fix: handle quote delimeter for pin actions

shubham-stepsecurity · shubham-stepsecurity · commit 1d7518eac248 · 2025-07-30T16:22:22.000+05:30
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -105,7 +105,7 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	// - "actions/checkout@v1""    - Matches (quote delimiter)
 	// - "actions/checkout@v1"     - Matches (quote delimiter)
 	// - "actions/checkout@v1\n"   - Matches (newline is considered whitespace \s)
-	actionRegex := regexp.MustCompile(`(` + regexp.QuoteMeta(action) + `)($|\s|"|')`)
+	actionRegex := regexp.MustCompile(`((?:["'])?` + regexp.QuoteMeta(action) + `(?:["'])?)($|\s|"|')`)
 	inputYaml = actionRegex.ReplaceAllString(inputYaml, pinnedAction+"$2")
 	yamlWithPreviousActionCommentsRemoved, wasModified := removePreviousActionComments(pinnedAction, inputYaml)
 	if wasModified {
diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go
@@ -295,6 +295,7 @@ func TestPinActions(t *testing.T) {
 		{fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true},
 		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}, pinToImmutable: true},
 		{fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false},
+		{fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false},
 	}
 	for _, tt := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))
diff --git a/testfiles/pinactions/input/invertedcommas.yml b/testfiles/pinactions/input/invertedcommas.yml
@@ -0,0 +1,15 @@
+name: "close issue"
+
+on:
+  push:
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Close Issue
+        uses: "peter-evans/close-issue@v1"
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
diff --git a/testfiles/pinactions/output/invertedcommas.yml b/testfiles/pinactions/output/invertedcommas.yml
@@ -0,0 +1,15 @@
+name: "close issue"
+
+on:
+  push:
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Close Issue
+        uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
+        with:
+          issue-number: 1
+          comment: Auto-closing issue

Original file line number	Diff line number	Diff line change
`@@ -295,6 +295,7 @@ func TestPinActions(t *testing.T) {`
`295`	`295`	`{fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true},`
`296`	`296`	`{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}, pinToImmutable: true},`
`297`	`297`	`{fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false},`
	`298`	`+ {fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false},`
`298`	`299`	`}`
`299`	`300`	`for _, tt := range tests {`
`300`	`301`	`input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))`