slsa-github-generator/.github/workflows/update-actions-dist-post-commit.yml at main · MyndScript/slsa-github-generator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# Copyright 2023 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# A workflow to run against renovate-bot's PRs,
# such as `make package` after it updates the package.json and package-lock.json files.

# The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact.
# Then a higher-privilege Job applies the diff and pushes the changes to the PR.
# It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes!

# There have been vulnerabilities with using `git apply` https://github.blog/2023-04-25-git-security-vulnerabilities-announced-4/
# At this point a compromised git binary cannot modify any of this repo's branches, only the PR fork's branch,
# due to our branch protection rules and CODEOWNERS.
# It aslso cannot submit a new release or modify exsiting releases due to tag protection rules.

name: Update actions dist post-commit

permissions: {}

on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: "The pull request number."
        required: true
        type: number

jobs:
  diff:
    permissions:
      # This Job executes the PR's untrusted code, so it must how low permissions.
      pull-requests: read
    outputs:
      patch_not_empty: ${{ steps.diff.outputs.patch_not_empty }}
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: ${{ github.repository }}
          persist-credentials: false
      - name: checkout-pr
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ inputs.pr_number }}
        run: gh pr checkout "$PR_NUMBER"
      - name: run-command
        run: |
          find ./ -name "dist" -not -path "*/node_modules/*" -print0 \
            | xargs -0 dirname \
            | xargs -I {} sh -c '(
              echo "Updating {}" && \
              cd {} && \
              make clean \
              && make package
            )'

      - name: diff
        id: diff
        run: |
          git add .
          git status
          git diff HEAD > changes.patch
          [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true
          echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
      - name: upload
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: changes.patch
          path: changes.patch

  push:
    if: needs.diff.outputs.patch_not_empty == 'true'
    needs: diff
    runs-on: ubuntu-latest
    permissions:
      # This Job does not run untrusted code, but it does need to push changes to the PR's branch.
      pull-requests: read
      contents: write
    steps:
      - name: checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: checkout-pr
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ inputs.pr_number }}
        run: gh pr checkout "$PR_NUMBER"
      - name: download-patch
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: changes.patch
      - id: apply
        run: |
          git apply changes.patch
          rm changes.patch
      # example from
      # https://github.com/actions/checkout/blob/cd7d8d697e10461458bc61a30d094dc601a8b017/README.md#push-a-commit-using-the-built-in-token
      - name: push
        run: |
          git config user.name github-actions
          git config user.email github-actions@github.com
          git add .
          git status
          git commit -s -m "update actions dist"
          git push