:
-				var labels []string
-				for _, item := range valNode.Content {
-					labels = append(labels, item.Value)
-				}
-				return labels
+			return extractLabels(jobNode.Content[i+1])
+		}
+	}
+	return nil
+}
+
+// extractLabels extracts labels from a yaml.Node that can be a scalar, sequence, or mapping with a "labels" key.
+func extractLabels(node *yaml.Node) []string {
+	switch node.Kind {
+	case yaml.ScalarNode:
+		return []string{node.Value}
+	case yaml.SequenceNode:
+		var labels []string
+		for _, item := range node.Content {
+			labels = append(labels, item.Value)
+		}
+		return labels
+	case yaml.MappingNode:
+		for j := 0; j < len(node.Content); j += 2 {
+			if node.Content[j].Value == "labels" && j+1 < len(node.Content) {
+				return extractLabels(node.Content[j+1])
 			}
 		}
 	}
diff --git a/remediation/workflow/hardenrunner/addaction_test.go b/remediation/workflow/hardenrunner/addaction_test.go
@@ -209,6 +209,26 @@ func TestRunnerLabelFiltering(t *testing.T) {
 			wantUpdated: true,
 			outputFile:  "labelScalar.yml",
 		},
+		{
+			name:      "both slices overlap",
+			inputFile: "labelArray.yml",
+			config: HardenRunnerConfig{
+				SkipHardenRunner: true,
+				RunnerLabels:     []string{"windows-latest", "ubuntu-latest", "macos-latest"},
+			},
+			wantUpdated: true,
+			outputFile:  "labelArray.yml",
+		},
+		{
+			name:      "both slices no overlap",
+			inputFile: "labelArray.yml",
+			config: HardenRunnerConfig{
+				SkipHardenRunner: true,
+				RunnerLabels:     []string{"windows-latest", "macos-latest"},
+			},
+			wantUpdated: false,
+			unchanged:   true,
+		},
 		{
 			name:      "multi-job mixed labels",
 			inputFile: "labelMultiJob.yml",
@@ -219,6 +239,36 @@ func TestRunnerLabelFiltering(t *testing.T) {
 			wantUpdated: true,
 			outputFile:  "labelMultiJob.yml",
 		},
+		{
+			name:      "mapping with labels array",
+			inputFile: "labelMapping.yml",
+			config: HardenRunnerConfig{
+				SkipHardenRunner: true,
+				RunnerLabels:     []string{"ubuntu-latest"},
+			},
+			wantUpdated: true,
+			outputFile:  "labelMapping.yml",
+		},
+		{
+			name:      "mapping with labels scalar",
+			inputFile: "labelMappingScalar.yml",
+			config: HardenRunnerConfig{
+				SkipHardenRunner: true,
+				RunnerLabels:     []string{"ubuntu-latest"},
+			},
+			wantUpdated: true,
+			outputFile:  "labelMappingScalar.yml",
+		},
+		{
+			name:      "mapping with labels no match",
+			inputFile: "labelMapping.yml",
+			config: HardenRunnerConfig{
+				SkipHardenRunner: true,
+				RunnerLabels:     []string{"windows-latest"},
+			},
+			wantUpdated: false,
+			unchanged:   true,
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/testfiles/addaction/input/labelArray.yml b/testfiles/addaction/input/labelArray.yml
@@ -3,7 +3,8 @@ on:
   push:
 jobs:
   build:
-    runs-on: [self-hosted, linux, ubuntu-latest]
+    # Run on self-hosted runners with ubuntu
+    runs-on: [self-hosted, linux, ubuntu-latest] # custom runner pool
     steps:
       - uses: actions/checkout@v3
       - run: echo "build"
diff --git a/testfiles/addaction/input/labelMapping.yml b/testfiles/addaction/input/labelMapping.yml
@@ -0,0 +1,11 @@
+name: test-label-mapping
+on:
+  push:
+jobs:
+  build:
+    runs-on:
+      # Use specific runner labels
+      labels: [self-hosted, linux, ubuntu-latest] # approved labels
+    steps:
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/input/labelMappingScalar.yml b/testfiles/addaction/input/labelMappingScalar.yml
@@ -0,0 +1,11 @@
+name: test-label-mapping-scalar
+on:
+  push:
+jobs:
+  build:
+    runs-on:
+      group: large-runners
+      labels: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/output/labelArray.yml b/testfiles/addaction/output/labelArray.yml
@@ -3,7 +3,8 @@ on:
   push:
 jobs:
   build:
-    runs-on: [self-hosted, linux, ubuntu-latest]
+    # Run on self-hosted runners with ubuntu
+    runs-on: [self-hosted, linux, ubuntu-latest] # custom runner pool
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@v2
diff --git a/testfiles/addaction/output/labelMapping.yml b/testfiles/addaction/output/labelMapping.yml
@@ -0,0 +1,16 @@
+name: test-label-mapping
+on:
+  push:
+jobs:
+  build:
+    runs-on:
+      # Use specific runner labels
+      labels: [self-hosted, linux, ubuntu-latest] # approved labels
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
diff --git a/testfiles/addaction/output/labelMappingScalar.yml b/testfiles/addaction/output/labelMappingScalar.yml
@@ -0,0 +1,16 @@
+name: test-label-mapping-scalar
+on:
+  push:
+jobs:
+  build:
+    runs-on:
+      group: large-runners
+      labels: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
