toggle replace action for major tag

Author: vamshi-stepsecurity

remediation/workflow/maintainedactions/maintainedActions.go

@@ -56,8 +56,41 @@ func LoadMaintainedActions(jsonPath string) (map[string]string, error) {
 	return actionMap, nil
 }
 
-// ReplaceActions replaces original actions with Step Security actions in a workflow
-func ReplaceActions(inputYaml string, customerMaintainedActions map[string]string) (string, bool, error) {
+// resolveVersion determines the version to use for the replacement action.
+// When replaceByMajorTag is true, it matches the major version from the original action.
+// When false (default), it uses the latest release of the new action.
+func resolveVersion(originalUses, actionName, newAction string, replaceByMajorTag bool) (string, error) {
+	if !replaceByMajorTag {
+		return GetLatestRelease(newAction)
+	}
+
+	parts := strings.SplitN(originalUses, "@", 2)
+	if len(parts) < 2 || parts[1] == "" {
+		return "", fmt.Errorf("no ref found in %s", originalUses)
+	}
+	ref := parts[1]
+	var version string
+	var err error
+	if len(ref) == 40 && pin.IsAllHex(ref) {
+		version, err = GetMajorTagFromSHA(actionName, ref)
+		if err != nil || version == "" {
+			return "", fmt.Errorf("unable to resolve SHA %s to major tag", ref)
+		}
+	} else {
+		version = ref
+	}
+	majorVersion := getMajorVersion(version)
+	tag, exists, err := GetMajorTagIfExists(newAction, majorVersion)
+	if err != nil || !exists {
+		return "", fmt.Errorf("major tag %s not found on %s", majorVersion, newAction)
+	}
+	return tag, nil
+}
+
+// ReplaceActions replaces original actions with Step Security actions in a workflow.
+// When replaceByMajorTag is true, the replacement action uses the same major version as the original.
+// When false (default), it uses the latest release of the replacement action.
+func ReplaceActions(inputYaml string, customerMaintainedActions map[string]string, replaceByMajorTag bool) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
 
@@ -79,31 +112,16 @@ func ReplaceActions(inputYaml string, customerMaintainedActions map[string]strin
 		for stepIdx, step := range job.Steps {
 			actionName := strings.Split(step.Uses, "@")[0]
 			if newAction, ok := actionMap[actionName]; ok {
-				parts := strings.SplitN(step.Uses, "@", 2)
-				if len(parts) < 2 || parts[1] == "" {
-					continue
-				}
-				ref := parts[1]
-				var version string
-				if len(ref) == 40 && pin.IsAllHex(ref) {
-					version, err = GetMajorTagFromSHA(actionName, ref)
-					if err != nil || version == "" {
-						continue
-					}
-				} else {
-					version = ref
-				}
-				majorVersion := getMajorVersion(version)
-				tag, exists, err := GetMajorTagIfExists(newAction, majorVersion)
-				if err != nil || !exists {
+				version, err := resolveVersion(step.Uses, actionName, newAction, replaceByMajorTag)
+				if err != nil {
 					continue
 				}
 				replacements = append(replacements, replacement{
 					jobName:        jobName,
 					stepIdx:        stepIdx,
 					newAction:      newAction,
 					originalAction: step.Uses,
-					latestVersion:  tag,
+					latestVersion:  version,
 				})
 			}
 		}
@@ -115,31 +133,16 @@ func ReplaceActions(inputYaml string, customerMaintainedActions map[string]strin
 			if len(step.Uses) > 0 {
 				actionName := strings.Split(step.Uses, "@")[0]
 				if newAction, ok := actionMap[actionName]; ok {
-					parts := strings.SplitN(step.Uses, "@", 2)
-					if len(parts) < 2 || parts[1] == "" {
-						continue
-					}
-					ref := parts[1]
-					var version string
-					if len(ref) == 40 && pin.IsAllHex(ref) {
-						version, err = GetMajorTagFromSHA(actionName, ref)
-						if err != nil || version == "" {
-							continue
-						}
-					} else {
-						version = ref
-					}
-					majorVersion := getMajorVersion(version)
-					tag, exists, err := GetMajorTagIfExists(newAction, majorVersion)
-					if err != nil || !exists {
+					version, err := resolveVersion(step.Uses, actionName, newAction, replaceByMajorTag)
+					if err != nil {
 						continue
 					}
 					replacements = append(replacements, replacement{
 						jobName:        "composite",
 						stepIdx:        stepIdx,
 						newAction:      newAction,
 						originalAction: step.Uses,
-						latestVersion:  tag,
+						latestVersion:  version,
 					})
 				}
 			}

remediation/workflow/maintainedactions/maintainedactions_test.go

@@ -88,7 +88,7 @@ func TestReplaceActions(t *testing.T) {
 				t.Errorf("ReplaceActions() unable to json file %v", err)
 				return
 			}
-			got, updated, replaceErr := ReplaceActions(string(input), actionMap)
+			got, updated, replaceErr := ReplaceActions(string(input), actionMap, true)
 
