From 61a492241d84414bc5215e19b74d6730a5d51fba Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 10:58:38 +0200
Subject: [PATCH 1/5] chore: dummy for PR test
---
 .github/workflows/on_opened_pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 4e74530f8c5..64b9a8897a6 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: "Debug workflow_run event"
- run: echo ${{ toJSON(github.event) }}
+ run: echo "${{ toJSON(github.event) }}"
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env:
From b44b462e7d45c53cdc5925a43f372888f58a373d Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 11:05:24 +0200
Subject: [PATCH 2/5] chore: print full event depth
---
 .github/workflows/on_opened_pr.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 64b9a8897a6..15cf5db0d92 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -20,7 +20,9 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: "Debug workflow_run event"
- run: echo "${{ toJSON(github.event) }}"
+ env:
+ event_payload: ${{ toJSON(github.event) }}
+ run: echo $event_payload
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env:
From fd3fc0f6753ccad6e0768e85c55e84d96cbd5d84 Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 11:10:54 +0200
Subject: [PATCH 3/5] chore: print full workflow event depth
---
 .github/workflows/on_opened_pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 15cf5db0d92..b2b0950537e 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
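Review bot: The `run: echo "${{ toJSON(github.event) }}"` line still expands the event JSON into the shell command text before bash parses it, and the added double quotes do not change that — on a workflow_run trigger the event carries fields such as the head branch name and head commit message that a fork contributor controls, so a quote or shell metacharacter in them alters the command instead of being printed. The documented mitigation is to bind the expression to an environment variable and let the shell read it, `env:` with `event_payload: ${{ toJSON(github.event) }}` and then `run: echo "$event_payload"`, which is what patch 2/5 in this series goes on to do. The inline form returns in the on_opened_pr.yml hunk of patch 4/5 (`run: echo "${{ github }}"`), where the same remark applies. The step belongs to a job whose definition begins before the hunk.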
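Review bot: `run: echo $event_payload` leaves the expansion unquoted, so bash word-splits and glob-expands the JSON before echo sees it (an unquoted `*` in the payload, for instance, is matched against files in the workspace), which makes the debug output unreliable; quote it, `run: echo "$event_payload"`. Moving the expression into `env:` rather than expanding it inside the command is the right approach for untrusted event data and should be kept. The job definition begins before the hunk.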
@@ -21,7 +21,7 @@ jobs:
 - uses: actions/checkout@v3
 - name: "Debug workflow_run event"
 env:
- event_payload: ${{ toJSON(github.event) }}
+ event_payload: ${{ toJSON(github) }}
 run: echo $event_payload
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
From 2de2bac3f3285393498a990e98b6f94f74e1fd65 Mon Sep 17 00:00:00 2001
From: heitorlessa
Date: Fri, 22 Jul 2022 11:29:48 +0200
Subject: [PATCH 4/5] chore: debug full event
---
 .github/scripts/enforce_acknowledgment.js | 40 +++++++++++++++++++++++
 .github/workflows/on_opened_pr.yml | 4 +--
 2 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 .github/scripts/enforce_acknowledgment.js
diff --git a/.github/scripts/enforce_acknowledgment.js b/.github/scripts/enforce_acknowledgment.js
new file mode 100644
index 00000000000..3e3be636ede
--- /dev/null
+++ b/.github/scripts/enforce_acknowledgment.js
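Review bot: `event_payload: ${{ toJSON(github) }}` widens the serialised data from the event payload to the whole github context, which per the contexts reference also includes `github.token`; the runner masks that value in the log, but the full context, token included, now sits in the step's environment, and a debug step has no need for it. If the aim is to see the workflow_run event at full depth, `toJSON(github.event)` from the previous patch already does that; otherwise mark the step as temporary, e.g. `# TODO: remove once the workflow_run payload is understood`. The job definition begins before the hunk.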
@@ -0,0 +1,40 @@
+const {
+PR_ACTION,
+PR_AUTHOR,
+PR_BODY,
+PR_NUMBER,
+IGNORE_AUTHORS,
+LABEL_BLOCK,
+LABEL_BLOCK_REASON
+} = require("./constants")
+
+module.exports = async ({github, context, core}) => {
+ if (IGNORE_AUTHORS.includes(PR_AUTHOR)) {
+ return core.notice("Author in IGNORE_AUTHORS list; skipping...")
+ }
+
+ if (PR_ACTION != "opened") {
+ return core.notice("Only newly open PRs are labelled to avoid spam; skipping")
+ }
+
+ const RELATED_ISSUE_REGEX = /Issue number:[^\d\r\n]+(?\d+)/;
+ const isMatch = RELATED_ISSUE_REGEX.exec(PR_BODY);
+ if (isMatch == null) {
+ core.info(`No related issue found, maybe the author didn't use the template but there is one.`)
+
+ let msg = "No related issues found. Please ensure there is an open issue related to this change to avoid significant delays or closure.";
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: msg,
+ issue_number: PR_NUMBER,
+ });
+
+ return await github.rest.issues.addLabels({
+ issue_number: PR_NUMBER,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: [LABEL_BLOCK, LABEL_BLOCK_REASON]
+ })
+ }
+}
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index b2b0950537e..385bdfffa85 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -20,9 +20,7 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: "Debug workflow_run event"
- env:
- event_payload: ${{ toJSON(github) }}
- run: echo $event_payload
+ run: echo "${{ github }}"
 - name: "Ensure related issue is present"
 uses: actions/github-script@v6
 env:
From 879fcbe8c4e23f12dee0c3047f06b15992ecabe2 Mon Sep 17 00:00:00 2001
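Review bot: The match from `RELATED_ISSUE_REGEX.exec(PR_BODY)` is only tested for null and never read, so the script checks that the body has a number after "Issue number:", not that such an issue exists or is open, even though the comment it posts asks the author for an open issue; if that is the intended guarantee, resolve the captured number with `github.rest.issues.get` and treat a not-found or closed result like a missing reference. As rendered, the group `(?\d+)` is not valid regex syntax — it reads like a named group whose `<name>` was lost in extraction, which is worth confirming against the committed file. Prefer strict comparison for the action string, `if (PR_ACTION !== "opened") {`, and a header comment stating the contract, e.g. `// Labels newly opened PRs whose body does not reference an issue number; returns early for ignored authors and non-"opened" actions.`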
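Review bot: `run: echo "${{ github }}"` interpolates the github context object itself rather than a serialisation of it; in my experience an object in string position renders as the word `Object`, so this debug step would no longer print the fields the commit message says it wants, whereas `toJSON(github.event)` bound through `env:` does. Removing the `env:` indirection also puts event data back into the command text, the pattern patch 1/5 of this series started with. The job definition begins before the hunk.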
From: heitorlessa
Date: Fri, 22 Jul 2022 12:38:37 +0200
Subject: [PATCH 5/5] chore(ci): experiment hardening origin
---
 .github/workflows/label_pr_on_title.yml | 1 +
 .github/workflows/on_merged_pr.yml | 1 +
 .github/workflows/on_opened_pr.yml | 2 ++
 .github/workflows/reusable_export_pr_details.yml | 6 ++++++
 4 files changed, 10 insertions(+)
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 562959bb516..3815a49e9bd 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -14,6 +14,7 @@ jobs:
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
 record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+ workflow_origin: ${{ github.event.repository.full_name }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 label_pr:
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
index 3f1bcb57237..cd97e1c306e 100644
--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
@@ -12,6 +12,7 @@ jobs:
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
 record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+ workflow_origin: ${{ github.event.repository.full_name }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 release_label_on_merge:
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 385bdfffa85..39bdf612c7f 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -10,8 +10,10 @@ jobs:
 get_pr_details:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 uses: ./.github/workflows/reusable_export_pr_details.yml
+ env:
 with:
 record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+ workflow_origin: ${{ github.event.repository.full_name }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 check_related_issue:
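Review bot: `workflow_origin: ${{ github.event.repository.full_name }}` does not identify where the triggering run came from — in a workflow_run event `repository` is the repository this workflow runs in, so the value is the same for every invocation and is also what the reusable workflow can read from its own `github.repository` context without an input. If the intent is to tell fork-originated runs apart, the payload's `workflow_run.head_repository.full_name` is the field that names the head repository, and a comment above the line should say which repository the input is meant to carry. The identical line is added in the on_merged_pr.yml and on_opened_pr.yml hunks of this patch. The calling job's definition begins before each hunk.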
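Review bot: The added `env:` under `get_pr_details` has no value, so YAML reads it as `env: null`, and `env` is not one of the keys accepted on a job that calls a reusable workflow through `uses:`, so the workflow will most likely be rejected at parse time; drop the line. If the intent was to pass environment to the called workflow, it has to travel as a `with:` input, since a caller's `env` does not propagate into a reusable workflow. The job definition begins before the hunk.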
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index dcbb959a4ea..dce5017c085 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -6,6 +6,11 @@ on:
 record_pr_workflow_id:
 required: true
 type: number
+ # this protects from anyone mimicking "Record PR details" dependency
+ # regardless of our untrusted input validation
+ workflow_origin:
+ required: true
+ type: string
 secrets:
 token:
 required: true
@@ -32,6 +37,7 @@ on:
 jobs:
 export_pr_details:
+ if: inputs.workflow_origin == "bla/bla"
 runs-on: ubuntu-latest
 env:
 FILENAME: pr.txt
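Review bot: The comment `# this protects from anyone mimicking "Record PR details" dependency` overstates what a `required: true` input can do: `workflow_origin` is whatever the calling workflow puts in `with:`, so the `if: inputs.workflow_origin == ...` guard in the following hunk compares a caller-chosen string, not the caller's identity, and does not distinguish one caller from another. Inside a reusable workflow the `github.repository` context already names the calling repository and cannot be set from `with:`, so a guard that reads it directly would be the non-spoofable form; the comment should then describe that check rather than the input. Separately, that `if:` wraps `"bla/bla"` in double quotes, and expression string literals must be single-quoted — `if: inputs.workflow_origin == 'bla/bla'` — or the workflow fails to parse; the closing lines of that second hunk fall outside this chunk.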