Refactor amalgamation workflow to avoid dangerous use of pull_request_target (#3969)

2023-03-08 09:41:20 -03:00 · 2023-03-08 09:41:20 -03:00 · 31c00dc729
commit 31c00dc729
parent 6cec5aefc9
2 changed files with 91 additions and 38 deletions
--- a/.github/workflows/check_amalgamation.yml
+++ b/.github/workflows/check_amalgamation.yml
@ -1,9 +1,24 @@
 name: "Check amalgamation"

 on:
-  pull_request_target:
+  pull_request:
+
+permissions: read-all

 jobs:
+  save:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Save PR number
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/number
+          echo ${{ github.event.pull_request.user.login }} > ./pr/author
+      - uses: actions/upload-artifact@v2
+        with:
+          name: pr
+          path: pr/
+
  check:
    runs-on: ubuntu-latest
    env:
@ -53,40 +68,3 @@ jobs:
          astyle $ASTYLE_FLAGS $(find docs/examples include tests -type f \( -name '*.hpp' -o -name '*.cpp' -o -name '*.cu' \) -not -path 'tests/thirdparty/*' -not -path 'tests/abi/include/nlohmann/*' | sort)
          echo Check
          find $MAIN_DIR -name '*.orig' -exec false {} \+
-
-      - name: Comment on pull request
-        if: failure()
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            const author = context.payload.pull_request.user.login
-            const opts = github.rest.issues.listForRepo.endpoint.merge({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              creator: author,
-              state: 'all'
-            })
-
-            let first = true
-            const issues = await github.paginate(opts)
-            for (const issue of issues) {
-              if (issue.number === context.issue.number) {
-                continue
-              }
-
-              if (issue.pull_request) {
-                first = false
-                break
-              }
-            }
-
-            await github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: '## 🔴 Amalgamation check failed! 🔴\nThe source code has not been amalgamated.'
-                    + (first ? ' @' + author + ' Please read and follow the [Contribution Guidelines]'
-                               + '(https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md#files-to-change).'
-                             : '')
-              })
--- a/.github/workflows/comment_check_amalgamation.yml
+++ b/.github/workflows/comment_check_amalgamation.yml
@ -0,0 +1,75 @@
+name: Comment Check Amalgamation
+on:
+  workflow_run:
+    workflows: ["Check amalgamation"]
+    types:
+      - completed
+
+permissions: {}
+
+jobs:
+  comment:
+    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+      issues: read
+      pull-requests: write
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # v6.4.0
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr"
+            })[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+      - run: unzip pr.zip
+
+      - name: 'Comment on PR'
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # v6.4.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            var fs = require('fs');
+            const author = fs.readFileSync('./author')
+            const issue_number = Number(fs.readFileSync('./number'));
+            const opts = github.rest.issues.listForRepo.endpoint.merge({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              creator: author,
+              state: 'all'
+            })
+            let first = true
+            const issues = await github.paginate(opts)
+            for (const issue of issues) {
+              if (issue.number === issue_number) {
+                continue
+              }
+              if (issue.pull_request) {
+                first = false
+                break
+              }
+            }
+            await github.rest.issues.createComment({
+              issue_number: issue_number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '## 🔴 Amalgamation check failed! 🔴\nThe source code has not been amalgamated.'
+                    + (first ? ' @' + author + ' Please read and follow the [Contribution Guidelines]'
+                               + '(https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md#files-to-change).'
+                             : '')
+              })