From 4da91b0666a5be6c9525217188632c9b1f7c75e1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 1 Nov 2022 13:15:49 +0000
Subject: [PATCH 1/2] Bump commons-compress from 1.21 to 1.22
Bumps commons-compress from 1.21 to 1.22.
---
updated-dependencies:
- dependency-name: org.apache.commons:commons-compress
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 engine/build.gradle.kts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/engine/build.gradle.kts b/engine/build.gradle.kts
index 28f8da8d..b9b61bc0 100644
--- a/engine/build.gradle.kts
+++ b/engine/build.gradle.kts
@@ -76,7 +76,7 @@ dependencies {
 implementation("com.squareup.okhttp3:okhttp:4.10.0")
 testImplementation("com.squareup.okhttp3:mockwebserver:4.10.0")
- implementation("org.apache.commons:commons-compress:1.21")
+ implementation("org.apache.commons:commons-compress:1.22")
 testImplementation("org.apache.commons:commons-lang3:3.12.0")
 implementation("de.gesellix:docker-filesocket:2022-10-02T13-21-00")
From 6dfed0d0eda04798002bd0a44dd767d33a0abeed Mon Sep 17 00:00:00 2001
From: Tobias Gesellchen
Date: Sat, 5 Nov 2022 19:20:54 +0100
Subject: [PATCH 2/2] Apply recommended and secure workflow structure
---
 .github/workflows/ci.yml | 9 ++--
 .github/workflows/publish-test-results.yml | 50 ++++++++++++++++++++++
 2 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/publish-test-results.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 37ae7a19..70521d27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,10 +25,11 @@ jobs:
 cache: 'gradle'
 - name: clean build
 run: ./gradlew clean build --no-daemon --info --stacktrace
- - name: Publish Test Report
+ - name: Upload Test Results
+ # see publish-test-results.yml for workflow that publishes test results without security issues for forks
+ uses: actions/upload-artifact@v3
 if: ${{ always() }}
- uses: scacap/action-surefire-report@v1
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- report_paths: '**/build/test-results/test/TEST-*.xml'
+ name: test-results
+ path: '**/build/test-results/test/TEST-*.xml'
...
diff --git a/.github/workflows/publish-test-results.yml b/.github/workflows/publish-test-results.yml
new file mode 100644
index 00000000..0a4cc3fb
--- /dev/null
+++ b/.github/workflows/publish-test-results.yml
@@ -0,0 +1,50 @@
+name: Publish Test results
+
+# WARNING:
+# workflow_run provides read-write repo token and access to secrets.
+# Do *not* merge changes to this file without the proper review.
+# We should only be running trusted code here.
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# Docs: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
+on:
+ workflow_run:
+ workflows:
+ - CI
+ types:
+ - completed
+
+jobs:
+ # Job based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ publish-test-results:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ # Unfortunately, the official actions/download-artifact action is very limited in scope.
+ # Can't use it yet in this context, https://github.com/actions/download-artifact/issues/60
+ - name: Download artifact
+ uses: actions/github-script@v6
+ with:
+ script: |
+ var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{ github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "test-results"
+ })[0];
+ var download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
+ - run: unzip test-results.zip
+ - name: Publish Test Results
+ uses: scacap/action-surefire-report@v1
+ with:
+ commit: ${{ github.event.workflow_run.head_commit.id }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ report_paths: '**/build/test-results/test/TEST-*.xml'
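Review bot: The `if: ${{ github.event.workflow_run.conclusion == 'success' }}` guard on the publish-test-results job means a CI run whose tests fail never gets its report published, even though ci.yml uploads the artifact with `if: always()` so that failing results are available; if that is not intended, widen it to `if: ${{ github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure' }}`. In the github-script step, `matchArtifact` is `undefined` whenever no artifact named `test-results` exists for the run (nothing matched the upload glob, or the upload step did not complete), so `matchArtifact.id` fails with a bare TypeError; a guard such as `if (!matchArtifact) { core.setFailed('no test-results artifact in this run'); return; }` gives a readable failure instead. Because this workflow runs with a read-write token and secrets on artifacts produced by fork PRs (as the WARNING comment notes), the third-party `scacap/action-surefire-report@v1` and `actions/github-script@v6` (and `actions/upload-artifact@v3` in ci.yml) should be pinned to full commit SHAs rather than movable tags, and a top-level `permissions:` block limited to what the report action needs (presumably `checks: write`; confirm against its README) would cap what a compromised step can do with the token. The zip comes from an untrusted run, so extracting it with `unzip -d test-results test-results.zip` keeps any hostile entry names under one directory, and the `**/` report glob still matches there. Minor: `run_id: context.payload.workflow_run.id` reads the same value without template expansion into the script, and `const`/`===` should replace `var`/`==`.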