Merge pull request #1379 from step-security/update-harden-harden-int

varunsh-coder · web-flow · commit cc5afdced8d8 · 2022-11-08T20:46:06.000-08:00
Update harden runner version
diff --git a/README.md b/README.md
@@ -190,7 +190,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v1
+        uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
 
diff --git a/remediation/workflow/hardenrunner/addaction_test.go b/remediation/workflow/hardenrunner/addaction_test.go
@@ -20,11 +20,11 @@ func TestAddAction(t *testing.T) {
 		wantErr     bool
 		wantUpdated bool
 	}{
-		{name: "one job", args: args{inputYaml: "action-issues.yml", action: "step-security/harden-runner@v1"}, want: "action-issues.yml", wantErr: false, wantUpdated: true},
-		{name: "two jobs", args: args{inputYaml: "2jobs.yml", action: "step-security/harden-runner@v1"}, want: "2jobs.yml", wantErr: false, wantUpdated: true},
-		{name: "already present", args: args{inputYaml: "alreadypresent.yml", action: "step-security/harden-runner@v1"}, want: "alreadypresent.yml", wantErr: false, wantUpdated: true},
-		{name: "already present 2", args: args{inputYaml: "alreadypresent_2.yml", action: "step-security/harden-runner@v1"}, want: "alreadypresent_2.yml", wantErr: false, wantUpdated: false},
-		{name: "reusable job", args: args{inputYaml: "reusablejob.yml", action: "step-security/harden-runner@v1"}, want: "reusablejob.yml", wantErr: false, wantUpdated: false},
+		{name: "one job", args: args{inputYaml: "action-issues.yml", action: "step-security/harden-runner@v2"}, want: "action-issues.yml", wantErr: false, wantUpdated: true},
+		{name: "two jobs", args: args{inputYaml: "2jobs.yml", action: "step-security/harden-runner@v2"}, want: "2jobs.yml", wantErr: false, wantUpdated: true},
+		{name: "already present", args: args{inputYaml: "alreadypresent.yml", action: "step-security/harden-runner@v2"}, want: "alreadypresent.yml", wantErr: false, wantUpdated: true},
+		{name: "already present 2", args: args{inputYaml: "alreadypresent_2.yml", action: "step-security/harden-runner@v2"}, want: "alreadypresent_2.yml", wantErr: false, wantUpdated: false},
+		{name: "reusable job", args: args{inputYaml: "reusablejob.yml", action: "step-security/harden-runner@v2"}, want: "reusablejob.yml", wantErr: false, wantUpdated: false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
@@ -7,7 +7,7 @@ import (
 	"github.com/step-security/secure-workflows/remediation/workflow/pin"
 )
 
-const HardenRunnerActionPathWithTag = "step-security/harden-runner@v1"
+const HardenRunnerActionPathWithTag = "step-security/harden-runner@v2"
 
 func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI) (*permissions.SecureWorkflowReponse, error) {
 	pinActions, addHardenRunner, addPermissions, addProjectComment := true, true, true, true
diff --git a/remediation/workflow/secureworkflow_test.go b/remediation/workflow/secureworkflow_test.go
@@ -20,7 +20,7 @@ func TestSecureWorkflow(t *testing.T) {
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/v1",
 		httpmock.NewStringResponder(200, `544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9`))
 
-	httpmock.RegisterResponder("GET", "https://api.github.com/repos/step-security/harden-runner/commits/v1",
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/step-security/harden-runner/commits/v2",
 		httpmock.NewStringResponder(200, `7206db2ec98c5538323a6d70e51f965d55c11c87`))
 
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/github/super-linter/commits/v3",
diff --git a/testfiles/addaction/input/alreadypresent_2.yml b/testfiles/addaction/input/alreadypresent_2.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@v1
+       uses: step-security/harden-runner@v2
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/testfiles/addaction/output/2jobs.yml b/testfiles/addaction/output/2jobs.yml
@@ -6,7 +6,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@v1
+       uses: step-security/harden-runner@v2
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@v1
+       uses: step-security/harden-runner@v2
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/testfiles/addaction/output/action-issues.yml b/testfiles/addaction/output/action-issues.yml
@@ -10,7 +10,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@v1
+      uses: step-security/harden-runner@v2
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/testfiles/addaction/output/alreadypresent.yml b/testfiles/addaction/output/alreadypresent.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@v1
+       uses: step-security/harden-runner@v2
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/testfiles/addaction/output/alreadypresent_2.yml b/testfiles/addaction/output/alreadypresent_2.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
      - name: Harden Runner
-       uses: step-security/harden-runner@v1
+       uses: step-security/harden-runner@v2
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
diff --git a/testfiles/joblevelpermskb/input/duplicate-perms.yml b/testfiles/joblevelpermskb/input/duplicate-perms.yml
@@ -7,7 +7,7 @@ jobs:
   create-pr:
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@v1
+      - uses: step-security/harden-runner@v2
       - uses: actions/checkout@v2
       - name: Create commits
         run: |
diff --git a/testfiles/joblevelpermskb/output/duplicate-perms.yml b/testfiles/joblevelpermskb/output/duplicate-perms.yml
@@ -10,7 +10,7 @@ jobs:
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@v1
+      - uses: step-security/harden-runner@v2
       - uses: actions/checkout@v2
       - name: Create commits
         run: |
diff --git a/testfiles/secureworkflow/output/nopin.yml b/testfiles/secureworkflow/output/nopin.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest  
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v1
+        uses: step-security/harden-runner@v2
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import (`
`7`	`7`	`"github.com/step-security/secure-workflows/remediation/workflow/pin"`
`8`	`8`	`)`
`9`	`9`
`10`		`-const HardenRunnerActionPathWithTag = "step-security/harden-runner@v1"`
	`10`	`+const HardenRunnerActionPathWithTag = "step-security/harden-runner@v2"`
`11`	`11`
`12`	`12`	`func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI) (*permissions.SecureWorkflowReponse, error) {`
`13`	`13`	`pinActions, addHardenRunner, addPermissions, addProjectComment := true, true, true, true`