1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

ci: Fix Development Freeze Automation

Due to the limitation of `GITHUB_TOKEN` when running workflows from forks,
it's required to split the `development_freeze` workflow in two.

* First workflow will run on the `pull_request` trigger and save the PR
number in the artifact. This workflow is running with read-only permissions
on `GITHUB_TOKEN`.
* Second workflow will get triggered on `workflow_run`. It will be run
directly in the `systemd/systemd` context and can get permission to be
able to create comments on PR.

GITHUB_TOKEN limitations:

* https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

GitHub Security Labs Article - How to correctly and safely overcome GITHUB_TOKEN limitations:

* https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
This commit is contained in:
Jan Macku 2023-02-03 10:25:51 +01:00 committed by Luca Boccassi
parent 45ab6f2a37
commit 4dab1eb952
2 changed files with 88 additions and 6 deletions

View File

@ -3,27 +3,72 @@
name: Development Freeze
on:
pull_request:
types: [ opened, reopened, synchronize ]
branches: [ main ]
workflow_run:
workflows: [ Gather Pull Request Metadata ]
types:
- completed
env:
PULL_REQUEST_METADATA_DIR: pull_request
PULL_REQUEST_METADATA_FILE: metadata
permissions:
contents: read
jobs:
freezer:
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' &&
github.repository == 'systemd/systemd'
runs-on: ubuntu-22.04
if: github.repository == 'systemd/systemd'
permissions:
pull-requests: write
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- name: Download Pull Request Metadata artifact
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
with:
script: |
const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{ github.event.workflow_run.id }},
});
const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "${{ env.PULL_REQUEST_METADATA_FILE }}"
})[0];
const download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
const fs = require('fs');
fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data));
- run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip
- name: 'Get Pull Request number'
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const fs = require('fs');
const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}'));
core.exportVariable('pr_number', pr_number);
- name: Repository checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
with:
fetch-depth: 0
- name: Development Freezer
uses: redhat-plumbers-in-action/devel-freezer@1bce2d1d64db1a22f13cd6e4bff0b4f3847236c7
uses: redhat-plumbers-in-action/devel-freezer@13b6551f19ade74ca79be4cab06b815a4ffffa64
with:
pr-number: ${{ env.pr_number }}
token: ${{ secrets.GITHUB_TOKEN }}

View File

@ -0,0 +1,37 @@
---
name: Gather Pull Request Metadata
on:
pull_request:
branches: [ main ]
env:
PULL_REQUEST_METADATA_DIR: pull_request
PULL_REQUEST_METADATA_FILE: metadata
permissions:
contents: read
jobs:
gather-metadata:
if: github.repository == 'systemd/systemd'
runs-on: ubuntu-22.04
steps:
- name: Repository checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
with:
fetch-depth: 0
- name: Store PR number in file
run: |
mkdir -p ./${{ env.PULL_REQUEST_METADATA_DIR }}
echo ${{ github.event.number }} > ./${{ env.PULL_REQUEST_METADATA_DIR }}/${{ env.PULL_REQUEST_METADATA_FILE }}
- name: Upload Pull Request Metadata artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
with:
name: ${{ env.PULL_REQUEST_METADATA_FILE }}
path: ${{ env.PULL_REQUEST_METADATA_DIR }}
retention-days: 1