|
|
|
|
@ -11,14 +11,13 @@ jobs:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
if: github.repository == 'sveltejs/svelte' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
|
|
|
|
|
permissions:
|
|
|
|
|
issues: write # to add / delete reactions
|
|
|
|
|
issues: write # to add / delete reactions, post comments
|
|
|
|
|
pull-requests: write # to read PR data, and to add labels
|
|
|
|
|
actions: read # to check workflow status
|
|
|
|
|
contents: read # to clone the repo
|
|
|
|
|
steps:
|
|
|
|
|
- name: monitor action permissions
|
|
|
|
|
- name: check user authorization # user needs triage permission
|
|
|
|
|
uses: actions/github-script@v7
|
|
|
|
|
- name: Check User Permissions
|
|
|
|
|
uses: actions/github-script@v8
|
|
|
|
|
id: check-permissions
|
|
|
|
|
with:
|
|
|
|
|
script: |
|
|
|
|
|
@ -57,7 +56,7 @@ jobs:
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- name: Get PR Data
|
|
|
|
|
uses: actions/github-script@v7
|
|
|
|
|
uses: actions/github-script@v8
|
|
|
|
|
id: get-pr-data
|
|
|
|
|
with:
|
|
|
|
|
script: |
|
|
|
|
|
@ -67,6 +66,37 @@ jobs:
|
|
|
|
|
repo: context.repo.repo,
|
|
|
|
|
pull_number: context.issue.number
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
const commentCreatedAt = new Date(context.payload.comment.created_at)
|
|
|
|
|
const commitPushedAt = new Date(pr.head.repo.pushed_at)
|
|
|
|
|
|
|
|
|
|
console.log(`Comment created at: ${commentCreatedAt.toISOString()}`)
|
|
|
|
|
console.log(`PR last pushed at: ${commitPushedAt.toISOString()}`)
|
|
|
|
|
|
|
|
|
|
// Check if any commits were pushed after the comment was created
|
|
|
|
|
if (commitPushedAt > commentCreatedAt) {
|
|
|
|
|
const errorMsg = [
|
|
|
|
|
'⚠️ Security warning: PR was updated after the trigger command was posted.',
|
|
|
|
|
'',
|
|
|
|
|
`Comment posted at: ${commentCreatedAt.toISOString()}`,
|
|
|
|
|
`PR last pushed at: ${commitPushedAt.toISOString()}`,
|
|
|
|
|
'',
|
|
|
|
|
'This could indicate an attempt to inject code after approval.',
|
|
|
|
|
'Please review the latest changes and re-run /ecosystem-ci run if they are acceptable.'
|
|
|
|
|
].join('\n')
|
|
|
|
|
|
|
|
|
|
core.setFailed(errorMsg)
|
|
|
|
|
|
|
|
|
|
await github.rest.issues.createComment({
|
|
|
|
|
owner: context.repo.owner,
|
|
|
|
|
repo: context.repo.repo,
|
|
|
|
|
issue_number: context.issue.number,
|
|
|
|
|
body: errorMsg
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
throw new Error('PR was pushed to after comment was created')
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return {
|
|
|
|
|
num: context.issue.number,
|
|
|
|
|
branchName: pr.head.ref,
|
|
|
|
|
@ -85,15 +115,16 @@ jobs:
|
|
|
|
|
svelte-ecosystem-ci
|
|
|
|
|
|
|
|
|
|
- name: Trigger Downstream Workflow
|
|
|
|
|
uses: actions/github-script@v7
|
|
|
|
|
uses: actions/github-script@v8
|
|
|
|
|
id: trigger
|
|
|
|
|
env:
|
|
|
|
|
COMMENT: ${{ github.event.comment.body }}
|
|
|
|
|
PR_DATA: ${{ steps.get-pr-data.outputs.result }}
|
|
|
|
|
with:
|
|
|
|
|
github-token: ${{ steps.generate-token.outputs.token }}
|
|
|
|
|
script: |
|
|
|
|
|
const comment = process.env.COMMENT.trim()
|
|
|
|
|
const prData = ${{ steps.get-pr-data.outputs.result }}
|
|
|
|
|
const prData = JSON.parse(process.env.PR_DATA)
|
|
|
|
|
|
|
|
|
|
const suite = comment.split('\n')[0].replace(/^\/ecosystem-ci run/, '').trim()
|
|
|
|
|
|
|
|
|
|
|
Dominik G.
4 weeks ago
committed by
GitHub