update wildcard function

Author: Balijepalli Vamshi Krishna

remediation/workflow/pin/pinactions.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -229,8 +228,15 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS
 // Function to check if an action matches any pattern in the list
 func ActionExists(actionName string, patterns []string) bool {
 	for _, pattern := range patterns {
-		// Use filepath.Match to match the pattern
-		matched, err := filepath.Match(pattern, actionName)
+		// Convert glob pattern to regex for path matching
+		// Replace * with [^/]* to match within a path segment
+		// Replace **/ with .* to match across path segments
+		regexPattern := strings.ReplaceAll(pattern, "**", "§§")
+		regexPattern = strings.ReplaceAll(regexPattern, "*", "[^/]*")
+		regexPattern = strings.ReplaceAll(regexPattern, "§§", ".*")
+		regexPattern = "^" + regexPattern + "($|/)"
+
+		matched, err := regexp.MatchString(regexPattern, actionName)
 		if err != nil {
 			// Handle invalid patterns
 			fmt.Printf("Error matching pattern: %v\n", err)

remediation/workflow/pin/pinactions_test.go

@@ -293,7 +293,7 @@ func TestPinActions(t *testing.T) {
 		{fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true},
 		{fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true},
 		{fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true},
-		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}, pinToImmutable: true},
+		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*"}, pinToImmutable: true},
 		{fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false},
 		{fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false},
 	}
@@ -345,3 +345,23 @@ func Test_isAbsolute(t *testing.T) {
 		})
 	}
 }
+
+func TestActionExists(t *testing.T) {
+	result := ActionExists("actions/checkout", []string{"actions/checkout"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned false for actions/checkout")
+	}
+
+	result = ActionExists("actions/checkout", []string{"actions/*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned false for actions/checkout")
+	}
+
+	result = ActionExists("actions/checkout/something", []string{"actions/*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for actions/checkout/something")
+	}
+}

testfiles/pinactions/input/exemptaction.yml

@@ -38,6 +38,14 @@ jobs:
       - name: publish on version change
         id: publish_nuget
         uses: rohith/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: praveen/publish-nuget/to-version@v2
         with:
           PROJECT_FILE_PATH: Core/Core.csproj
           NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}

testfiles/pinactions/output/exemptaction.yml

@@ -38,6 +38,14 @@ jobs:
       - name: publish on version change
         id: publish_nuget
         uses: rohith/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: praveen/publish-nuget/to-version@v2
         with:
           PROJECT_FILE_PATH: Core/Core.csproj
           NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}