[Tool] Fix security issues (#26767)

Signed-off-by: AndyZiYe <[email protected]>
StarRocks · Jul 9, 2023 · d113a85 · d113a85
1 parent c7972cb
commit d113a85
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 54 deletions.
diff --git a/.github/workflows/ci-merged.yml b/.github/workflows/ci-merged.yml
@@ -82,6 +82,11 @@ jobs:
       PR_NUMBER: ${{ github.event.number }}
       BRANCH: ${{ github.base_ref }}
     steps:
+      - name: clean
+        run: |
+          rm -rf ${{ github.workspace }}
+          mkdir -p ${{ github.workspace }}
+
       - uses: dorny/paths-filter@v2
         id: changes
         with:
@@ -93,11 +98,14 @@ jobs:
       - name: update image
         if: steps.changes.outputs.thirdparty == 'true'
         run: |
-          rm -rf ./elastic-service
-          cp -rf /var/lib/elastic-service ./elastic-service
-          cd elastic-service && git pull
+          rm -rf ./ci-tool && cp -rf /var/lib/ci-tool ./ci-tool && cd ci-tool && git pull && source lib/init.sh
           ./bin/elastic-update-image.sh $BRANCH $PR_NUMBER
 
+      - name: Clean ENV
+        if: always()
+        run: |
+          rm -rf ${{ github.workspace }}/*
+
   close_msg:
     runs-on: self-hosted
     if: github.event.pull_request.merged == true && github.base_ref == 'main'
@@ -119,5 +127,10 @@ jobs:
 
       - name: update merged coverage
         run: |
-          rm -rf ./elastic-service && cp -rf /var/lib/elastic-service ./elastic-service && cd elastic-service && git pull
+          rm -rf ./ci-tool && cp -rf /var/lib/ci-tool ./ci-tool && cd ci-tool && git pull && source lib/init.sh
           ./bin/upload_cov_after_merge.sh --pr ${PR_NUMBER} --commit ${{ steps.commit_sha.outputs.commit_sha }}
+
+      - name: Clean ENV
+        if: always()
+        run: |
+          rm -rf ${{ github.workspace }}/*
diff --git a/.github/workflows/ci-pipeline-branch.yml b/.github/workflows/ci-pipeline-branch.yml
@@ -39,7 +39,6 @@ jobs:
           path: ./pr_num.txt
           retention-days: 1
 
-
   doc-checker:
     runs-on: ubuntu-latest
     needs: sync-checker
@@ -79,7 +78,7 @@ jobs:
       - name: clean
         run: |
           rm -rf ${{ github.workspace }}
-          mkdir -p ${{ github.workspace }}/starrocks
+          mkdir -p ${{ github.workspace }}
 
       - name: BRANCH INFO
         id: branch
@@ -94,8 +93,6 @@ jobs:
       - name: Checkout PR
         run: |
           BRANCH=${{steps.branch.outputs.branch}}
-          git config --global user.name "wanpengfei-git"
-          git config --global user.email "[email protected]"
           git checkout $BRANCH;
           git pull;
           BRANCH_NAME="${BRANCH}-${PR_NUMBER}";
@@ -141,7 +138,7 @@ jobs:
           echo "thirdparty=${{ steps.changes.outputs.thirdparty }}" >> $GITHUB_OUTPUT
 
   clang-format:
-    runs-on: [self-hosted, normal]
+    runs-on: [self-hosted, safe]
     needs: be-checker
     name: Clang-Format
     env:
@@ -151,7 +148,7 @@ jobs:
       - name: clean
         run: |
           rm -rf ${{ github.workspace }}
-          mkdir -p ${{ github.workspace }}/starrocks
+          mkdir -p ${{ github.workspace }}
 
       - name: Checkout Code
         uses: actions/checkout@v3
@@ -180,8 +177,13 @@ jobs:
           export PATH=/var/lib/llvm/bin:$PATH
           bash build-support/check-format.sh
 
+      - name: Clean ENV
+        if: always()
+        run: |
+          rm -rf ${{ github.workspace }}/*
+
   thirdparty-update:
-    runs-on: [self-hosted, normal]
+    runs-on: [self-hosted, safe]
     needs: [ be-checker, clang-format ]
     name: Thirdparty Update
     env:
@@ -196,7 +198,7 @@ jobs:
       - name: clean
         run: |
           rm -rf ${{ github.workspace }}
-          mkdir -p ${{ github.workspace }}/starrocks
+          mkdir -p ${{ github.workspace }}
 
