-
Notifications
You must be signed in to change notification settings - Fork 123
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This protects our token secrets from PR attackers. Exposing github secure tokens as part of random PR build system is a security risk: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Instead, we should export the relevant PR information and then run the workflow which has our tokens. Should fix #226.
- Loading branch information
1 parent
4851107
commit 4da9693
Showing
2 changed files
with
67 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -259,7 +259,6 @@ jobs: | |
compiler: gcc-6 | ||
clang-runtime: '11' | ||
coverage: true | ||
clang-format: true | ||
|
||
- name: ubu18-gcc8-runtime11 | ||
os: ubuntu-18.04 | ||
|
@@ -300,6 +299,17 @@ jobs: | |
- uses: actions/checkout@v2 | ||
with: | ||
fetch-depth: 0 | ||
- name: Save PR Info | ||
if: ${{ matrix.coverage == true }} | ||
run: | | ||
mkdir -p ./pr | ||
echo ${{ github.event.number }} > ./pr/NR | ||
echo ${{ github.repository }} > ./pr/REPO | ||
- uses: actions/upload-artifact@v2 | ||
if: ${{ matrix.coverage == true }} | ||
with: | ||
name: pr | ||
path: pr/ | ||
- uses: nelonoel/[email protected] | ||
- name: Setup default Build Type | ||
run: | | ||
|
@@ -566,15 +576,6 @@ jobs: | |
python3 -m pip show lit | ||
cat obj/CMakeCache.txt | ||
cat obj/CMakeFiles/*.log | ||
- name: Invoke workflow clang-format on compiler-research | ||
if: ${{ success() && (matrix.clang-format == true) }} | ||
uses: benc-uk/workflow-dispatch@v1 | ||
with: | ||
workflow: SuggestFormattingChanges | ||
repo: compiler-research/knowall | ||
token: ${{ secrets.PERSONAL_TOKEN }} | ||
ref: main # The SuggestFormattingChanges branch | ||
inputs: '{ "repo": "${{ github.repository }}", "pull_id": "${{ github.event.number }}" }' | ||
- name: Setup tmate session | ||
if: ${{ failure() }} | ||
uses: mxschmitt/action-tmate@v3 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
name: PostMain | ||
on: | ||
workflow_run: | ||
workflows: [Main] | ||
types: [completed] | ||
|
||
jobs: | ||
knowall: | ||
runs-on: ubuntu-latest | ||
if: > | ||
${{ github.event.workflow_run.event == 'pull_request'}} | ||
steps: | ||
- name: 'Download artifact' | ||
uses: actions/[email protected] | ||
with: | ||
script: | | ||
var artifacts = await github.actions.listWorkflowRunArtifacts({ | ||
owner: context.repo.owner, | ||
repo: context.repo.repo, | ||
run_id: ${{github.event.workflow_run.id }}, | ||
}); | ||
var matchArtifact = artifacts.data.artifacts.filter((artifact) => { | ||
return artifact.name == "pr" | ||
})[0]; | ||
var download = await github.actions.downloadArtifact({ | ||
owner: context.repo.owner, | ||
repo: context.repo.repo, | ||
artifact_id: matchArtifact.id, | ||
archive_format: 'zip', | ||
}); | ||
var fs = require('fs'); | ||
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); | ||
- run: | | ||
unzip pr.zip | ||
cat ./NR | ||
cat ./REPO | ||
echo "PR_NUMBER=`cat ./NR`" >> $GITHUB_ENV | ||
echo "PR_REPO=`cat ./REPO`" >> $GITHUB_ENV | ||
- uses: actions/checkout@v2 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Invoke workflow clang-format on compiler-research | ||
uses: benc-uk/workflow-dispatch@v1 | ||
with: | ||
workflow: SuggestFormattingChanges | ||
repo: compiler-research/knowall | ||
token: ${{ secrets.PERSONAL_TOKEN }} | ||
ref: main # The SuggestFormattingChanges branch | ||
inputs: '{ "repo": "$PR_REPO", "pull_id": "$PR_NUMBER" }' | ||
|
||
- name: Failed job config | ||
if: ${{ failure() }} | ||
run: | | ||
export |