From 4e7bc4e488f33ed785fcbe075990513881a3922b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andre=CC=81=20Pacheco=20Neves?=
Date: Fri, 17 May 2024 13:48:20 +0100
Subject: [PATCH 1/4] Enable fork PRs CI to run codecov

For security reasons, fork PRs don't have access to secrets if we use `pull_request` in GH Actions CI spec, only if we use `pull_request_target`, which has its own security implications. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Codecov status reporting in CI requires a token, so for fork PRs to be able to do so we migrated to `pull_request_target` with the caveat that MRs have to be labelled and have the `run ci` label applied, which can only be done by someone with triage access to the repo. This should give us a good compromise in terms of security.
---
 .github/workflows/ci.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 99977eb..3dd3e1a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,9 +6,10 @@ on:
 - master
 tags:
 - '[0-9]+\.[0-9]+\.[0-9]+'
- pull_request:
+ pull_request_target: # forks don't have access to secrets if we use `pull_request`, which is required for codecov
 branches:
 - master
+ types: [labeled] # ensure PRs are labelled, which can only be done by users with triage access
 env:
 # https://github.com/actions/runner-images/blob/main/images/macos/macos-14-Readme.md#xcode
@@ -24,6 +25,7 @@ jobs:
 env-details:
 name: Environment details
 runs-on: macos-14
+ if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
 steps:
 - name: xcode version
 run: xcodebuild -version -sdk
@@ -39,6 +41,7 @@ jobs:
 build-test:
 name: Build and Test
 runs-on: macos-14
+ if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
 env:
 WORKSPACE: Alicerce.xcworkspace
 SCHEME: Alicerce
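Review bot: Switching the trigger to `pull_request_target` in the first hunk means every job in this workflow now runs with the base repository's secrets and its `GITHUB_TOKEN` in scope for fork PRs too, and the `run ci` label check added in the next two hunks (and the three on the following line) is the only control between a fork's commits and those credentials. The hunks do not show the checkout steps, so whether any job checks out `github.event.pull_request.head.sha` and then runs its build (xcodebuild, SwiftPM and CocoaPods all execute build configuration from the checked-out tree) cannot be confirmed here; if one does, the person applying the label is effectively approving that exact commit to run with the token. Two defensive additions that belong in this hunk: a top-level `permissions: contents: read` so the token stays read-only even when the gate is satisfied, and a fuller comment on the `pull_request_target:` line, e.g. `# pull_request_target exposes secrets and the token to fork PRs; fork runs are gated on the 'run ci' label in each job's if:`. As written the comment reads as if `pull_request` were what codecov requires, which is the opposite of what the commit message explains.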
@@ -133,6 +136,7 @@ jobs:
 swiftpm:
 name: SwiftPM Build
 runs-on: macos-14
+ if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
 env:
 WORKSPACE: Alicerce.xcworkspace
 SCHEME: "Alicerce (SPM)"
@@ -203,6 +207,7 @@ jobs:
 cocoapods:
 name: CocoaPods Verification
 runs-on: macos-14
+ if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
 steps:
 - name: git checkout
 uses: actions/checkout@v3
@@ -232,6 +237,7 @@ jobs:
 carthage:
 name: Carthage Verification
 runs-on: macos-14
+ if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
 env:
 # Use Xcode 15.3 (latest) for Carthage to avoid iOS device/simulator version mismatches
 DEVELOPER_DIR: "/Applications/Xcode_15.3.app/Contents/Developer"
From 47906434f2d3c83a00d9ab6fb19762c867398a22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andre=CC=81=20Pacheco=20Neves?=
Date: Fri, 17 May 2024 14:21:36 +0100
Subject: [PATCH 2/4] Remove `labeled` type filter, improve conditions

---
 .github/workflows/ci.yml | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3dd3e1a..ca56bbb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,6 @@ on:
 pull_request_target: # forks don't have access to secrets if we use `pull_request`, which is required for codecov
 branches:
 - master
- types: [labeled] # ensure PRs are labelled, which can only be done by users with triage access
 env:
 # https://github.com/actions/runner-images/blob/main/images/macos/macos-14-Readme.md#xcode
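Review bot: Dropping `types: [labeled]` in the last hunk on this line makes the workflow fire on the default `opened`/`synchronize`/`reopened` events, so once a maintainer applies `run ci` to a fork PR the label stays on the PR and every later push to that branch re-runs the gated jobs with secrets in scope without anyone looking at the new commits. The approval should be tied to the labelling event rather than to the label's presence: list the event explicitly, `types: [opened, synchronize, reopened, labeled]`, and in the fork branch of the job conditions (the hunks on the next line) require `github.event.action == 'labeled' && github.event.label.name == 'run ci'`, with the label removed (or re-applied after review) whenever the fork pushes again. A label-present check on its own cannot distinguish the commit that was reviewed from one pushed after the label went on.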
@@ -25,7 +24,10 @@ jobs:
 env-details:
 name: Environment details
 runs-on: macos-14
- if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
+ if: |
+ github.event_name == 'push' ||
+ !github.event.pull_request.head.repo.fork ||
+ (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
 steps:
 - name: xcode version
 run: xcodebuild -version -sdk
@@ -41,7 +43,10 @@ jobs:
 build-test:
 name: Build and Test
 runs-on: macos-14
- if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
+ if: |
+ github.event_name == 'push' ||
+ !github.event.pull_request.head.repo.fork ||
+ (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
 env:
 WORKSPACE: Alicerce.xcworkspace
 SCHEME: Alicerce
@@ -136,7 +141,10 @@ jobs:
 swiftpm:
 name: SwiftPM Build
 runs-on: macos-14
- if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
+ if: |
+ github.event_name == 'push' ||
+ !github.event.pull_request.head.repo.fork ||
+ (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
 env:
 WORKSPACE: Alicerce.xcworkspace
 SCHEME: "Alicerce (SPM)"
@@ -207,7 +215,10 @@ jobs:
 cocoapods:
 name: CocoaPods Verification
 runs-on: macos-14
- if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
+ if: |
+ github.event_name == 'push' ||
+ !github.event.pull_request.head.repo.fork ||
+ (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
 steps:
 - name: git checkout
 uses: actions/checkout@v3
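Review bot: The new block-scalar condition in all four hunks on this line (and in the carthage hunk on the next line) carries a redundant term: the third disjunct is only reached when `!github.event.pull_request.head.repo.fork` is false, so its `fork &&` prefix is always true and the expression reduces to `github.event_name == 'push' || !github.event.pull_request.head.repo.fork || contains(github.event.pull_request.labels.*.name, 'run ci')`. The same expression is now pasted into five jobs, which is where drift starts (the two follow-up commits already edit only one copy); a single `gate` job carrying the `if:` with the build jobs declaring `needs: [gate]` keeps the policy in one place, since dependents of a skipped job are skipped as well. A one-line comment above the block, e.g. `# push and same-repo PRs always run; fork PRs only once a triager has applied the 'run ci' label`, would record the intent that currently lives only in the commit message.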
@@ -237,7 +248,10 @@ jobs:
 carthage:
 name: Carthage Verification
 runs-on: macos-14
- if: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'run ci') }}
+ if: |
+ github.event_name == 'push' ||
+ !github.event.pull_request.head.repo.fork ||
+ (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
 env:
 # Use Xcode 15.3 (latest) for Carthage to avoid iOS device/simulator version mismatches
 DEVELOPER_DIR: "/Applications/Xcode_15.3.app/Contents/Developer"
From 86e8483f4d9a74066107a87d9c78af50caf2d5d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andre=CC=81=20Pacheco=20Neves?=
Date: Fri, 17 May 2024 14:35:11 +0100
Subject: [PATCH 3/4] test condition

---
 .github/workflows/ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ca56bbb..04becb4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,8 +26,7 @@ jobs:
 runs-on: macos-14
 if: |
 github.event_name == 'push' ||
- !github.event.pull_request.head.repo.fork ||
- (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
+ !github.event.pull_request.head.repo.fork
 steps:
 - name: xcode version
 run: xcodebuild -version -sdk
From 9cd8109c89ae0b8f59fc1d8353ccdf22cc3f65a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andre=CC=81=20Pacheco=20Neves?=
Date: Fri, 17 May 2024 14:37:58 +0100
Subject: [PATCH 4/4] remove condition from env-details

---
 .github/workflows/ci.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 04becb4..9197394 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,9 +24,6 @@ jobs:
 env-details:
 name: Environment details
 runs-on: macos-14
- if: |
- github.event_name == 'push' ||
- !github.event.pull_request.head.repo.fork
 steps:
 - name: xcode version
 run: xcodebuild -version -sdk
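Review bot: With its `if:` removed in the last hunk, `env-details` now runs for every event the workflow receives, including unlabelled fork PRs, and because the trigger is `pull_request_target` it does so with the repository's secrets and token in scope. That is acceptable only while the job executes nothing from the PR: the visible step runs just `xcodebuild -version -sdk` with no checkout, but the job's remaining steps are outside the hunk, so this cannot be confirmed here. A comment on the job makes the constraint explicit for whoever adds a step later, e.g. `# intentionally ungated: runs for unlabelled fork PRs under pull_request_target, so never add a checkout or PR-controlled commands here`. The intermediate `test condition` hunk above it is superseded by this one, so its `push || !fork` form needs no separate review.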