       - name: Checkout Code
         uses: actions/checkout@v3
@@ -207,21 +209,22 @@ jobs:
         id: update-image
         run: |
           if [[ "${{ needs.be-checker.outputs.output2 }}" == 'true' ]]; then
-              rm -rf ./elastic-service && cp -rf /var/lib/elastic-service ./elastic-service && cd elastic-service && git pull
+              rm -rf ./ci-tool && cp -rf /var/lib/ci-tool ./ci-tool && cd ci-tool && git pull && source lib/init.sh
               ./bin/run-pr-update-image.sh
           fi
 
       - name: Clean ENV
         if: always()
         run: |
           if [[ "${{ needs.be-checker.outputs.output2 }}" == 'true' ]]; then
-              cd elastic-service
+              cd ci-tool && source lib/init.sh
               ./bin/elastic-cluster.sh --delete
           fi
+          rm -rf ${{ github.workspace }}/*
 
   be-ut:
-    runs-on: [self-hosted, normal]
-    needs: [ be-checker, clang-format, thirdparty-update ]
+    runs-on: [self-hosted, safe]
+    needs: [ be-checker, thirdparty-update ]
     timeout-minutes: 90
     name: BE UT
     env:
@@ -239,8 +242,7 @@ jobs:
         shell: bash
         timeout-minutes: 90
         run: |
-          set -ex
-          rm -rf ./elastic-service && ln -s /var/lib/elastic-service ./elastic-service && cd elastic-service && git pull
+          rm -rf ./ci-tool && cp -rf /var/lib/ci-tool ./ci-tool && cd ci-tool && git pull && source lib/init.sh
           if [[ "${{ needs.be-checker.outputs.output2 }}" == 'true' ]]; then
               export image_cache_id=${{ needs.thirdparty-update.outputs.image_cache_id }}
               export image_tag=$BRANCH-$PR_NUMBER
@@ -266,6 +268,7 @@ jobs:
         run: |
           rm -f ${{ steps.run_ut.outputs.RES_FILE }}
           rm -f ${{ steps.run_ut.outputs.RES_LOG }}
+          rm -rf ${{ github.workspace }}/*
 
   fe-checker:
     runs-on: ubuntu-latest
@@ -303,7 +306,7 @@ jobs:
       - name: clean
         run: |
           rm -rf ${{ github.workspace }}
-          mkdir -p ${{ github.workspace }}/starrocks
+          mkdir -p ${{ github.workspace }}
 
       - uses: dorny/paths-filter@v2
         id: java-file
@@ -328,8 +331,6 @@ jobs:
       - name: Checkout PR
         run: |
           BRANCH=${{steps.branch.outputs.branch}}
-          git config --global user.name "wanpengfei-git";
-          git config --global user.email "[email protected]";
           git checkout $BRANCH;
           git pull;
           BRANCH_NAME="${BRANCH}-${PR_NUMBER}";
@@ -355,7 +356,7 @@ jobs:
           level: error
 
   fe-ut:
-    runs-on: [self-hosted, normal]
+    runs-on: [self-hosted, safe]
     needs: fe-codestyle-check
     name: FE UT
     env:
@@ -364,7 +365,7 @@ jobs:
       - name: clean
         run: |
           rm -rf ${{ github.workspace }}
-          mkdir -p ${{ github.workspace }}/starrocks
+          mkdir -p ${{ github.workspace }}
 
       - name: BRANCH INFO
         id: branch
@@ -394,8 +395,7 @@ jobs:
         shell: bash
         timeout-minutes: 60
         run: |
-          set -ex
-          rm -rf ./elastic-service && ln -s /var/lib/elastic-service ./elastic-service && cd elastic-service && git pull
+          rm -rf ./ci-tool && cp -rf /var/lib/ci-tool ./ci-tool && cd ci-tool && git pull && source lib/init.sh
           ./bin/elastic-ut.sh --pr ${PR_NUMBER} --module fe --branch ${{steps.branch.outputs.branch}} --build Release --repository ${{ github.repository }}
 
       - name: Clean ECI
@@ -452,3 +452,4 @@ jobs:
           rm -f ${{ steps.run_ut.outputs.RES_FILE }}
           rm -f ${{ steps.run_ut.outputs.RES_LOG }}
           rm -rf ${{ steps.run_ut.outputs.COV_DIR }}
+          rm -rf ${{ github.workspace }}/*