particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-forge-composer/.github/workflows/trigger-gitlab.yml
Ondřej Budai 3561202acc github: prevent script injections via PR branch names 
Prior this commit, ${{ github.event.workflow_run.head_branch }} got
expanded in the bash script. A malicious actor could inject
an arbitrary shell script. Since this action has access to a token
with write rights the malicious actor can easily steal this token.

This commit moves the expansion into an env block where such an
injection cannot happen. This is the preferred way according to the
github docs:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
2024-12-05 18:13:17 +01:00

109 lines
3.9 KiB
YAML
Raw Blame History

# inspired by rhinstaller/anaconda
name: Trigger GitLab CI
on:
workflow_run:
workflows: ["Tests"]
types: [completed]
jobs:
trigger-gitlab:
if: ${{ github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-latest
env:
IMAGEBUILDER_BOT_GITLAB_SSH_KEY: ${{ secrets.IMAGEBUILDER_BOT_GITLAB_SSH_KEY }}
GITLAB_TOKEN: ${{ secrets.IMAGEBUILDER_BOT_GITLAB_PIPELINE_TRIGGER_TOKEN }}
steps:
- name: Report status
uses: haya14busa/action-workflow_run-status@v1
- name: Install Dependencies
run: |
sudo apt install -y jq
- name: Clone repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.workflow_run.head_sha }}
fetch-depth: 0
- uses: octokit/request-action@v2.x
id: fetch_pulls
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
route: GET /repos/${{ github.repository }}/pulls
per_page: 100
- name: Checkout branch
id: pr_data
env:
BRANCH: ${{ github.event.workflow_run.head_branch }}
run: |
PR_DATA=$(mktemp)
# use uuid as a file terminator to avoid conflicts with data content
cat > "$PR_DATA" <<'a21b3e7f-d5eb-44a3-8be0-c2412851d2e6'
${{ steps.fetch_pulls.outputs.data }}
a21b3e7f-d5eb-44a3-8be0-c2412851d2e6
PR=$(jq -rc '.[] | select(.head.sha | contains("${{ github.event.workflow_run.head_sha }}")) | select(.state | contains("open"))' "$PR_DATA" | jq -r .number)
if [ ! -z "$PR" ]; then
echo "pr_branch=PR-$PR" >> "$GITHUB_OUTPUT"
git checkout -b PR-$PR
else
git checkout "${BRANCH}"
fi
- name: Download artifacts
uses: actions/github-script@v7
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "PR_STATUS"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/PR_STATUS.zip`, Buffer.from(download.data));
- name: Unzip artifact
run: unzip PR_STATUS.zip
- name: Push to gitlab
run: |
mkdir -p ~/.ssh
echo "${IMAGEBUILDER_BOT_GITLAB_SSH_KEY}" > ~/.ssh/id_rsa
chmod 400 ~/.ssh/id_rsa
touch ~/.ssh/known_hosts
ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
git remote add ci git@gitlab.com:redhat/services/products/image-builder/ci/osbuild-composer.git
SKIP_CI=$(cat SKIP_CI.txt)
if [[ "${SKIP_CI}" == true ]];then
git push -f -o ci.variable="SKIP_CI=true" ci
else
git push -f ci
fi
- name: Trigger GitLab nightly pipeline against this PR
if: env.GITLAB_TOKEN && steps.pr_data.outputs.pr_branch
run: |
# osbuild-composer
PROJECT_ID=34771166
# Simulate a nightly CI pipeline against this PR
curl --request POST --fail --form "token=$GITLAB_TOKEN" \
--form ref=${{ steps.pr_data.outputs.pr_branch }} \
--form "variables[CI_PIPELINE_SOURCE]=schedule" \
--form "variables[NIGHTLY]=true" \
--form "variables[RHEL_MAJOR]=9" \
"https://gitlab.com/api/v4/projects/$PROJECT_ID/trigger/pipeline"
Reference in a new issue View git blame Copy permalink