chore: always pin harden-runner unless exempted

Author: shubham-stepsecurity

remediation/workflow/secureworkflow.go

@@ -85,10 +85,12 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	}
 
 	if addHardenRunner {
+		// Always pin harden-runner unless exempted
+		pinHardenRunner := true
 		if pin.ActionExists(HardenRunnerActionPath, exemptedActions) {
-			pinActions = false
+			pinHardenRunner = false
 		}
-		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinActions, pinToImmutable)
+		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinHardenRunner, pinToImmutable)
 	}
 
 	// Setting appropriate flags

testfiles/secureworkflow/output/nopin.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest  
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
         with:
           egress-policy: audit