ci: Fix Development Freeze Automation

Due to the limitation of `GITHUB_TOKEN` when running workflows from forks, it's required to split the `development_freeze` workflow in two. * First workflow will run on the `pull_request` trigger and save the PR number in the artifact. This workflow is running with read-only permissions on `GITHUB_TOKEN`. * Second workflow will get triggered on `workflow_run`. It will be run directly in the `systemd/systemd` context and can get permission to be able to create comments on PR. GITHUB_TOKEN limitations: * https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token GitHub Security Labs Article - How to correctly and safely overcome GITHUB_TOKEN limitations: * https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
2024-07-09 04:26:06 +00:00 · 2023-02-03 10:25:51 +01:00 · 2023-02-03 10:25:51 +01:00 · 4dab1eb952
commit 4dab1eb952
parent 45ab6f2a37
2 changed files with 88 additions and 6 deletions
--- a/.github/workflows/development_freeze.yml
+++ b/.github/workflows/development_freeze.yml
@ -3,27 +3,72 @@

 name: Development Freeze
 on:
-  pull_request:
-    types: [ opened, reopened, synchronize ]
-    branches: [ main ]
+  workflow_run:
+    workflows: [ Gather Pull Request Metadata ]
+    types:
+      - completed
+
+env:
+  PULL_REQUEST_METADATA_DIR: pull_request
+  PULL_REQUEST_METADATA_FILE: metadata

 permissions:
  contents: read

 jobs:
  freezer:
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.repository == 'systemd/systemd'
    runs-on: ubuntu-22.04
-    if: github.repository == 'systemd/systemd'

    permissions:
      pull-requests: write

    steps:
-      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - name: Download Pull Request Metadata artifact
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
+        with:
+          script: |
+            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{ github.event.workflow_run.id }},
+            });
+
+            const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "${{ env.PULL_REQUEST_METADATA_FILE }}"
+            })[0];
+
+            const download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+
+            const fs = require('fs');
+            fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data));
+
+      - run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip
+
+      - name: 'Get Pull Request number'
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}'));
+            core.exportVariable('pr_number', pr_number);
+
+      - name: Repository checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
        with:
          fetch-depth: 0

      - name: Development Freezer
-        uses: redhat-plumbers-in-action/devel-freezer@1bce2d1d64db1a22f13cd6e4bff0b4f3847236c7
+        uses: redhat-plumbers-in-action/devel-freezer@13b6551f19ade74ca79be4cab06b815a4ffffa64
        with:
+          pr-number: ${{ env.pr_number }}
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/gather-pr-metadata.yml
+++ b/.github/workflows/gather-pr-metadata.yml
@ -0,0 +1,37 @@
+---
+
+name: Gather Pull Request Metadata
+
+on:
+  pull_request:
+    branches: [ main ]
+
+env:
+  PULL_REQUEST_METADATA_DIR: pull_request
+  PULL_REQUEST_METADATA_FILE: metadata
+
+permissions:
+  contents: read
+
+jobs:
+  gather-metadata:
+    if: github.repository == 'systemd/systemd'
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Repository checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        with:
+          fetch-depth: 0
+
+      - name: Store PR number in file
+        run: |
+          mkdir -p ./${{ env.PULL_REQUEST_METADATA_DIR }}
+          echo ${{ github.event.number }} > ./${{ env.PULL_REQUEST_METADATA_DIR }}/${{ env.PULL_REQUEST_METADATA_FILE }}
+
+      - name: Upload Pull Request Metadata artifact
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        with:
+          name: ${{ env.PULL_REQUEST_METADATA_FILE }}
+          path: ${{ env.PULL_REQUEST_METADATA_DIR }}
+          retention-days: 1