b3123a1c19
Prior this commit, ${{ github.event.workflow_run.head_branch }} got
expanded in the bash script. A malicious actor could inject
an arbitrary shell script. Since this action has access to a token
with write rights the malicious actor can easily steal this token.
This commit moves the expansion into an env block where such an
injection cannot happen. This is the preferred way according to the
github docs:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
63 lines
2 KiB
YAML
63 lines
2 KiB
YAML
# inspired by rhinstaller/anaconda
|
|
|
|
name: Trigger GitLab CI
|
|
|
|
on:
|
|
workflow_run:
|
|
workflows: ["Checks"]
|
|
types: [completed]
|
|
|
|
jobs:
|
|
trigger-gitlab:
|
|
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
IMAGEBUILDER_BOT_GITLAB_SSH_KEY: ${{ secrets.IMAGEBUILDER_BOT_GITLAB_SSH_KEY }}
|
|
steps:
|
|
- name: Report status
|
|
uses: haya14busa/action-workflow_run-status@v1
|
|
|
|
- name: Install Dependencies
|
|
run: |
|
|
sudo apt install -y jq
|
|
|
|
- name: Clone repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.event.workflow_run.head_sha }}
|
|
fetch-depth: 0
|
|
|
|
- uses: octokit/request-action@v2.x
|
|
id: fetch_pulls
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
route: GET /repos/${{ github.repository }}/pulls
|
|
|
|
- name: Checkout branch
|
|
env:
|
|
BRANCH: ${{ github.event.workflow_run.head_branch }}
|
|
run: |
|
|
PR_DATA=$(mktemp)
|
|
# use uuid as a file terminator to avoid conflicts with data content
|
|
cat > "$PR_DATA" <<'a21b3e7f-d5eb-44a3-8be0-c2412851d2e6'
|
|
${{ steps.fetch_pulls.outputs.data }}
|
|
a21b3e7f-d5eb-44a3-8be0-c2412851d2e6
|
|
|
|
PR=$(jq -rc '.[] | select(.head.sha | contains("${{ github.event.workflow_run.head_sha }}")) | select(.state | contains("open"))' "$PR_DATA" | jq -r .number)
|
|
if [ ! -z "$PR" ]; then
|
|
git checkout -b PR-$PR
|
|
else
|
|
git checkout "${BRANCH}"
|
|
fi
|
|
|
|
- name: Push to gitlab
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${IMAGEBUILDER_BOT_GITLAB_SSH_KEY}" > ~/.ssh/id_rsa
|
|
chmod 400 ~/.ssh/id_rsa
|
|
touch ~/.ssh/known_hosts
|
|
ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
|
|
git remote add ci git@gitlab.com:redhat/services/products/image-builder/ci/osbuild.git
|
|
git push -f ci
|
|
git push -f --tags ci
|