move action commit map to pin actions control

Balijepalli Vamshi Krishna · Balijepalli Vamshi Krishna · commit 6d7416360c33 · 2025-10-24T13:47:47.000+05:30
diff --git a/remediation/workflow/permissions/permissions.go b/remediation/workflow/permissions/permissions.go
@@ -25,7 +25,6 @@ type SecureWorkflowReponse struct {
 	WorkflowFetchError     bool
 	JobErrors              []JobError
 	MissingActions         []string
-	UsedActionCommitMap    bool
 }
 
 type JobError struct {
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -72,17 +72,24 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	var commitSHA string
 	var err error
 
-	if actionCommitMap != nil && actionCommitMap[action] != "" {
-		actionWithCommit := actionCommitMap[action]
-		commitSHA = strings.Split(actionWithCommit, "@")[1]
-
-		if !semanticTagRegex.MatchString(tagOrBranch) {
-			tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
-			if err != nil {
-				return inputYaml, updated
+	if actionCommitMap != nil {
+		// Check case-insensitively by iterating through the map
+		for mapAction, actionWithCommit := range actionCommitMap {
+			if strings.EqualFold(action, mapAction) && actionWithCommit != "" {
+				commitSHA = strings.Split(actionWithCommit, "@")[1]
+
+				if !semanticTagRegex.MatchString(tagOrBranch) {
+					tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
+					if err != nil {
+						return inputYaml, updated
+					}
+				}
+				break
 			}
 		}
-	} else {
+	}
+
+	if commitSHA == "" {
 		commitSHA, _, err = client.Repositories.GetCommitSHA1(ctx, owner, repo, tagOrBranch, "")
 		if err != nil {
 			return inputYaml, updated
diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
@@ -18,8 +18,8 @@ const (
 )
 
 func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI, params ...interface{}) (*permissions.SecureWorkflowReponse, error) {
-	pinActions, addHardenRunner, addPermissions, addProjectComment, replaceMaintainedActions, useActionCommitMap := true, true, true, true, false, false
-	pinnedActions, addedHardenRunner, addedPermissions, replacedMaintainedActions, usedActionCommitMap := false, false, false, false, false
+	pinActions, addHardenRunner, addPermissions, addProjectComment, replaceMaintainedActions := true, true, true, true, false
+	pinnedActions, addedHardenRunner, addedPermissions, replacedMaintainedActions := false, false, false, false
 	ignoreMissingKBs := false
 	enableLogging := false
 	addEmptyTopLevelPermissions := false
@@ -143,22 +143,12 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		}
 	}
 
-	if useActionCommitMap {
-		if enableLogging {
-			log.Printf("Using action commit map")
-		}
-		secureWorkflowReponse.FinalOutput, usedActionCommitMap, err = pin.PinActions(secureWorkflowReponse.FinalOutput, []string{}, false, actionCommitMap)
-		if err != nil {
-			log.Printf("Error pinning actions using commit map: %v", err)
-			secureWorkflowReponse.HasErrors = true
-		}
-	}
 	if pinActions {
 		if enableLogging {
 			log.Printf("Pinning GitHub Actions")
 		}
 		pinnedAction, pinnedDocker := false, false
-		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable, nil)
+		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable, actionCommitMap)
 		secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
 		pinnedActions = pinnedAction || pinnedDocker
 		if enableLogging {
@@ -189,15 +179,13 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
 	secureWorkflowReponse.AddedPermissions = addedPermissions
 	secureWorkflowReponse.AddedMaintainedActions = replacedMaintainedActions
-	secureWorkflowReponse.UsedActionCommitMap = usedActionCommitMap
 
 	if enableLogging {
-		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, AddedMaintainedActions: %v, UsedActionCommitMap: %v, HasErrors: %v",
+		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, AddedMaintainedActions: %v, HasErrors: %v",
 			secureWorkflowReponse.PinnedActions,
 			secureWorkflowReponse.AddedHardenRunner,
 			secureWorkflowReponse.AddedPermissions,
 			secureWorkflowReponse.AddedMaintainedActions,
-			secureWorkflowReponse.UsedActionCommitMap,
 			secureWorkflowReponse.HasErrors)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,6 @@ type SecureWorkflowReponse struct {`
`25`	`25`	`WorkflowFetchError bool`
`26`	`26`	`JobErrors []JobError`
`27`	`27`	`MissingActions []string`
`28`		`- UsedActionCommitMap bool`
`29`	`28`	`}`
`30`	`29`
`31`	`30`	`type JobError struct {`