Merge pull request #2014 from Devils-Knight/issue-docker

Update Format for Pinning Docker Actions

Author: varunsh-coder

remediation/workflow/pin/pindocker.go

@@ -66,10 +66,11 @@ func pinDocker(action, jobName, inputYaml string) (string, bool) {
 		return inputYaml, updated
 	}
 
-	pinnedAction := fmt.Sprintf("%s:%s@%s # %s", leftOfAt[0], leftOfAt[1], imghash.String(), tag)
+	pinnedAction := fmt.Sprintf("%s:%s:%s@%s", leftOfAt[0], leftOfAt[1], tag, imghash.String())
 	inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
 	// Revert the extra hash for already pinned docker actions
 	inputYaml = strings.ReplaceAll(inputYaml, pinnedAction+"@", action+"@")
+	inputYaml = strings.ReplaceAll(inputYaml, pinnedAction+":", action+":")
 	updated = !strings.EqualFold(action, pinnedAction)
 	return inputYaml, updated
 }

testfiles/pindockers/input/dockeraction.yml

@@ -38,7 +38,7 @@ jobs:
       with:
         args: sh -c "cd conker && make --jobs"
     - name: Perform make replace
-      uses: docker://docker.io/markstreet/conker@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0 # latest
+      uses: docker://docker.io/markstreet/conker:latest@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
       with:
         args: sh -c "cd conker && make replace"
 

testfiles/pindockers/output/dockeraction.yml

@@ -25,30 +25,30 @@ jobs:
       run: echo ${{ secrets.CONKER_BASEROM_US }} | openssl enc -d -aes-256-cbc -pass stdin -pbkdf2 -in baserom/baserom.us.z64.aes -out baserom.us.z64
 
     - name: Perform make extract (rom)
-      uses: docker://docker.io/markstreet/conker@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0 # latest
+      uses: docker://docker.io/markstreet/conker:latest@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
       with:
         args: make extract
 
     - name: Perform make extract (code)
-      uses: docker://docker.io/markstreet/conker@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0 # latest
+      uses: docker://docker.io/markstreet/conker:latest@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
       with:
         args: sh -c "cd conker && make extract"
     - name: Perform make (code)
-      uses: docker://docker.io/markstreet/conker@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0 # latest
+      uses: docker://docker.io/markstreet/conker:latest@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
       with:
         args: sh -c "cd conker && make --jobs"
     - name: Perform make replace
-      uses: docker://docker.io/markstreet/conker@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0 # latest
+      uses: docker://docker.io/markstreet/conker:latest@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
       with:
         args: sh -c "cd conker && make replace"
 
     - name: Perform make
-      uses: docker://docker.io/markstreet/conker@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0 # latest
+      uses: docker://docker.io/markstreet/conker:latest@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
       with:
         args: make --jobs
 
     - name: Create progress.csv
-      uses: docker://docker.io/markstreet/conker@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0 # latest
+      uses: docker://docker.io/markstreet/conker:latest@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
       with:
         args: sh -c "cd conker && make progress"
 

testfiles/pindockers/output/gcraction.yml

@@ -19,12 +19,12 @@ jobs:
         go-version: ${{ env.GO_VERSION }}
 
     - name: Container structure test (scratch)
-      uses: docker://gcr.io/gcp-runtimes/container-structure-test@sha256:4affda1c8f058f8d6c86dcad965cdb438a3d1d9a982828ff6737ea492b6bc8ce # latest
+      uses: docker://gcr.io/gcp-runtimes/container-structure-test:latest@sha256:4affda1c8f058f8d6c86dcad965cdb438a3d1d9a982828ff6737ea492b6bc8ce
       with:
         args: 'test --image ffurrer/semver:latest --config test/semver_container_test.yml'
 
     - name: Container structure test (alpine)
-      uses: docker://gcr.io/gcp-runtimes/container-structure-test@sha256:4affda1c8f058f8d6c86dcad965cdb438a3d1d9a982828ff6737ea492b6bc8ce # latest
+      uses: docker://gcr.io/gcp-runtimes/container-structure-test:latest@sha256:4affda1c8f058f8d6c86dcad965cdb438a3d1d9a982828ff6737ea492b6bc8ce
       with:
         args: 'test --image ffurrer/semver:alpine --config test/semver_alpine_container_test.yml'
 

testfiles/pindockers/output/ghcraction.yml

@@ -12,6 +12,6 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v1
     - name: Integration test
-      uses: docker://ghcr.io/step-security/integration-test/int@sha256:f1f95204dc1f12a41eaf41080185e2d289596b3e7637a8c50a3f6fbe17f99649 # latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:f1f95204dc1f12a41eaf41080185e2d289596b3e7637a8c50a3f6fbe17f99649
       env:
         PAT: ${{ secrets.PAT }}