github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-12 03:26:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b69efeea0bc4809d8fca48d01a1af6b29d35bf9b
slsa-verifier/.github/workflows/update-actions-dist-post-commit.yml
Ramon Petgrave 18c5f13b3e fix: signoff commit (#767) 
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit

# Testing

- [x] Invoked this PR's branch copy of the workflow against #717, and it
did signoff the commit.
-
9670f76ab8

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
2024-05-22 16:45:20 +00:00

99 lines
3.9 KiB
YAML
Raw Blame History

# A workflow to run against renovate-bot's PRs,
# such as `make package` after it updates the package.json and package-lock.json files.
# The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact.
# Then a higher-privilege Job applies the diff and pushes the changes to the PR.
# It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes!
# There have been vulnerabilities with using `git apply` https://github.blog/2023-04-25-git-security-vulnerabilities-announced-4/
# At this point a compromised git binary cannot modify any of this repo's branches, only the PR fork's branch,
# due to our branch protection rules and CODEOWNERS.
# It aslso cannot submit a new release or modify exsiting releases due to tag protection rules.
name: Update actions dist post-commit
permissions: {}
on:
workflow_dispatch:
inputs:
pr_number:
description: "The pull request number."
required: true
type: number
jobs:
diff:
permissions:
# This Job executes the PR's untrusted code, so it must how low permissions.
pull-requests: read
outputs:
patch_not_empty: ${{ steps.diff.outputs.patch_not_empty }}
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: ${{ github.repository }}
persist-credentials: false
- name: checkout-pr
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ inputs.pr_number }}
run: gh pr checkout "$PR_NUMBER"
- name: run-command
run: |
(
cd ./actions/installer/dist/../ && \
make clean && \
make package
)
- name: diff
id: diff
run: |
git add .
git status
git diff HEAD > changes.patch
[ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true
echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
- name: upload
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: changes.patch
path: changes.patch
push:
if: needs.diff.outputs.patch_not_empty == 'true'
needs: diff
runs-on: ubuntu-latest
permissions:
# This Job does not run untrusted code, but it does need to push changes to the PR's branch.
pull-requests: read
contents: write
steps:
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: checkout-pr
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ inputs.pr_number }}
run: gh pr checkout "$PR_NUMBER"
- name: download-patch
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: changes.patch
- id: apply
run: |
git apply changes.patch
rm changes.patch
# example from
# https://github.com/actions/checkout/blob/cd7d8d697e10461458bc61a30d094dc601a8b017/README.md#push-a-commit-using-the-built-in-token
- name: push
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git add .
git status
git commit -s -m "update actions dist"
git push
Reference in New Issue View Git Blame Copy Permalink