From cdd77759ca038daabbb50c8db5c11ce9906493f6 Mon Sep 17 00:00:00 2001
From: Gamebuster19901
Date: Fri, 6 Jun 2025 00:00:54 -0400
Subject: [PATCH] Fix #17 - GHSA-m6r3-c73x-8fw5
---
 .github/workflows/RebuildApprovedPR.yml | 98 -------------------------
 .github/workflows/ValidateApproval.yaml | 72 +++++++++---------
 .github/workflows/build.yml | 6 +-
 3 files changed, 44 insertions(+), 132 deletions(-)
 delete mode 100644 .github/workflows/RebuildApprovedPR.yml
diff --git a/.github/workflows/RebuildApprovedPR.yml b/.github/workflows/RebuildApprovedPR.yml
deleted file mode 100644
index fb6c882..0000000
--- a/.github/workflows/RebuildApprovedPR.yml
+++ /dev/null
@@ -1,98 +0,0 @@
-name: Rebuild Approved PR
-
-on:
-  issue_comment:
-    types: [created]
-
-jobs:
-  rebuild_approved_pr:
-    runs-on: ubuntu-latest
-    if: >
-      github.event.comment.user.login == 'Gamebuster19901' &&
-      github.event.comment.body == '@WilderForge rebuild' &&
-      github.event.issue.pull_request != null
-    steps:
-      - name: Fetch Approval Workflow Run
-        id: fetch_approval_run
-        run: |
-          # Fetch the pull request details
-          PR_URL=$(jq -r '.pull_request.url' <<< '${{ toJson(github.event.issue) }}')
-          echo "PR URL: $PR_URL"
-
-          PR_DETAILS=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "$PR_URL")
-          # echo "PR Details: $PR_DETAILS" # Debugging: output PR details to see its contents
-
-          PR_NUMBER=$(echo "$PR_DETAILS" | jq -r '.number')
-          echo "PR Number: $PR_NUMBER" # Debugging: output the PR number
-
-          # Get the commit SHA directly from the pull request head object
-          PR_SHA=$(echo "$PR_DETAILS" | jq -r '.head.sha')
-          echo "PR SHA: $PR_SHA" # Debugging: output the PR SHA
-
-          if [ -z "$PR_SHA" ]; then
-            echo "Pull request head commit SHA is null. Exiting."
-            exit 1
-          fi
-
-          # Get the list of workflow runs for the repository
-          WORKFLOWS=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-            "https://api.github.com/repos/${{ github.repository }}/actions/runs")
-          # echo "Workflow Runs: $WORKFLOWS" # Debugging: output workflow runs data
-
-          # Find the latest completed run of the 'Validate Approval' workflow that matches the head SHA
-          APPROVAL_RUN=$(echo "$WORKFLOWS" | jq -r \
-            '.workflow_runs[] | select(.name == "Validate Approval" and .head_sha == "'$PR_SHA'" and .status == "completed") | .id' | head -n 1)
-          echo "Approval Run: $APPROVAL_RUN" # Debugging: output the approval run ID
-
-          if [ -z "$APPROVAL_RUN" ]; then
-            echo "The head of this PR has not been validated. Exiting."
-            exit 1
-          fi
-
-          # Save the approval run ID to environment variable for use in later steps
-          echo "APPROVAL_RUN=$APPROVAL_RUN" >> $GITHUB_ENV
-
-      - name: Check Approval
-        id: check_approval_status
-        run: |
-          # Fetch the details of the approval workflow run using the saved APPROVAL_RUN ID
-          APPROVAL_STATUS=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-            "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ env.APPROVAL_RUN }}")
-
-          CONCLUSION=$(echo "$APPROVAL_STATUS" | jq -r '.conclusion')
-          STATUS=$(echo "$APPROVAL_STATUS" | jq -r '.status')
-
-          echo "Approval Workflow Status: $STATUS" # Debugging: output the workflow status
-          echo "Approval Workflow Conclusion: $CONCLUSION" # Debugging: output the workflow conclusion
-
-          if [[ "$CONCLUSION" != "success" || "$STATUS" != "completed" ]]; then
-            echo "The head of this PR has not been validated. Exiting."
-            exit 1
-          fi
-
-          echo "The head of this PR has been validated."
-
-      - name: Trigger Build Commit Workflow
-        if: success()
-        run: |
-          # Get the source branch of the PR (from the pull_request object)
-          PR_BRANCH="${{ github.event.pull_request.head.ref }}"
-
-          # Define the API endpoint for dispatching the workflow
-          WORKFLOW_URL="https://api.github.com/repos/${{ github.repository }}/actions/workflows/build.yml/dispatches"
-
-          # Trigger the workflow for the branch of the pull request
-          echo "Triggering workflow for branch: $PR_BRANCH"
-          RESPONSE=$(curl -s -w "%{http_code}" -o response.json -X POST \
-            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-            -d '{"ref": "refs/heads/'${PR_BRANCH}'", "inputs": {"sha": "${{ github.event.review.commit_id }}"}}' \
-            "$WORKFLOW_URL")
-
-          # Check if the HTTP status code is 2xx (successful)
-          if [[ "$RESPONSE" -lt 200 || "$RESPONSE" -ge 300 ]]; then
-            echo "Error triggering the workflow: HTTP $RESPONSE"
-            cat response.json
-            exit 1
-          else
-            echo "Successfully triggered the workflow."
-          fi
diff --git a/.github/workflows/ValidateApproval.yaml b/.github/workflows/ValidateApproval.yaml
index 6bed0e5..28ca247 100644
--- a/.github/workflows/ValidateApproval.yaml
+++ b/.github/workflows/ValidateApproval.yaml
@@ -4,6 +4,12 @@ on:
   pull_request_review:
     types: [submitted]
 
+permissions:
+  contents: read
+  pull-requests: write
+  actions: write
+  statuses: write
+
 jobs:
   approve_and_run:
     runs-on: ubuntu-latest
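Review bot: `pull-requests: write` in the new `permissions` block is not exercised by any step visible in this patch — the steps shown dispatch `build.yml` (which is what `actions: write` covers) and post a commit status (`statuses: write`). If the Post Status Check step, whose body is outside these hunks, does not comment on or modify the pull request, the scope can be dropped; otherwise a comment beside it such as `# pull-requests: write — needed by <STEP NAME> to comment on the PR` keeps the least-privilege rationale next to the grant. Since the job is triggered by `pull_request_review`, every scope listed here is handed to each step that a review event reaches, so unused scopes are worth pruning.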
@@ -24,29 +30,24 @@ jobs:
           )
         )
     steps:
-      - name: Checking Approval
+      - name: Handle Approved Review
+        if: |
+          github.event.review.state == 'approved' || startsWith(github.event.review.body, 'approved')
         id: "checking_approval"
         run: |
-          DESC="null"
-          if [[ "${{ github.event.review.state }}" == "approved" || "${{ github.event.review.body }}" == approved* ]]; then
-            DESC="${{ github.event.review.user.login }} APPROVED build for ${{ github.event.review.commit_id }}"
-            echo $DESC
-            echo "conclusion=success" >> "$GITHUB_ENV"
-            echo "description=$DESC" >> "$GITHUB_ENV"
-            exit 0
-          elif [[ "${{ github.event.review.body }}" == reject* ]]; then
-            DESC="${{ github.event.review.user.login }} REJECTED build for ${{ github.event.review.commit_id }}"
-            echo $DESC
-            echo "conclusion=failure" >> "$GITHUB_ENV"
-            echo "description=$DESC" >> "$GITHUB_ENV"
-            exit 1
-          else
-            DESC="Assertion Error: Review body expected start with 'approved' or 'reject'. This step should have been skipped but it ran anyway!"
-            echo $DESC
-            echo "conclusion=failure" >> "$GITHUB_ENV"
-            echo "description=$DESC" >> "$GITHUB_ENV"
-            exit 1
-          fi
+          DESC="${{ github.event.review.user.login }} APPROVED build for ${{ github.event.review.commit_id }}"
+          echo "$DESC"
+          echo "conclusion=success" >> "$GITHUB_ENV"
+          echo "description=$DESC" >> "$GITHUB_ENV"
+
+      - name: Rejected Review Handling
+        if: startsWith(github.event.review.body, 'reject')
+        run: |
+          DESC="${{ github.event.review.user.login }} REJECTED build for ${{ github.event.review.commit_id }}"
+          echo "$DESC"
+          echo "conclusion=failure" >> "$GITHUB_ENV"
+          echo "description=$DESC" >> "$GITHUB_ENV"
+          exit 1
 
       - name: Post Status Check
         if:
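Review bot: The rewritten `Handle Approved Review` and `Rejected Review Handling` steps still expand `${{ github.event.review.user.login }}` and `${{ github.event.review.commit_id }}` directly inside the `run:` script text, while the same commit moves `head.ref` into `env:` in the Trigger Build Commit Workflow step; a login and a commit id are tightly formatted by GitHub, but applying the `env:` pattern here too keeps every event-derived value out of the shell source and makes the two workflows consistent. One behavioural change deserves a comment: the old `if`/`elif` let an `approved` state win, whereas now a review with `state == 'approved'` whose body starts with `reject` runs both steps, so the second overwrites `conclusion` with `failure` and the job fails — fail-closed, which is fine, but undocumented, e.g. `# a 'reject' body deliberately overrides an approved review state`. The Post Status Check step that consumes `conclusion`/`description` is outside this hunk, so I cannot confirm how it handles `conclusion` being unset now that the old assertion branch is gone.
```yaml
      - name: Handle Approved Review
        # … unchanged: if / id …
        env:
          REVIEWER: ${{ github.event.review.user.login }}
          COMMIT_ID: ${{ github.event.review.commit_id }}
        run: |
          DESC="$REVIEWER APPROVED build for $COMMIT_ID"
          # … unchanged: echo and GITHUB_ENV writes …

      - name: Rejected Review Handling
        # … unchanged: if …
        env:
          REVIEWER: ${{ github.event.review.user.login }}
          COMMIT_ID: ${{ github.event.review.commit_id }}
        run: |
          DESC="$REVIEWER REJECTED build for $COMMIT_ID"
          # … unchanged: echo, GITHUB_ENV writes, exit 1 …
```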
@@ -76,23 +77,28 @@ jobs:
 
       - name: Trigger Build Commit Workflow
         if: success()
+        env:
+          PR_BRANCH: ${{ github.event.pull_request.head.ref }}
         run: |
-          # Get the source branch of the PR (from the pull_request object)
-          PR_BRANCH="${{ github.event.pull_request.head.ref }}"
-
+          echo "Triggering workflow for branch: $PR_BRANCH"
+
+          # Construct JSON payload safely using jq
+          JSON_PAYLOAD=$(jq -n --arg ref "refs/heads/$PR_BRANCH" \
+            --arg sha "${{ github.event.review.commit_id }}" \
+            '{ref: $ref, inputs: {sha: $sha}}')
+
           # Define the API endpoint for dispatching the workflow
           WORKFLOW_URL="https://api.github.com/repos/${{ github.repository }}/actions/workflows/build.yml/dispatches"
-
-          # Trigger the workflow for the branch of the pull request
-          echo "Triggering workflow for branch: $PR_BRANCH"
-          RESPONSE=$(curl -s -w "%{http_code}" -o response.json -X POST \
+
+          # Trigger the workflow
+          HTTP_CODE=$(curl -s -o response.json -w "%{http_code}" -X POST \
             -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-            -d '{"ref": "refs/heads/'${PR_BRANCH}'", "inputs": {"sha": "${{ github.event.review.commit_id }}"}}' \
+            -H "Accept: application/vnd.github.v3+json" \
+            -d "$JSON_PAYLOAD" \
             "$WORKFLOW_URL")
-
-          # Check if the HTTP status code is 2xx (successful)
-          if [[ "$RESPONSE" -lt 200 || "$RESPONSE" -ge 300 ]]; then
-            echo "Error triggering the workflow: HTTP $RESPONSE"
+
+          if [[ "$HTTP_CODE" -lt 200 || "$HTTP_CODE" -ge 300 ]]; then
+            echo "Error triggering the workflow: HTTP $HTTP_CODE"
             cat response.json
             exit 1
           else
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f82d89d..1c96de1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,10 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+  statuses: write
+
 jobs:
   build_commit:
     runs-on: [self-hosted, linux]
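Review bot: `--arg sha "${{ github.event.review.commit_id }}"` in the new jq call still splices an event value into the script text, even though the same step now moves `head.ref` into `env:`; for consistency add `COMMIT_SHA: ${{ github.event.review.commit_id }}` under `env:` and pass `--arg sha "$COMMIT_SHA"`. The `else` branch of this `run:` block continues past the end of the hunk. With jq building the payload, `$PR_BRANCH` can no longer break out of the JSON string, but the value still lands in `ref`, which as I read the dispatch API names a branch of this repository rather than the PR head itself — the step's comment could say so, e.g. `# ref must be a branch of this repo; the reviewed commit is passed separately as inputs.sha`.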
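Review bot: The new `permissions` block in build.yml grants `statuses: write` without recording which step needs it; the commit-status POST to `/statuses/${{ env.COMMIT_SHA }}` at the end of `build_commit` (visible in the following hunk) is the consumer, so `# statuses: write — commit-status POST at the end of build_commit` next to the key would keep that rationale with the grant. `build_commit` runs on `[self-hosted, linux]` and is dispatched with a `sha` input from ValidateApproval, so these scopes bound what the token may do but not what the checked-out commit can do on that runner; that is outside this hunk, but a sentence in the workflow header stating the trust assumption (only approved commits reach this runner) would help the next maintainer.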
@@ -95,4 +99,4 @@ jobs:
             \"context\": \"Build Status\",
             \"target_url\": \"$TARGET_URL\"
           }" \
-          "https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.COMMIT_SHA }}"
\ No newline at end of file
+          "https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.COMMIT_SHA }}"