Merge pull request step-security#2597 from vamshi-stepsecurity/bug/hr-config

avoid duplicate addition for custom actions

Author: vamshi-stepsecurity

remediation/workflow/hardenrunner/addaction.go

@@ -93,6 +93,10 @@ func AddAction(inputYaml string, hardenRunnerConfig HardenRunnerConfig, pinActio
 		return "", updated, fmt.Errorf("unable to parse yaml %v", err)
 	}
 
+	// Extract the action path from the config to detect custom actions already present.
+	configAction := getActionFromConfig(hardenRunnerConfig)
+	configActionPath := strings.Split(configAction, "@")[0]
+
 	// Build a map of jobName → yaml.Node for runs-on label lookup
 	jobNodeMap := map[string]*yaml.Node{}
 	if hardenRunnerConfig.SkipHardenRunner && len(hardenRunnerConfig.RunnerLabels) > 0 {
@@ -128,7 +132,7 @@ func AddAction(inputYaml string, hardenRunnerConfig HardenRunnerConfig, pinActio
 		}
 		alreadyPresent := false
 		for _, step := range job.Steps {
-			if len(step.Uses) > 0 && strings.HasPrefix(step.Uses, HardenRunnerActionPath) {
+			if len(step.Uses) > 0 && (strings.HasPrefix(step.Uses, HardenRunnerActionPath) || strings.HasPrefix(step.Uses, configActionPath)) {
 				alreadyPresent = true
 				break
 			}

remediation/workflow/hardenrunner/addaction_test.go

@@ -91,6 +91,20 @@ func TestCustomActionConfig(t *testing.T) {
 			wantUpdated: true,
 			outputFile:  "customActionSubtractive.yml",
 		},
+		{
+			name:        "three jobs: custom present, harden-runner present, empty gets action",
+			inputFile:   "customActionAlreadyPresent.yml",
+			config:      HardenRunnerConfig{Config: customConfig},
+			wantUpdated: true,
+			outputFile:  "customActionAlreadyPresent.yml",
+		},
+		{
+			name:        "subtractive three jobs: custom unchanged, harden-runner replaced, empty gets action",
+			inputFile:   "customActionAlreadyPresentSubtractive.yml",
+			config:      HardenRunnerConfig{Config: customConfig, Subtractive: true},
+			wantUpdated: true,
+			outputFile:  "customActionAlreadyPresentSubtractive.yml",
+		},
 	}
 
 	for _, tt := range tests {

testfiles/addaction/input/customActionAlreadyPresent.yml

@@ -0,0 +1,32 @@
+name: test-custom-action-three-jobs
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Security Scanner
+        uses: org/security-scanner@v3
+        with:
+          mode: strict
+          scan-level: deep
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v3
+      - run: echo "lint"
+
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: echo "deploy"

testfiles/addaction/input/customActionAlreadyPresentSubtractive.yml

@@ -0,0 +1,32 @@
+name: test-custom-action-three-jobs-subtractive
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Security Scanner
+        uses: org/security-scanner@v3
+        with:
+          mode: strict
+          scan-level: deep
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v3
+      - run: echo "lint"
+
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: echo "deploy"

testfiles/addaction/output/customActionAlreadyPresent.yml

@@ -0,0 +1,38 @@
+name: test-custom-action-three-jobs
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Security Scanner
+        uses: org/security-scanner@v3
+        with:
+          mode: strict
+          scan-level: deep
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v3
+      - run: echo "lint"
+
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Security Scanner
+        uses: org/security-scanner@v3
+        with:
+          mode: strict
+          scan-level: deep
+
+      - uses: actions/checkout@v3
+      - run: echo "deploy"

testfiles/addaction/output/customActionAlreadyPresentSubtractive.yml

@@ -0,0 +1,39 @@
+name: test-custom-action-three-jobs-subtractive
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Security Scanner
+        uses: org/security-scanner@v3
+        with:
+          mode: strict
+          scan-level: deep
+
+      - uses: actions/checkout@v3
+      - run: echo "build"
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Security Scanner
+        uses: org/security-scanner@v3
+        with:
+          mode: strict
+          scan-level: deep
+
+      - uses: actions/checkout@v3
+      - run: echo "lint"
+
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Security Scanner
+        uses: org/security-scanner@v3
+        with:
+          mode: strict
+          scan-level: deep
+
+      - uses: actions/checkout@v3
+      - run: echo "deploy"