 			// Check error
 			if (replaceErr != nil) != tt.wantErr {
@@ -116,6 +116,110 @@ func TestReplaceActions(t *testing.T) {
 	}
 }
 
+func TestReplaceActionsLatestRelease(t *testing.T) {
+	const inputDirectory = "../../../testfiles/maintainedActions/input"
+	const outputDirectory = "../../../testfiles/maintainedActions/output"
+
+	// Activate httpmock
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	// Mock GitHub API responses for GetLatestRelease (GET /repos/{owner}/{repo}/releases/latest)
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/step-security/action-semantic-pull-request/releases/latest",
+		httpmock.NewStringResponder(200, `{"id":1,"tag_name":"v6.1.0","name":"v6.1.0"}`))
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/step-security/skip-duplicate-actions/releases/latest",
+		httpmock.NewStringResponder(200, `{"id":2,"tag_name":"v5.3.1","name":"v5.3.1"}`))
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/step-security/git-restore-mtime-action/releases/latest",
+		httpmock.NewStringResponder(200, `{"id":3,"tag_name":"v2.0.0","name":"v2.0.0"}`))
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/step-security/actions-cache/releases/latest",
+		httpmock.NewStringResponder(200, `{"id":4,"tag_name":"v4.0.0","name":"v4.0.0"}`))
+
+	tests := []struct {
+		name        string
+		inputFile   string
+		outputFile  string
+		wantUpdated bool
+		wantErr     bool
+	}{
+		{
+			name:        "one job with latest release versions",
+			inputFile:   "oneJob.yml",
+			outputFile:  "oneJobLatest.yml",
+			wantUpdated: true,
+			wantErr:     false,
+		},
+		{
+			name:        "no changes needed - already using maintained actions",
+			inputFile:   "noChangesNeeded.yml",
+			outputFile:  "noChangesNeeded.yml",
+			wantUpdated: false,
+			wantErr:     false,
+		},
+		{
+			name:        "double job with latest release versions",
+			inputFile:   "doubleJob.yml",
+			outputFile:  "doubleJobLatest.yml",
+			wantUpdated: true,
+			wantErr:     false,
+		},
+		{
+			name:        "composite action with latest release versions",
+			inputFile:   "compositeAction.yml",
+			outputFile:  "compositeActionLatest.yml",
+			wantUpdated: true,
+			wantErr:     false,
+		},
+		{
+			name:        "replacement happens even when major version differs (latest release used)",
+			inputFile:   "noMatchingMajorVersion.yml",
+			outputFile:  "noMatchingMajorVersionLatest.yml",
+			wantUpdated: true,
+			wantErr:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Read input file
+			input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.inputFile))
+			if err != nil {
+				t.Fatalf("error reading input file: %v", err)
+			}
+			actionMap, err := LoadMaintainedActions("maintainedActions.json")
+			if err != nil {
+				t.Errorf("ReplaceActions() unable to json file %v", err)
+				return
+			}
+			got, updated, replaceErr := ReplaceActions(string(input), actionMap, false)
+
+			// Check error
+			if (replaceErr != nil) != tt.wantErr {
+				t.Errorf("ReplaceActions() error = %v, wantErr %v", replaceErr, tt.wantErr)
+				return
+			}
+
+			// Check if updated flag matches
+			if updated != tt.wantUpdated {
+				t.Errorf("ReplaceActions() updated = %v, wantUpdated %v", updated, tt.wantUpdated)
+			}
+
+			// Read expected output file
+			expectedOutput, err := ioutil.ReadFile(path.Join(outputDirectory, tt.outputFile))
+			if err != nil {
+				t.Fatalf("error reading expected output file: %v", err)
+			}
+
+			// Compare output with expected
+			if got != string(expectedOutput) {
+				t.Errorf("ReplaceActions() = %v, want %v", got, string(expectedOutput))
+			}
+		})
+	}
+}
+
 func TestSome(t *testing.T) {
 
