From 865c6775428a3e98d9dab0415fe1e560729c02e6 Mon Sep 17 00:00:00 2001
From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
Date: Tue, 20 Jun 2023 05:46:02 +0200
Subject: [PATCH 1/2] Fix two security issues (#15451)

* Fix run_test_cases.yml security issue

* Properly fix #15065
---
 .github/workflows/run_test_cases.yml          | 46 ++++++++++++++-----
 .../workflows/run_test_cases_pr_comment.yml   | 35 ++++++++++++++
 .../web-interface-check-pr-comment.yml        | 26 +++++++++++
 .github/workflows/web-interface-check.yml     |  9 +++-
 4 files changed, 103 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/run_test_cases_pr_comment.yml
 create mode 100644 .github/workflows/web-interface-check-pr-comment.yml

diff --git a/.github/workflows/run_test_cases.yml b/.github/workflows/run_test_cases.yml
index c58605259c2..0d751b21e90 100644
--- a/.github/workflows/run_test_cases.yml
+++ b/.github/workflows/run_test_cases.yml
@@ -1,10 +1,12 @@
 name: run test cases
 on:
-  pull_request_target:
+  pull_request:
   issue_comment:
     types: [created, edited]
 
+permissions: read-all
+
 # github.head_ref is only defined on pull_request events
 concurrency:
   group: ${{ github.workflow }}-${{ github.actor }}-${{ github.head_ref || github.run_id }}
@@ -277,16 +279,38 @@ jobs:
           JOBID=`cat /usr/local/lib/node_modules/@cctest/scheduler/logs/PR-TEST/nowJobId.log`
           cd ..
           python3 -u ./python/main.py --target=job_editor --jobid=$JOBID
-      - name: Update Comment
-        uses: peter-evans/create-or-update-comment@v1
+      - name: Write comment body and issue number to file
+        uses: actions/github-script@v5
+        env:
+          PR_AUTHOR: ${{ steps.parse_pr.outputs.pr_author }}
+          EDITOR_VERSION: ${{ steps.run_test_cases.outputs.editor }}
+          TASK_STATUS: ${{ steps.run_test_cases.outputs.status }}
+          TASK_REPORT: ${{ steps.run_test_cases.outputs.report }}
+          JOB_ID: ${{ steps.run_test_cases.outputs.jobid }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+          PR_NUMBER: ${{ steps.get_pr.outputs.pr_number }}
         with:
-          issue-number: ${{ steps.get_pr.outputs.pr_number }}
-          body: |
-            @${{ steps.parse_pr.outputs.pr_author }}, Please check the result of `run test cases`:
+          script: |
+            const fs = require('fs');
+            fs.writeFileSync('pr.txt', process.env.PR_NUMBER);
+            fs.writeFileSync('comment.txt', `@${process.env.PR_AUTHOR}, Please check the result of \`run test cases\`:
             - Test Platform: PR-Test
-            - Editor Version: ${{ steps.run_test_cases.outputs.editor }}
-            - Task Result: ${{ steps.run_test_cases.outputs.status }}
-            - Task URL: http://cctest.cocos.org/#/reportview/PR-TEST/${{ steps.run_test_cases.outputs.jobid }}/-1
-            - GitHub Action: https://github.com/cocos/cocos-engine/actions/runs/${{ github.run_id }}
+            - Editor Version: ${process.env.EDITOR_VERSION}
+            - Task Result: ${process.env.TASK_STATUS}
+            - Task URL: http://cctest.cocos.org/#/reportview/PR-TEST/${process.env.JOB_ID}/-1
+            - GitHub Action: https://github.com/cocos/cocos-engine/actions/runs/${process.env.GITHUB_RUN_ID}
             ## Task Details
-            ${{ steps.run_test_cases.outputs.report }}
+            ${process.env.TASK_REPORT}`);
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: pr.txt
+          path: |
+            pr.txt
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: comment.txt
+          path: |
+            comment.txt
+
\ No newline at end of file
diff --git a/.github/workflows/run_test_cases_pr_comment.yml b/.github/workflows/run_test_cases_pr_comment.yml
new file mode 100644
index 00000000000..d5add8a786f
--- /dev/null
+++ b/.github/workflows/run_test_cases_pr_comment.yml
@@ -0,0 +1,35 @@
+name: run test cases PR comment
+on:
+  workflow_run:
+    workflows: ["run test cases"]
+    types:
+      - completed
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  post-pr-comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          gh run download -R "${{ github.repository }}" --name "pr.txt" "$RUN_ID"
+          gh run download -R "${{ github.repository }}" --name "comment.txt" "$RUN_ID"
+      - name: Set PR environment variable
+        uses: actions/github-script@v4
+        with:
+          script: |
+            const fs = require('fs');
+            const pr = fs.readFileSync('pr.txt', 'utf8').trim();
+            core.exportVariable('PR_NUMBER', pr);
+
+      - name: Update Comment
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          body-path: 'comment.txt'
\ No newline at end of file
diff --git a/.github/workflows/web-interface-check-pr-comment.yml b/.github/workflows/web-interface-check-pr-comment.yml
new file mode 100644
index 00000000000..04a347d200d
--- /dev/null
+++ b/.github/workflows/web-interface-check-pr-comment.yml
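Review bot: Both new upload steps are named `Upload artifact`, which makes the run log and any failure message ambiguous; name them `Upload PR number artifact` and `Upload comment artifact`. The `Write comment body and issue number to file` step is the right shape — every PR-derived value reaches the script through `env` rather than being interpolated into `script:`, so there is no expression injection — but nothing in the file explains why the comment is written to disk instead of posted, and a later maintainer may well put `create-or-update-comment` back; add above the step `# This workflow executes PR-controlled code with a read-only token. The comment is handed off via artifacts to run_test_cases_pr_comment.yml (workflow_run), which must treat pr.txt and comment.txt as untrusted input.` `actions/upload-artifact@v2` is an outdated major referenced by a floating tag; pin the current release by full commit SHA so a tag rewrite cannot change what runs here.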
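Review bot: `issue-number: ${{ env.PR_NUMBER }}` is taken verbatim from `pr.txt`, an artifact written while the unprivileged `run test cases` run was executing PR-controlled code, yet this job holds `issues: write` and `pull-requests: write`, so a malicious PR can aim the (equally PR-controlled) `comment.txt` body at any issue or pull request in the repository. The `Set PR environment variable` step should reject anything that is not a short decimal number and, for upstream runs whose `workflow_run.event` is `pull_request`, confirm that the PR it names has `head.sha` equal to `github.event.workflow_run.head_sha` before exporting it; for `issue_comment`-triggered upstream runs the run's head SHA presumably points at the default branch, so only the format check can apply there — worth confirming. The rewrite below uses `github.rest.pulls.get`, which needs `actions/github-script@v5` or later (the sibling step in this patch already uses `@v5`, so this also removes the version mismatch).

```yaml
      # … unchanged: Download artifacts step …
      - name: Set PR environment variable
        uses: actions/github-script@v5
        with:
          script: |
            const fs = require('fs');
            const pr = fs.readFileSync('pr.txt', 'utf8').trim();
            // pr.txt was produced by PR-controlled code: accept only a plain
            // decimal id, and for pull_request runs only the PR whose head
            // commit actually produced this workflow_run.
            if (!/^[1-9][0-9]{0,9}$/.test(pr)) {
              core.setFailed(`pr.txt does not contain a PR number: ${JSON.stringify(pr)}`);
              return;
            }
            const run = context.payload.workflow_run;
            if (run.event === 'pull_request') {
              const { data } = await github.rest.pulls.get({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: Number(pr),
              });
              if (data.head.sha !== run.head_sha) {
                core.setFailed(`PR #${pr} head ${data.head.sha} does not match run head ${run.head_sha}`);
                return;
              }
            }
            core.exportVariable('PR_NUMBER', pr);
      # … unchanged: Update Comment step …
```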
@@ -0,0 +1,26 @@
+name: Interface check PR comment
+on:
+  workflow_run:
+    workflows: [" Interface check"]
+    types:
+      - completed
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  post-pr-comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          gh run download -R "${{ github.repository }}" --name "interface-diff.txt" "$RUN_ID"
+      - name: Post interface-diff.txt as comment
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          path: interface-diff.txt
+          number: ${{ github.event.workflow_run.pull_requests[0].number }}
\ No newline at end of file
diff --git a/.github/workflows/web-interface-check.yml b/.github/workflows/web-interface-check.yml
index 25f5e3492dd..f96ce3b2235 100644
--- a/.github/workflows/web-interface-check.yml
+++ b/.github/workflows/web-interface-check.yml
@@ -1,13 +1,15 @@
 name: Interface check
 #on: push
-on: [pull_request_target]
+on: [pull_request]
 
 # github.head_ref is only defined on pull_request events
 concurrency:
   group: ${{ github.workflow }}-${{ github.actor }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   interface_check:
     if:
@@ -79,6 +81,9 @@ jobs:
       cat ./interface-diff.txt
       node ./.github/workflows/interface-check-report.js
 
-    - uses: marocchino/sticky-pull-request-comment@v2
+    - name: Upload interface-diff.txt artifact
+      uses: actions/upload-artifact@v2
       with:
+        name: interface-diff.txt
         path: ./engine/interface-diff.txt
+
\ No newline at end of file

From 8a6bcf157302a956c80a4fc9cd1a38f95fc3022e Mon Sep 17 00:00:00 2001
From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
Date: Wed, 12 Jul 2023 03:47:55 +0200
Subject: [PATCH 2/2] Only run commenting workflows on success. (#15499)

---
 .github/workflows/run_test_cases_pr_comment.yml      | 1 +
 .github/workflows/web-interface-check-pr-comment.yml | 1 +
 2 files changed, 2 insertions(+)
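Review bot: The filter `workflows: [" Interface check"]` carries a leading space, while the producing workflow is declared as `name: Interface check` in the next file section of this patch; unless that space is an artifact of this listing, the `workflow_run` trigger never matches and no interface-diff comment is ever posted — it should read `workflows: ["Interface check"]`. Separately, `number: ${{ github.event.workflow_run.pull_requests[0].number }}` is the right, forge-supplied source for the PR id (unlike the artifact-based handoff in the sibling workflow), but `workflow_run.pull_requests` is, as far as I know, empty for runs triggered from fork PRs, so the comment step would then receive an empty `number` and fail. Make that case explicit with `if: github.event.workflow_run.pull_requests[0] != null` on the comment step, or resolve the PR from `github.event.workflow_run.head_sha` via the API when the array is empty.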
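Review bot: `uses: actions/upload-artifact@v2` is a superseded major referenced by a floating tag (v3 was already available at this commit's date); pin the current release by full commit SHA, e.g. `uses: actions/upload-artifact@<sha> # v3`, so a tag rewrite cannot change what runs in this job. It is also worth recording the trust boundary this hunk creates, since the uploaded file is generated while PR code executes and is posted verbatim by the privileged comment workflow: `# interface-diff.txt is produced by PR-controlled code; the workflow_run consumer posts it as-is`. The preceding `node ./.github/workflows/interface-check-report.js` line is context here — if that script previously relied on a write-capable token from `pull_request_target`, confirm it still does what is intended under `permissions: read-all`.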
diff --git a/.github/workflows/run_test_cases_pr_comment.yml b/.github/workflows/run_test_cases_pr_comment.yml
index d5add8a786f..7c425fb30c9 100644
--- a/.github/workflows/run_test_cases_pr_comment.yml
+++ b/.github/workflows/run_test_cases_pr_comment.yml
@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   post-pr-comment:
+    if: github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
diff --git a/.github/workflows/web-interface-check-pr-comment.yml b/.github/workflows/web-interface-check-pr-comment.yml
index 04a347d200d..ec549062ed7 100644
--- a/.github/workflows/web-interface-check-pr-comment.yml
+++ b/.github/workflows/web-interface-check-pr-comment.yml
@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   post-pr-comment:
+    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
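Review bot: The new `if:` records no reason, and the condition has a visible side effect worth stating: when the upstream run fails or is cancelled, no comment is posted at all. Add above the line `# Skip failed/cancelled upstream runs: they may not have uploaded pr.txt/comment.txt, and gh run download would fail on the missing artifact`. Since the comment body carries the test outcome in `TASK_STATUS`, please confirm that a failing test case still leaves the upstream job with conclusion `success` (the step that decides this is outside this patch); otherwise failed results are exactly the ones that never get reported.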
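Review bot: Gating on `conclusion == 'success'` means the interface diff is only commented when the producing job succeeded; if `interface-check-report.js` exits non-zero when a diff is detected (it is outside this patch, so I cannot tell), this suppresses precisely the comment reviewers need. If that is the case, either make the upstream report step non-fatal so the artifact is uploaded with a green conclusion, or relax this to `if: github.event.workflow_run.conclusion != 'cancelled' && github.event.workflow_run.conclusion != 'skipped'` and let `gh run download` fail only when the artifact is genuinely absent. Either way, a one-line comment stating the intent, e.g. `# only comment on runs that uploaded interface-diff.txt`, would keep the next maintainer from guessing.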