github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-02-14 09:39:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: workflow to update actions dist (#760)

Browse Source 
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
This commit is contained in:
Ramon Petgrave
2024-05-06 17:56:35 -04:00
committed by GitHub
parent 9c4e2196d8
commit 23160d82c0
2 changed files with 117 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
.github/workflows/update-actions-dist-post-commit.yml vendored Normal file
View File

@@ -0,0 +1,96 @@
# A workflow to run against renovate-bot's PRs,
# such as `make package` after it updates the package.json and package-lock.json files.
# The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact.
# Then a higher-privilege Job applies the diff and pushes the changes to the PR.
# It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes!
# There have been vulnerabilities with using `git apply` https://github.blog/2023-04-25-git-security-vulnerabilities-announced-4/
# At this point a compromised git binary cannot modify any of this repo's branches, only the PR fork's branch,
# due to our branch protection rules and CODEOWNERS.
# It aslso cannot submit a new release or modify exsiting releases due to tag protection rules.
name: Update actions dist post-commit
permissions: {}
on:
workflow_dispatch:
inputs:
pr_number:
description: "The pull request number."
required: true
type: number
jobs:
diff:
permissions:
# This Job executes the PR's untrusted code, so it must how low permissions.
pull-requests: read
outputs:
patch_not_empty: ${{ steps.diff.outputs.patch_not_empty }}
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: ${{ github.repository }}
persist-credentials: false
- name: checkout-pr
env:
GH_TOKEN: ${{ github.token }}
run: gh pr checkout ${{ inputs.pr_number }}
- name: run-command
run: |
(
cd ./actions/installer/dist/../ && \
make clean && \
make package
)
- name: diff
id: diff
run: |
git add .
git status
git diff HEAD > changes.patch
[ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true
echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
- name: upload
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: changes.patch
path: changes.patch
push:
if: needs.diff.outputs.patch_not_empty == 'true'
needs: diff
runs-on: ubuntu-latest
permissions:
# This Job does not run untrusted code, but it does need to push changes to the PR's branch.
pull-requests: read
contents: write
steps:
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: checkout-pr
env:
GH_TOKEN: ${{ github.token }}
run: gh pr checkout ${{ inputs.pr_number }}
- name: download-patch
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: changes.patch
- id: apply
run: |
git apply changes.patch
rm changes.patch
# example from
# https://github.com/actions/checkout/blob/cd7d8d697e10461458bc61a30d094dc601a8b017/README.md#push-a-commit-using-the-built-in-token
- name: push
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git add .
git status
git commit -m "update actions dist"
git push

21
docs/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,21 @@
# Contributing
## Updating Github Actions Dependencies
### Renovate-Bot PRs
`renovate-bot` will periodically send PRs to update the `package.json` and `package-lock.json` in the Github Actions of this repo.
But, it will not also automatically recompile the packages into `.js` files.
We use a Workflow [Update actions dist post-commit](../.github/workflows/update-actions-dist-post-commit.yml) to
help maintainers easily recompile the Github Actions against a PR.
Use the UI to invoke the workflow
[update-actions-dist-post-commit.yml](https://github.com/slsa-framework/slsa-verifier/actions/workflows/update-actions-dist-post-commit.yml)
or invoke with
```shell
gh workflow run update-actions-dist-post-commit.yml -F pr_number=<pull request number>
```