From 4da9693d841669612ebbb4b5be7f7c18e2213b7d Mon Sep 17 00:00:00 2001
From: Vassil Vassilev
Date: Tue, 27 Apr 2021 19:08:45 +0000
Subject: [PATCH] Run token-based CI in a secure way.

This protects our token secrets from PR attackers. Exposing github secure tokens as part of random PR build system is a security risk: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Instead, we should export the relevant PR information and then run the workflow which has our tokens. Should fix #226.
---
.github/workflows/ci.yml | 21 +++++++-------
.github/workflows/postci.yml | 56 ++++++++++++++++++++++++++++++++++++
2 files changed, 67 insertions(+), 10 deletions(-)
create mode 100644 .github/workflows/postci.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ba9dabb9f..4d2e500cc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -259,7 +259,6 @@ jobs: compiler: gcc-6 clang-runtime: '11' coverage: true - clang-format: true - name: ubu18-gcc8-runtime11 os: ubuntu-18.04
@@ -300,6 +299,17 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 + - name: Save PR Info + if: ${{ matrix.coverage == true }} + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + echo ${{ github.repository }} > ./pr/REPO + - uses: actions/upload-artifact@v2 + if: ${{ matrix.coverage == true }} + with: + name: pr + path: pr/ - uses: nelonoel/branch-name@v1.0.1 - name: Setup default Build Type run: |
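Review bot: The Save PR Info step writes `github.event.number` and `github.repository` into an artifact that postci.yml later reads while holding PERSONAL_TOKEN, but nothing in the step records that this file is produced inside the pull request's own run, where a PR that edits ci.yml decides what gets written; add `# Read by postci.yml (workflow_run). Built by the PR's run, so the consumer must validate it.` above `mkdir -p ./pr`. The REPO file is not needed: postci.yml runs in the same base repository, so `github.repository` there already yields the value written here, and dropping it shrinks the untrusted surface to a single integer. If ci.yml is also triggered by push, `github.event.number` is empty on those runs and NR becomes an empty line; harmless while postci.yml only acts on `workflow_run.event == 'pull_request'`, but `if: ${{ matrix.coverage == true && github.event_name == 'pull_request' }}` on both added steps would make that contract explicit. The enclosing steps list continues outside the hunk.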
@@ -566,15 +576,6 @@ jobs: python3 -m pip show lit cat obj/CMakeCache.txt cat obj/CMakeFiles/*.log - - name: Invoke workflow clang-format on compiler-research - if: ${{ success() && (matrix.clang-format == true) }} - uses: benc-uk/workflow-dispatch@v1 - with: - workflow: SuggestFormattingChanges - repo: compiler-research/knowall - token: ${{ secrets.PERSONAL_TOKEN }} - ref: main # The SuggestFormattingChanges branch - inputs: '{ "repo": "${{ github.repository }}", "pull_id": "${{ github.event.number }}" }' - name: Setup tmate session if: ${{ failure() }} uses: mxschmitt/action-tmate@v3
diff --git a/.github/workflows/postci.yml b/.github/workflows/postci.yml
new file mode 100644
index 000000000..41bfe5706
--- /dev/null
+++ b/.github/workflows/postci.yml
@@ -0,0 +1,56 @@
+name: PostMain
+on:
+ workflow_run:
+ workflows: [Main]
+ types: [completed]
+
+jobs:
+ knowall:
+ runs-on: ubuntu-latest
+ if: >
+ ${{ github.event.workflow_run.event == 'pull_request'}}
+ steps:
+ - name: 'Download artifact'
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "pr"
+ })[0];
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+ - run: |
+ unzip pr.zip
+ cat ./NR
+ cat ./REPO
+ echo "PR_NUMBER=`cat ./NR`" >> $GITHUB_ENV
+ echo "PR_REPO=`cat ./REPO`" >> $GITHUB_ENV
+
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Invoke workflow clang-format on compiler-research
+ uses: benc-uk/workflow-dispatch@v1
+ with:
+ workflow: SuggestFormattingChanges
+ repo: compiler-research/knowall
+ token: ${{ secrets.PERSONAL_TOKEN }}
+ ref: main # The SuggestFormattingChanges branch
+ inputs: '{ "repo": "$PR_REPO", "pull_id": "$PR_NUMBER" }'
+
+ - name: Failed job config
+ if: ${{ failure() }}
+ run: |
+ export
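Review bot: The artifact contents are used without validation in the `- run:` step: NR and REPO were written by the pull request's own workflow run, so a PR that edits ci.yml controls them, yet `echo "PR_NUMBER=`cat ./NR`" >> $GITHUB_ENV` appends whatever they contain (a multi-line value defines additional variables for every later step) and the same values are then forwarded to the workflow dispatched with PERSONAL_TOKEN. Accept NR only when it is a plain integer and fail the job otherwise, and take the repository from `github.repository` (postci runs in the base repository, which is exactly what ci.yml wrote) rather than from the artifact. Separately, `inputs: '{ "repo": "$PR_REPO", "pull_id": "$PR_NUMBER" }'` sends the literal strings `$PR_REPO` and `$PR_NUMBER`: values under `with:` are not shell-expanded, only `${{ }}` expressions are, so the dispatch currently carries placeholders instead of the PR number. If the coverage job never uploaded the artifact, `matchArtifact` is undefined and `matchArtifact.id` throws a bare TypeError; a short guard with a clear message makes that failure readable. The rewritten download guard, run step and inputs line follow; the hunk appears to end with the `export` line of the last step.
```yaml
          })[0];
          if (!matchArtifact) {
            core.setFailed('no "pr" artifact on workflow run ${{ github.event.workflow_run.id }}');
            return;
          }
          # … unchanged: downloadArtifact call and pr.zip write …
      - run: |
          unzip pr.zip
          PR_NUMBER="$(cat ./NR)"
          # NR comes from the untrusted PR run: accept a plain integer only, and write a
          # single well-formed line so a crafted artifact cannot define extra variables.
          if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
            echo "artifact NR is not a pull request number" >&2
            exit 1
          fi
          echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
      # … unchanged: checkout step …
      - name: Invoke workflow clang-format on compiler-research
        # … unchanged: uses, workflow, repo, token, ref …
          inputs: '{ "repo": "${{ github.repository }}", "pull_id": "${{ env.PR_NUMBER }}" }'
```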