Skip to content

Commit 81df8cf

Browse files
Balijepalli Vamshi KrishnaBalijepalli Vamshi Krishna
Balijepalli Vamshi Krishna
authored and
Balijepalli Vamshi Krishna
committed
retry with PAT
1 parent b87f942 commit 81df8cf

File tree

2 files changed

+22
-13
lines changed

2 files changed

+22
-13
lines changed

remediation/workflow/hardenrunner/addaction.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo
5151
}
5252

5353
if updated && pinActions {
54-
out, _, err = pin.PinAction(action, out, nil, pinToImmutable, nil)
54+
out, _, err = pin.PinActionWithPatFallback(action, out, nil, pinToImmutable, nil)
5555
if err != nil {
5656
return out, updated, err
5757
}

remediation/workflow/pin/pinactions.go

Lines changed: 21 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
2929
for _, step := range job.Steps {
3030
if len(step.Uses) > 0 {
3131
localUpdated := false
32-
out, localUpdated, err = PinAction(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
32+
out, localUpdated, err = PinActionWithPatFallback(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
3333
if err != nil {
3434
return out, updated, err
3535
}
@@ -43,7 +43,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
4343
for _, run := range workflow.Runs.Steps {
4444
if len(run.Uses) > 0 {
4545
localUpdated := false
46-
out, localUpdated, err = PinAction(run.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
46+
out, localUpdated, err = PinActionWithPatFallback(run.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
4747
if err != nil {
4848
return out, updated, err
4949
}
@@ -55,7 +55,25 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool,
5555
return out, updated, nil
5656
}
5757

58-
func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
58+
func PinActionWithPatFallback(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
59+
// use secure repo token
60+
PAT := os.Getenv("SECURE_REPO_PAT")
61+
if PAT == "" {
62+
PAT = os.Getenv("PAT")
63+
log.Println("SECURE_REPO_PAT is not set, using PAT")
64+
} else {
65+
log.Println("SECURE_REPO_PAT is set")
66+
}
67+
out, updated, err := PinAction(action, inputYaml, PAT, exemptedActions, pinToImmutable, actionCommitMap)
68+
if err != nil && strings.Contains(err.Error(), "organization has an IP allow list enabled, and your IP address is not permitted to access this resource") {
69+
PAT = os.Getenv("PAT")
70+
log.Println("[RETRY] SECURE_REPO_PAT is not set, using PAT")
71+
return PinAction(action, inputYaml, PAT, exemptedActions, pinToImmutable, actionCommitMap)
72+
}
73+
return out, updated, err
74+
}
75+
76+
func PinAction(action, inputYaml, PAT string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
5977
updated := false
6078

6179
if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
@@ -77,15 +95,6 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
7795
owner := splitOnSlash[0]
7896
repo := splitOnSlash[1]
7997

80-
// use secure repo token
81-
PAT := os.Getenv("SECURE_REPO_PAT")
82-
if PAT == "" {
83-
PAT = os.Getenv("PAT")
84-
log.Println("SECURE_REPO_PAT is not set, using PAT")
85-
} else {
86-
log.Println("SECURE_REPO_PAT is set")
87-
}
88-
8998
ctx := context.Background()
9099
ts := oauth2.StaticTokenSource(
91100
&oauth2.Token{AccessToken: PAT},

0 commit comments

Comments
 (0)