ci: Fix Development Freeze Automation
Because of the `GITHUB_TOKEN` restrictions that apply when workflows run for pull requests from forks, the `development_freeze` workflow has to be split in two. * The first workflow runs on the `pull_request` trigger and saves the PR number in an artifact. It runs with a read-only `GITHUB_TOKEN`. * The second workflow is triggered by `workflow_run`. It runs directly in the `systemd/systemd` context and can be granted the permission needed to create comments on the PR. GITHUB_TOKEN limitations: * https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token GitHub Security Lab article - How to correctly and safely overcome GITHUB_TOKEN limitations: * https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
This commit is contained in:
parent
45ab6f2a37
commit
4dab1eb952
57
.github/workflows/development_freeze.yml
vendored
57
.github/workflows/development_freeze.yml
vendored
|
@ -3,27 +3,72 @@
|
||||||
|
|
||||||
name: Development Freeze
|
name: Development Freeze
|
||||||
on:
|
on:
|
||||||
pull_request:
|
workflow_run:
|
||||||
types: [ opened, reopened, synchronize ]
|
workflows: [ Gather Pull Request Metadata ]
|
||||||
branches: [ main ]
|
types:
|
||||||
|
- completed
|
||||||
|
|
||||||
|
env:
|
||||||
|
PULL_REQUEST_METADATA_DIR: pull_request
|
||||||
|
PULL_REQUEST_METADATA_FILE: metadata
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
freezer:
|
freezer:
|
||||||
|
if: >
|
||||||
|
github.event.workflow_run.event == 'pull_request' &&
|
||||||
|
github.event.workflow_run.conclusion == 'success' &&
|
||||||
|
github.repository == 'systemd/systemd'
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
if: github.repository == 'systemd/systemd'
|
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
pull-requests: write
|
pull-requests: write
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
|
- name: Download Pull Request Metadata artifact
|
||||||
|
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
|
||||||
|
with:
|
||||||
|
script: |
|
||||||
|
const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
|
||||||
|
owner: context.repo.owner,
|
||||||
|
repo: context.repo.repo,
|
||||||
|
run_id: ${{ github.event.workflow_run.id }},
|
||||||
|
});
|
||||||
|
|
||||||
|
const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
|
||||||
|
return artifact.name == "${{ env.PULL_REQUEST_METADATA_FILE }}"
|
||||||
|
})[0];
|
||||||
|
|
||||||
|
const download = await github.rest.actions.downloadArtifact({
|
||||||
|
owner: context.repo.owner,
|
||||||
|
repo: context.repo.repo,
|
||||||
|
artifact_id: matchArtifact.id,
|
||||||
|
archive_format: 'zip',
|
||||||
|
});
|
||||||
|
|
||||||
|
const fs = require('fs');
|
||||||
|
fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data));
|
||||||
|
|
||||||
|
- run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip
|
||||||
|
|
||||||
|
- name: 'Get Pull Request number'
|
||||||
|
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
|
||||||
|
with:
|
||||||
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
script: |
|
||||||
|
const fs = require('fs');
|
||||||
|
const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}'));
|
||||||
|
core.exportVariable('pr_number', pr_number);
|
||||||
|
|
||||||
|
- name: Repository checkout
|
||||||
|
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|
||||||
- name: Development Freezer
|
- name: Development Freezer
|
||||||
uses: redhat-plumbers-in-action/devel-freezer@1bce2d1d64db1a22f13cd6e4bff0b4f3847236c7
|
uses: redhat-plumbers-in-action/devel-freezer@13b6551f19ade74ca79be4cab06b815a4ffffa64
|
||||||
with:
|
with:
|
||||||
|
pr-number: ${{ env.pr_number }}
|
||||||
token: ${{ secrets.GITHUB_TOKEN }}
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
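Review bot: The PR number read from the artifact in the 'Get Pull Request number' step is attacker-controlled and is used without verification: a fork PR can edit gather-pr-metadata.yml (pull_request runs execute the workflow file from the PR's own ref) and upload a `metadata` artifact naming any PR, so this privileged job would act on a PR the author never opened. The remedy the linked Security Lab article gives is to validate artifact data against the triggering run, e.g. fetch the PR and require `pr.head.sha === context.payload.workflow_run.head_sha` before exporting `pr_number`, and to reject non-integer content instead of passing `NaN` through `${{ env.pr_number }}`. The download step has a related unclear failure mode: `filter(...)[0]` is `undefined` when no `metadata` artifact exists, so `matchArtifact.id` throws a bare TypeError; `if (!matchArtifact) { core.setFailed('metadata artifact not found'); return; }` gives a clearer error. The rewritten step below is a suggested shape; the `head_sha` field name should be confirmed against the workflow_run payload the job actually receives, and a run superseded by a newer push will fail closed, which is the desired behaviour.
```yaml
      - name: 'Get Pull Request number'
        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}', 'utf8').trim());
            if (!Number.isInteger(pr_number) || pr_number <= 0) {
              core.setFailed(`Invalid PR number in artifact: ${pr_number}`);
              return;
            }
            // The artifact came from a run the PR author controls; only trust the number
            // if that PR's head is the commit the triggering workflow_run actually ran on.
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: pr_number,
            });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) {
              core.setFailed(`PR #${pr_number} head ${pr.head.sha} does not match workflow_run head ${context.payload.workflow_run.head_sha}`);
              return;
            }
            core.exportVariable('pr_number', pr_number);
```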
37
.github/workflows/gather-pr-metadata.yml
vendored
Normal file
37
.github/workflows/gather-pr-metadata.yml
vendored
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
name: Gather Pull Request Metadata
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
branches: [ main ]
|
||||||
|
|
||||||
|
env:
|
||||||
|
PULL_REQUEST_METADATA_DIR: pull_request
|
||||||
|
PULL_REQUEST_METADATA_FILE: metadata
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
gather-metadata:
|
||||||
|
if: github.repository == 'systemd/systemd'
|
||||||
|
runs-on: ubuntu-22.04
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Repository checkout
|
||||||
|
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
|
||||||
|
with:
|
||||||
|
fetch-depth: 0
|
||||||
|
|
||||||
|
- name: Store PR number in file
|
||||||
|
run: |
|
||||||
|
mkdir -p ./${{ env.PULL_REQUEST_METADATA_DIR }}
|
||||||
|
echo ${{ github.event.number }} > ./${{ env.PULL_REQUEST_METADATA_DIR }}/${{ env.PULL_REQUEST_METADATA_FILE }}
|
||||||
|
|
||||||
|
- name: Upload Pull Request Metadata artifact
|
||||||
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
|
||||||
|
with:
|
||||||
|
name: ${{ env.PULL_REQUEST_METADATA_FILE }}
|
||||||
|
path: ${{ env.PULL_REQUEST_METADATA_DIR }}
|
||||||
|
retention-days: 1
|
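Review bot: The 'Repository checkout' step with `fetch-depth: 0` is unused — the only step after it writes `github.event.number` to a file — so it adds a full-history clone of the PR ref to every fork PR run for no benefit; the step can be dropped. The rest of the workflow is sound for its purpose: `github.event.number` is an integer, so the `echo` is not a shell-injection vector, the job runs with `contents: read` only, and `retention-days: 1` bounds how long the artifact stays available. Because this file runs from the PR's own ref, the consuming workflow_run job must not trust the artifact beyond treating it as a candidate PR number; a comment above 'Store PR number in file' would make that explicit for future maintainers, e.g. `# NOTE: this runs with the PR's copy of this workflow; the consumer must validate the number.`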