forked from quarkusio/quarkus
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix two workflow issues in preview.yml
Fixes: - GHSL-2024-124 - GHSL-2024-125 The way the preview workflow was designed, you could potentially have injected code executed with the permissions of the preview.yml workflow. These issues were discovered and reported by the GitHub Sercurity Lab team in the person of Alvaro Muñoz (@pwntester).
- Loading branch information
Showing
1 changed file
with
29 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,42 +6,62 @@ on: | |
| types: | ||
| - completed | ||
|
|
||
| defaults: | ||
| run: | ||
| shell: bash | ||
|
|
||
| jobs: | ||
| preview: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: read | ||
| # this should be enough to maintain comments as commenting on pull requests is done through an issues API | ||
| issues: write | ||
| if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| repository: quarkusio/quarkusio.github.io | ||
| fetch-depth: 5000 | ||
| fetch-tags: false | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| repository: quarkusio/quarkus | ||
| path: quarkus-main | ||
|
|
||
| - name: Install git-restore-time | ||
| run: sudo apt-get install -y git-restore-mtime | ||
|
|
||
| - name: Restore mtime | ||
| run: git restore-mtime | ||
|
|
||
| # There is a weird issue with download-artifact@v4 | ||
| # keeping the external action for now | ||
| - name: Download PR Artifact | ||
| uses: dawidd6/action-download-artifact@v3 | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| workflow: ${{ github.event.workflow_run.workflow_id }} | ||
| workflow_conclusion: success | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
| name: documentation | ||
| path: documentation-temp | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Store PR id as variable | ||
| id: pr | ||
| run: | | ||
| echo "id=$(<documentation-temp/pr-id.txt)" >> $GITHUB_OUTPUT | ||
| pr=$(<documentation-temp/pr-id.txt) | ||
| if ! [[ $pr =~ ^[0-9]+$ ]] ; then | ||
| echo "PR id extracted from documentation-temp/pr-id.txt is not a number: $pr" | ||
| exit 1 | ||
| fi | ||
| echo "id=${pr}" >> $GITHUB_OUTPUT | ||
| - name: Sync documentation | ||
| shell: bash | ||
| # make sure we override the script coming from the artifact with the version from the main repository | ||
| run: | | ||
| rm ./documentation-temp/docs/sync-web-site.sh | ||
| cp -a ./quarkus-main/docs/sync-web-site.sh ./documentation-temp/docs/ | ||
| chmod 755 ./documentation-temp/docs/sync-web-site.sh | ||
| ./documentation-temp/docs/sync-web-site.sh main ../../ | ||
| rm -rf documentation-temp | ||
| rm -rf quarkus-main | ||
| - name: Set up ruby | ||
| uses: ruby/setup-ruby@v1 | ||
| with: | ||
|
|
@@ -94,7 +114,9 @@ jobs: | |
| - name: Publishing to surge for preview | ||
| id: deploy | ||
| run: npx surge ./_site --domain https://quarkus-pr-main-${{ steps.pr.outputs.id }}-preview.surge.sh --token ${{ secrets.SURGE_TOKEN }} | ||
| run: npx surge ./_site --domain https://quarkus-pr-main-${PR_ID}-preview.surge.sh --token ${{ secrets.SURGE_TOKEN }} | ||
| env: | ||
| PR_ID: ${{ steps.pr.outputs.id }} | ||
| - name: Update PR status comment on success | ||
| uses: actions-cool/[email protected] | ||
| with: | ||
|
|
||