chore: port security improvements from vite-ecosystem-ci trigger workflow in vite repo (#16902)

Dominik G. 4 days ago committed by GitHub
parent acdd93053d
commit fc39f2ed0d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -11,14 +11,13 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'sveltejs/svelte' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run') if: github.repository == 'sveltejs/svelte' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
permissions: permissions:
issues: write # to add / delete reactions issues: write # to add / delete reactions, post comments
pull-requests: write # to read PR data, and to add labels pull-requests: write # to read PR data, and to add labels
actions: read # to check workflow status actions: read # to check workflow status
contents: read # to clone the repo contents: read # to clone the repo
steps: steps:
- name: monitor action permissions - name: Check User Permissions
- name: check user authorization # user needs triage permission uses: actions/github-script@v8
uses: actions/github-script@v7
id: check-permissions id: check-permissions
with: with:
script: | script: |
@ -57,7 +56,7 @@ jobs:
} }
- name: Get PR Data - name: Get PR Data
uses: actions/github-script@v7 uses: actions/github-script@v8
id: get-pr-data id: get-pr-data
with: with:
script: | script: |
@ -67,6 +66,37 @@ jobs:
repo: context.repo.repo, repo: context.repo.repo,
pull_number: context.issue.number pull_number: context.issue.number
}) })
const commentCreatedAt = new Date(context.payload.comment.created_at)
const commitPushedAt = new Date(pr.head.repo.pushed_at)
console.log(`Comment created at: ${commentCreatedAt.toISOString()}`)
console.log(`PR last pushed at: ${commitPushedAt.toISOString()}`)
// Check if any commits were pushed after the comment was created
if (commitPushedAt > commentCreatedAt) {
const errorMsg = [
'⚠️ Security warning: PR was updated after the trigger command was posted.',
'',
`Comment posted at: ${commentCreatedAt.toISOString()}`,
`PR last pushed at: ${commitPushedAt.toISOString()}`,
'',
'This could indicate an attempt to inject code after approval.',
'Please review the latest changes and re-run /ecosystem-ci run if they are acceptable.'
].join('\n')
core.setFailed(errorMsg)
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: errorMsg
})
throw new Error('PR was pushed to after comment was created')
}
return { return {
num: context.issue.number, num: context.issue.number,
branchName: pr.head.ref, branchName: pr.head.ref,
@ -85,15 +115,16 @@ jobs:
svelte-ecosystem-ci svelte-ecosystem-ci
- name: Trigger Downstream Workflow - name: Trigger Downstream Workflow
uses: actions/github-script@v7 uses: actions/github-script@v8
id: trigger id: trigger
env: env:
COMMENT: ${{ github.event.comment.body }} COMMENT: ${{ github.event.comment.body }}
PR_DATA: ${{ steps.get-pr-data.outputs.result }}
with: with:
github-token: ${{ steps.generate-token.outputs.token }} github-token: ${{ steps.generate-token.outputs.token }}
script: | script: |
const comment = process.env.COMMENT.trim() const comment = process.env.COMMENT.trim()
const prData = ${{ steps.get-pr-data.outputs.result }} const prData = JSON.parse(process.env.PR_DATA)
const suite = comment.split('\n')[0].replace(/^\/ecosystem-ci run/, '').trim() const suite = comment.split('\n')[0].replace(/^\/ecosystem-ci run/, '').trim()
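Review bot: The new pushed-at check in "Get PR Data" is point-in-time, but the trigger step still hands the downstream workflow `branchName: pr.head.ref`, so a commit pushed between this step and the downstream checkout of that branch is not caught; the returned object continues past the hunk, so if the head SHA is not already part of it, add `headSha: pr.head.sha,` and have the downstream run check out that SHA rather than the branch. Note also that `pr.head.repo` is null when the fork has been deleted, so `new Date(pr.head.repo.pushed_at)` throws a TypeError that reads as a generic failure instead of the intended security message; fail closed explicitly with `const pushedAt = pr.head.repo?.pushed_at` and `if (!pushedAt) core.setFailed('Head repository is unavailable; refusing to run')`. Since `pushed_at` is repository-wide, a push to any branch of the fork after the comment also trips the check, which is fail-safe but worth stating in the warning text so triagers are not misled into thinking the PR branch itself changed.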
