From 8be5eda799078ac6bf353cbc23e9f539f904f73d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 22 Apr 2024 15:22:38 +0200
Subject: [PATCH] Add remediation for default_workflow_permissions

Fixes: #77
---
 rule-types/github/default_workflow_permissions.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rule-types/github/default_workflow_permissions.yaml b/rule-types/github/default_workflow_permissions.yaml
index 2060bfb..b52a2e4 100644
--- a/rule-types/github/default_workflow_permissions.yaml
+++ b/rule-types/github/default_workflow_permissions.yaml
@@ -54,6 +54,13 @@ def:
 def: ".can_approve_pull_request_reviews"
 profile:
 def: ".can_approve_pull_request_reviews"
+ remediate:
+ type: rest
+ rest:
+ method: PUT
+ endpoint: "/repos/{{.Entity.Owner}}/{{.Entity.Name}}/actions/permissions/workflow"
+ body: |
+ {"default_workflow_permissions": "{{ .Profile.default_workflow_permissions }}", "can_approve_pull_request_reviews": {{ .Profile.can_approve_pull_request_reviews }} }
 # Defines the configuration for alerting on the rule
 alert:
 type: security_advisory
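Review bot: The `body` template on the last added line splices profile values straight into hand-written JSON, so a missing or non-boolean `can_approve_pull_request_reviews` (rendered bare, outside quotes) produces a body that is not valid JSON and the remediation PUT is rejected by the API instead of being caught locally. `default_workflow_permissions` is at least quoted, but it is not JSON-escaped either; that is only safe if the rule's schema (outside this hunk) restricts it to the `read`/`write` values the endpoint accepts, which is worth confirming. If the template engine offers a JSON-marshalling function, prefer building the body from it over string concatenation; otherwise add a comment above `body:` such as `# Profile values are interpolated verbatim; both keys must be present and schema-constrained or the rendered body is not valid JSON`. The enclosing `def:` mapping starts before this hunk.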