mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
ci: Fix Development Freeze Automation
Due to the limitation of `GITHUB_TOKEN` when running workflows from forks, it's required to split the `development_freeze` workflow in two. * First workflow will run on the `pull_request` trigger and save the PR number in the artifact. This workflow is running with read-only permissions on `GITHUB_TOKEN`. * Second workflow will get triggered on `workflow_run`. It will be run directly in the `systemd/systemd` context and can get permission to be able to create comments on PR. GITHUB_TOKEN limitations: * https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token GitHub Security Labs Article - How to correctly and safely overcome GITHUB_TOKEN limitations: * https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
This commit is contained in:
parent
45ab6f2a37
commit
4dab1eb952
57
.github/workflows/development_freeze.yml
vendored
57
.github/workflows/development_freeze.yml
vendored
@ -3,27 +3,72 @@
|
||||
|
||||
name: Development Freeze
|
||||
on:
|
||||
pull_request:
|
||||
types: [ opened, reopened, synchronize ]
|
||||
branches: [ main ]
|
||||
workflow_run:
|
||||
workflows: [ Gather Pull Request Metadata ]
|
||||
types:
|
||||
- completed
|
||||
|
||||
env:
|
||||
PULL_REQUEST_METADATA_DIR: pull_request
|
||||
PULL_REQUEST_METADATA_FILE: metadata
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
freezer:
|
||||
if: >
|
||||
github.event.workflow_run.event == 'pull_request' &&
|
||||
github.event.workflow_run.conclusion == 'success' &&
|
||||
github.repository == 'systemd/systemd'
|
||||
runs-on: ubuntu-22.04
|
||||
if: github.repository == 'systemd/systemd'
|
||||
|
||||
permissions:
|
||||
pull-requests: write
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
|
||||
- name: Download Pull Request Metadata artifact
|
||||
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
|
||||
with:
|
||||
script: |
|
||||
const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
run_id: ${{ github.event.workflow_run.id }},
|
||||
});
|
||||
|
||||
const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
|
||||
return artifact.name == "${{ env.PULL_REQUEST_METADATA_FILE }}"
|
||||
})[0];
|
||||
|
||||
const download = await github.rest.actions.downloadArtifact({
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
artifact_id: matchArtifact.id,
|
||||
archive_format: 'zip',
|
||||
});
|
||||
|
||||
const fs = require('fs');
|
||||
fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data));
|
||||
|
||||
- run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip
|
||||
|
||||
- name: 'Get Pull Request number'
|
||||
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
script: |
|
||||
const fs = require('fs');
|
||||
const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}'));
|
||||
core.exportVariable('pr_number', pr_number);
|
||||
|
||||
- name: Repository checkout
|
||||
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Development Freezer
|
||||
uses: redhat-plumbers-in-action/devel-freezer@1bce2d1d64db1a22f13cd6e4bff0b4f3847236c7
|
||||
uses: redhat-plumbers-in-action/devel-freezer@13b6551f19ade74ca79be4cab06b815a4ffffa64
|
||||
with:
|
||||
pr-number: ${{ env.pr_number }}
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
37
.github/workflows/gather-pr-metadata.yml
vendored
Normal file
37
.github/workflows/gather-pr-metadata.yml
vendored
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
|
||||
name: Gather Pull Request Metadata
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [ main ]
|
||||
|
||||
env:
|
||||
PULL_REQUEST_METADATA_DIR: pull_request
|
||||
PULL_REQUEST_METADATA_FILE: metadata
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
gather-metadata:
|
||||
if: github.repository == 'systemd/systemd'
|
||||
runs-on: ubuntu-22.04
|
||||
|
||||
steps:
|
||||
- name: Repository checkout
|
||||
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Store PR number in file
|
||||
run: |
|
||||
mkdir -p ./${{ env.PULL_REQUEST_METADATA_DIR }}
|
||||
echo ${{ github.event.number }} > ./${{ env.PULL_REQUEST_METADATA_DIR }}/${{ env.PULL_REQUEST_METADATA_FILE }}
|
||||
|
||||
- name: Upload Pull Request Metadata artifact
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
|
||||
with:
|
||||
name: ${{ env.PULL_REQUEST_METADATA_FILE }}
|
||||
path: ${{ env.PULL_REQUEST_METADATA_DIR }}
|
||||
retention-days: 1
|
Loading…
Reference in New Issue
Block a user