Add config option to specify branches for dangerous workflow

[serb-google]

Add config option to specify branches for dangerous workflow, see #622 (comment)

Tested with and without option in /.allstar/dangerous_workflow.yaml file private branch to confirm this works as expected.

[serb-google]

It's not really clear why the linter is failing, I can't replicate this locally with:

 allstar$ ../golangci-lint-1.64.7-linux-amd64/golangci-lint run --timeout 3m
 allstar$ ../golangci-lint-1.64.7-linux-amd64/golangci-lint cache clean

[serb-google]

Looks like 24b42f0 resolved the lint error.

[coheigea]

Nit: separated. Same for below

[serb-google]

Nice catch :)

[coheigea]

What happens if a given branch isn't available in a repo? Will it just skip or throw an error? I'd want to specify "refs/remotes/origin/master", "refs/remotes/origin/main" etc. to catch different default branches in various repos. Or is there a way to always pick the default branch?

[serb-google]

What happens if a given branch isn't available in a repo? Will it just skip or throw an error? I'd want to specify "refs/remotes/origin/master", "refs/remotes/origin/main" etc. to catch different default branches in various repos. Or is there a way to always pick the default branch?

Based on https://github.com/serb-google/allstar/blob/config/pkg/policies/workflow/workflow.go#L150 this should throw an error.

I think it should be possible to wire up GetDefaultBranchName() from the scorecard Git client for a magic string like Default ( https://github.com/ossf/scorecard/blob/main/clients/git/client.go#L316 ). I should be able to have that wired up in a few days.

[jeffmendoza]

Looks good, some naming comments.
Lets preserve the ability to easily only check the default branch, as @coheigea mentioned.

[jeffmendoza]

I don't believe you need these config fields. Just the ones you added to the policy-specific config

[serb-google]

Ack, updated!

[jeffmendoza]

Because this is already a part of the Dangerous Workflow policy config, just name this "BranchList"

[serb-google]

Ack, updated!

[serb-google]

I modified the logic to add in a keyword "default" which will be replaced with the actual default git branch name.

I tested this using a private repo with configuration file .allstar/dangerous_workflow.yaml with the contents branchList: default. Log:

{"severity":"DEBUG","time":"2025-04-27T16:21:34Z","message":"local checkout -- installation access token retrieved"}
{"severity":"DEBUG","repo":"serb-google/test_private","time":"2025-04-27T16:21:34Z","message":"Repo checkout"}
{"severity":"DEBUG","time":"2025-04-27T16:21:34Z","message":"local checkout -- checkout success"}
{"severity":"DEBUG","branches":"refs/heads/main","time":"2025-04-27T16:21:34Z","message":"Running against branch list"}
{"severity":"DEBUG","branch":"refs/heads/main","time":"2025-04-27T16:21:34Z","message":"Branch checkout"}
{"severity":"INFO","org":"serb-google","repo":"test_private","area":"Dangerous Workflow","result":true,"enabled":false,"notify":"","details":{"Findings":null},"time":"2025-04-27T16:21:34Z","message":"Policy run result."}

[jeffmendoza]

Added a quick note on how the lists are merged. Thanks for the updates!!

[jeffmendoza]

Some merge conflicts for some reason, a rebase was needed, will merge now

[coheigea]

@jeffmendoza Can we have a new release with this feature please? #659