Merge pull request #2550 from vamshi-stepsecurity/use/secure-repo-pat

sailikhith-stepsecurity · web-flow · commit 789ba827de3d · 2025-11-03T16:33:09.000+05:30
support for passing logger
diff --git a/remediation/workflow/permissions/permissions.go b/remediation/workflow/permissions/permissions.go
@@ -25,6 +25,7 @@ type SecureWorkflowReponse struct {
 	WorkflowFetchError     bool
 	JobErrors              []JobError
 	MissingActions         []string
+	UsingSecureRepoPAT     bool
 }
 
 type JobError struct {
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -43,8 +43,8 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
 }
 
 func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
-
 	updated := false
+
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
 		return inputYaml, updated, nil // Cannot pin local actions and docker actions
 	}
@@ -274,3 +274,7 @@ func ActionExists(actionName string, patterns []string) bool {
 	}
 	return false
 }
+
+func UsingSecureRepoPAT() bool {
+	return os.Getenv("SECURE_REPO_PAT") != ""
+}
diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
@@ -185,14 +185,16 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
 	secureWorkflowReponse.AddedPermissions = addedPermissions
 	secureWorkflowReponse.AddedMaintainedActions = replacedMaintainedActions
+	secureWorkflowReponse.UsingSecureRepoPAT = pin.UsingSecureRepoPAT()
 
 	if enableLogging {
-		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, AddedMaintainedActions: %v, HasErrors: %v",
+		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, AddedMaintainedActions: %v, HasErrors: %v, UsingSecureRepoPAT: %v",
 			secureWorkflowReponse.PinnedActions,
 			secureWorkflowReponse.AddedHardenRunner,
 			secureWorkflowReponse.AddedPermissions,
 			secureWorkflowReponse.AddedMaintainedActions,
-			secureWorkflowReponse.HasErrors)
+			secureWorkflowReponse.HasErrors,
+			secureWorkflowReponse.UsingSecureRepoPAT)
 	}
 
 	return secureWorkflowReponse, nil

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ type SecureWorkflowReponse struct {`
`25`	`25`	`WorkflowFetchError bool`
`26`	`26`	`JobErrors []JobError`
`27`	`27`	`MissingActions []string`
	`28`	`+ UsingSecureRepoPAT bool`
`28`	`29`	`}`
`29`	`30`
`30`	`31`	`type JobError struct {`
Original file line number	Diff line number	Diff line change
`@@ -43,8 +43,8 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {`
`46`		`-`
`47`	`46`	`updated := false`
	`47`	`+`
`48`	`48`	`if !strings.Contains(action, "@") \|\| strings.HasPrefix(action, "docker://") {`
`49`	`49`	`return inputYaml, updated, nil // Cannot pin local actions and docker actions`
`50`	`50`	`}`
`@@ -274,3 +274,7 @@ func ActionExists(actionName string, patterns []string) bool {`
`274`	`274`	`}`
`275`	`275`	`return false`
`276`	`276`	`}`
	`277`	`+`
	`278`	`+func UsingSecureRepoPAT() bool {`
	`279`	`+ return os.Getenv("SECURE_REPO_PAT") != ""`
	`280`	`+}`