Parse GitHub Action exclusion from rule def (#1934)
In the PR remediation that replaces tags with checksums, we need a way to
pass in an exclusion list from the user input in the profile.

This implements that by parsing an `exclude` key from the `def` section
of the rule.
JAORMX authored Dec 14, 2023
1 parent 4f6ca28 commit 851ff7c
Showing 4 changed files with 75 additions and 1 deletion.
Expand Up @@ -183,6 +183,7 @@ func (r *Remediator) Do(
prCfg: r.prCfg,
ghCli: r.ghCli,
bfs: ingested.Fs,
def: params.GetRule().Def.AsMap(),
})
if err != nil {
return nil, fmt.Errorf("cannot get modification: %w", err)
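Review bot: The added `def: params.GetRule().Def.AsMap(),` reads the `Def` field directly, so a nil rule returned by `GetRule()` would panic here instead of producing an empty map. If the rule is a generated protobuf message, the nil-safe getter chain `def: params.GetRule().GetDef().AsMap(),` gives the same map for a populated rule and an empty one otherwise. Whether `GetRule()` can be nil at this point is not visible, because the body of `Do` starts and ends outside the hunk.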
Expand Up @@ -174,6 +174,23 @@ func createTestRemArgs() *remediateArgs {
}
}

func createTestRemArgsWithExcludes() *remediateArgs {
return &remediateArgs{
remAction: interfaces.ActionOptOn,
ent: &pb.Repository{
Owner: repoOwner,
Name: repoName,
},
pol: map[string]any{
"exclude": []any{"actions/setup-go@v5"},
},
params: map[string]any{
// explicitly test non-default branch
"branch": "dependabot/gomod",
},
}
}

func happyPathMockSetup(mockGitHub *mock_ghclient.MockGitHub) {
// no pull requst so far
mockGitHub.EXPECT().
Expand Down Expand Up @@ -468,6 +485,31 @@ func TestPullRequestRemediate(t *testing.T) {

resolveActionMockSetup(t, mockGitHub, "repos/actions/checkout/git/refs/tags/v4", checkoutV4Ref)

mockGitHub.EXPECT().
CreatePullRequest(
gomock.Any(),
repoOwner, repoName,
frizbeeCommitTitle, frizbeePrBodyWithExcludes,
refFromBranch(branchBaseName(frizbeeCommitTitle)), dflBranchTo).
Return(nil, nil)
},
},
{
name: "resolve tags using frizbee with excludes from rule",
newRemArgs: &newPullRequestRemediateArgs{
prRem: frizbeePrRem(),
pbuild: testGithubProviderBuilder(),
actionType: TestActionTypeValid,
},
remArgs: createTestRemArgsWithExcludes(),
repoSetup: defaultMockRepoSetup,
mockSetup: func(t *testing.T, mockGitHub *mock_ghclient.MockGitHub) {
t.Helper()

happyPathMockSetup(mockGitHub)

resolveActionMockSetup(t, mockGitHub, "repos/actions/checkout/git/refs/tags/v4", checkoutV4Ref)

mockGitHub.EXPECT().
CreatePullRequest(
gomock.Any(),
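Review bot: The new case "resolve tags using frizbee with excludes from rule" covers only a well-formed `exclude` list, so the fallback branches of `parseExcludeFromDef` have no visible test. Because the exclude list decides which actions stay on mutable tags instead of being pinned to a checksum, a small table-driven test that calls `parseExcludeFromDef` directly would be worth adding, with a nil map, a missing key, a non-list value, a list holding a non-string element, and an empty list. A case where both the rule `def` and the rule type's `ActionsReplaceTagsWithSha` config carry excludes would also pin down which one wins. `TestPullRequestRemediate` continues outside the hunk, so coverage already present there cannot be judged from this page.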
Expand Up @@ -44,7 +44,9 @@ func newFrizbeeTagResolveModification(
params *modificationConstructorParams,
) (fsModifier, error) {
exclude := []string{}
if ex := params.prCfg.GetActionsReplaceTagsWithSha().GetExclude(); ex != nil {
if ex := parseExcludeFromDef(params.def); ex != nil {
exclude = ex
} else if ex := params.prCfg.GetActionsReplaceTagsWithSha().GetExclude(); ex != nil {
exclude = ex
}
return &frizbeeTagResolveModification{
Expand Down Expand Up @@ -99,3 +101,31 @@ func (ftr *frizbeeTagResolveModification) modifyFs() ([]*fsEntry, error) {
}
return ftr.entries, nil
}

func parseExcludeFromDef(def map[string]any) []string {
if def == nil {
return nil
}

exclude, ok := def["exclude"]
if !ok {
return nil
}

excludeSlice, ok := exclude.([]interface{})
if !ok {
return nil
}

excludeStrings := []string{}
for _, ex := range excludeSlice {
excludeStr, ok := ex.(string)
if !ok {
return nil
}

excludeStrings = append(excludeStrings, excludeStr)
}

return excludeStrings
}
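Review bot: `parseExcludeFromDef` returns nil for a malformed `exclude` (a scalar instead of a list, or a list with a non-string element), and the caller then silently falls back to the rule type's exclude list, so a profile author gets a different set of actions pinned than the one they wrote, with no error. Since `newFrizbeeTagResolveModification` already returns an error, the parser can return `([]string, error)` and the constructor can reject the bad profile input; only a missing key should fall through to `prCfg`. The nil-map guard can be dropped because indexing a nil map is safe in Go, and `[]any` matches the `map[string]any` already used in the signature. An explicit empty list still overrides the rule type's excludes, which deserves a line in the doc comment if that is intended. The sketch below assumes `fmt` is imported in this file.

```go
	// in newFrizbeeTagResolveModification, after `exclude := []string{}`
	ex, err := parseExcludeFromDef(params.def)
	if err != nil {
		return nil, fmt.Errorf("invalid exclude in rule def: %w", err)
	}
	if ex == nil {
		ex = params.prCfg.GetActionsReplaceTagsWithSha().GetExclude()
	}
	if ex != nil {
		exclude = ex
	}
	// … unchanged: return &frizbeeTagResolveModification{ … } …

// parseExcludeFromDef reads the optional "exclude" key from the rule's def
// section. It returns (nil, nil) when the key is absent and an error when the
// value is not a list of strings, so malformed profile input is reported
// instead of being replaced by the rule type's defaults.
func parseExcludeFromDef(def map[string]any) ([]string, error) {
	raw, ok := def["exclude"]
	if !ok {
		return nil, nil
	}

	items, ok := raw.([]any)
	if !ok {
		return nil, fmt.Errorf("exclude must be a list of strings, got %T", raw)
	}

	excludes := make([]string, 0, len(items))
	for i, item := range items {
		s, ok := item.(string)
		if !ok {
			return nil, fmt.Errorf("exclude[%d] must be a string, got %T", i, item)
		}
		excludes = append(excludes, s)
	}
	return excludes, nil
}
```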
Expand Up @@ -37,6 +37,7 @@ type modificationConstructorParams struct {
prCfg *pb.RuleType_Definition_Remediate_PullRequestRemediation
ghCli v1.GitHub
bfs billy.Filesystem
def map[string]any
}

type modificationConstructor func(*modificationConstructorParams) (fsModifier, error)