Updating action path while getting image manifest for bundled actions

remediation/workflow/pin/action_image_manifest.go

@@ -69,6 +69,14 @@ func getOCIImageArtifactTypeForGhAction(action string) (string, error) {
 		return "", fmt.Errorf("invalid action format")
 	}
 
+	// For bundled actions like github/codeql-action/analyze@v3,
+	// we only need the repository part (github/codeql-action) to check for immutability
+	actionPath := parts[0]
+	if strings.Count(parts[0], "/") > 1 {
+		pathParts := strings.Split(parts[0], "/")
+		actionPath = strings.Join(pathParts[:2], "/")
+	}
+
 	// convert v1.x.x to 1.x.x which is
 	// use regexp to match tag version format and replace v in prefix
 	// as immutable actions image tag is in format 1.x.x (without v prefix)
@@ -79,7 +87,7 @@ func getOCIImageArtifactTypeForGhAction(action string) (string, error) {
 	}
 
 	// Convert GitHub action to GHCR image reference using proper OCI reference format
-	image := fmt.Sprintf("ghcr.io/%s:%s", parts[0], parts[1])
+	image := fmt.Sprintf("ghcr.io/%s:%s", actionPath, parts[1])
 	imageManifest, err := getOCIManifestForImage(image)
 	if err != nil {
 		return "", err

remediation/workflow/pin/pinactions_test.go

@@ -173,6 +173,21 @@ func TestPinActions(t *testing.T) {
 				  }
 			]`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/github/codeql-action/commits/v3",
+		httpmock.NewStringResponder(200, `d68b2d4edb4189fd2a5366ac14e72027bd4b37dd`))
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/github/codeql-action/git/matching-refs/tags/v3.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v3.28.2",
+					"object": {
+					  "sha": "d68b2d4edb4189fd2a5366ac14e72027bd4b37dd",
+					  "type": "commit"
+					}
+				  }
+			]`))
+
 	// mock ping response
 	httpmock.RegisterResponder("GET", "https://ghcr.io/v2/",
 		httpmock.NewStringResponder(200, ``))
@@ -191,7 +206,8 @@ func TestPinActions(t *testing.T) {
 				"repository:JS-DevTools/npm-publish:pull",
 				"repository:elgohr/Publish-Docker-Github-Action:pull",
 				"repository:brandedoutcast/publish-nuget:pull",
-				"repository:rohith/publish-nuget:pull":
+				"repository:rohith/publish-nuget:pull",
+				"repository:github/codeql-action:pull":
 				return httpmock.NewJsonResponse(http.StatusOK, map[string]string{
 					"token":        "test-token",
 					"access_token": "test-token",
@@ -213,6 +229,7 @@ func TestPinActions(t *testing.T) {
 		// the following list will contain the list of actions with versions
 		// which are mocked to be immutable
 		"actions/[email protected]",
+		"github/[email protected]",
 	}
 
 	for _, action := range manifestResponders {

testfiles/pinactions/input/immutableaction-1.yml

@@ -4,7 +4,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/[email protected]
+    - uses: actions/checkout@v1
+    - uses: github/codeql-action/analyze@v3
     - uses: borales/[email protected]
       with:
         auth-token: ${{ secrets.GITHUB_TOKEN }}

testfiles/pinactions/output/immutableaction-1.yml

@@ -5,6 +5,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/[email protected]
+    - uses: github/codeql-action/[email protected]
     - uses: borales/actions-yarn@4965e1a0f0ae9c422a9a5748ebd1fb5e097d22b9 # v2.3.0
       with:
         auth-token: ${{ secrets.GITHUB_TOKEN }}