 	version, err := GetMajorTagFromSHA("tj-actions/changed-files", "00f80efd45353091691a96565de08f4f50c685f8")

remediation/workflow/secureworkflow.go

@@ -25,6 +25,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	enableLogging := false
 	addEmptyTopLevelPermissions := false
 	skipHardenRunnerForContainers := false
+	replaceActionByMajorTag := false
 	exemptedActions, pinToImmutable, maintainedActionsMap, actionCommitMap, runnerLabelMap := []string{}, false, map[string]string{}, map[string]string{}, map[string]string{}
 	hardenRunnerConfig := hardenrunner.HardenRunnerConfig{}
 
@@ -98,6 +99,10 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		skipHardenRunnerForContainers = true
 	}
 
+	if queryStringParams["replaceActionByMajorTag"] == "true" {
+		replaceActionByMajorTag = true
+	}
+
 	if enableLogging {
 		// Log query parameters
 		paramsJSON, _ := json.MarshalIndent(queryStringParams, "", "  ")
@@ -151,7 +156,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	}
 
 	if replaceMaintainedActions {
-		secureWorkflowReponse.FinalOutput, replacedMaintainedActions, err = maintainedactions.ReplaceActions(secureWorkflowReponse.FinalOutput, maintainedActionsMap)
+		secureWorkflowReponse.FinalOutput, replacedMaintainedActions, err = maintainedactions.ReplaceActions(secureWorkflowReponse.FinalOutput, maintainedActionsMap, replaceActionByMajorTag)
 		if err != nil {
 			log.Printf("Error replacing maintained actions: %v", err)
 			secureWorkflowReponse.HasErrors = true

remediation/workflow/secureworkflow_test.go

@@ -231,11 +231,13 @@ func TestSecureWorkflow(t *testing.T) {
 			queryParams["addHardenRunner"] = "true"
 			queryParams["pinActions"] = "true"
 			queryParams["addPermissions"] = "false"
+			queryParams["replaceActionByMajorTag"] = "true"
 		case "compositeAction.yml":
 			queryParams["addMaintainedActions"] = "true"
 			queryParams["addHardenRunner"] = "false"
 			queryParams["pinActions"] = "true"
 			queryParams["addPermissions"] = "false"
+			queryParams["replaceActionByMajorTag"] = "true"
 		}
 		queryParams["addProjectComment"] = "false"
 

testfiles/maintainedActions/output/compositeActionLatest.yml

@@ -0,0 +1,27 @@
+name: 'Test Composite Action'
+description: 'Test composite action for maintained actions replacement'
+branding:
+  icon: 'arrow-up'
+  color: 'blue'
+inputs:
+  component:
+    description: 'Component Name'
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    - uses: step-security/action-semantic-pull-request@v6
+      with:
+        types: feat,fix,chore
+
+    - uses: step-security/skip-duplicate-actions@v5
+      with:
+        do_not_skip: '["release"]'
+
+    - uses: step-security/git-restore-mtime-action@v2
+      with:
+        pattern: '**/*'
+
+    - name: Run custom script
+      run: echo "Running custom script"
+      shell: bash

testfiles/maintainedActions/output/doubleJobLatest.yml

@@ -0,0 +1,31 @@
+name: Test Workflow - Double Job
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/action-semantic-pull-request@v6
+        with:
+          types: feat,fix,chore
+      - uses: step-security/skip-duplicate-actions@v5
+        with:
+          do_not_skip: '["release"]'
+      - uses: step-security/git-restore-mtime-action@v2
+        with:
+          pattern: '**/*'
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+      - uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node- 

testfiles/maintainedActions/output/noMatchingMajorVersionLatest.yml

@@ -0,0 +1,11 @@
+name: Test Workflow - No Matching Major Version
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: step-security/action-semantic-pull-request@v6
+        with:
+          types: feat,fix,chore

testfiles/maintainedActions/output/oneJobLatest.yml

@@ -0,0 +1,23 @@
+name: Test Workflow
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: step-security/action-semantic-pull-request@v6
+        with:
+          types: feat,fix,chore
+      - uses: step-security/skip-duplicate-actions@v5
+        with:
+          do_not_skip: '["release"]'
+      - uses: step-security/git-restore-mtime-action@v2
+        with:
+          pattern: '**/*'
+      - uses: step-security/actions-cache/restore@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-