docker-client · gesellix · Nov 5, 2022 · Nov 1, 2022 · Nov 5, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,10 +25,11 @@ jobs:
           cache: 'gradle'
       - name: clean build
         run: ./gradlew clean build --no-daemon --info --stacktrace
-      - name: Publish Test Report
+      - name: Upload Test Results
+        # see publish-test-results.yml for workflow that publishes test results without security issues for forks
+        uses: actions/upload-artifact@v3
         if: ${{ always() }}
-        uses: scacap/action-surefire-report@v1
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          report_paths: '**/build/test-results/test/TEST-*.xml'
+          name: test-results
+          path: '**/build/test-results/test/TEST-*.xml'
 ...
diff --git a/.github/workflows/publish-test-results.yml b/.github/workflows/publish-test-results.yml
@@ -0,0 +1,50 @@
+name: Publish Test results
+
+# WARNING:
+# workflow_run provides read-write repo token and access to secrets.
+# Do *not* merge changes to this file without the proper review.
+# We should only be running trusted code here.
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# Docs: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
+on:
+  workflow_run:
+    workflows:
+      - CI
+    types:
+      - completed
+
+jobs:
+  # Job based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  publish-test-results:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      # Unfortunately, the official actions/download-artifact action is very limited in scope.
+      # Can't use it yet in this context, https://github.com/actions/download-artifact/issues/60
+      - name: Download artifact
+        uses: actions/github-script@v6
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{ github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "test-results"
+            })[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
+      - run: unzip test-results.zip
+      - name: Publish Test Results
+        uses: scacap/action-surefire-report@v1
+        with:
+          commit: ${{ github.event.workflow_run.head_commit.id }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          report_paths: '**/build/test-results/test/TEST-*.xml'
diff --git a/engine/build.gradle.kts b/engine/build.gradle.kts
@@ -76,7 +76,7 @@ dependencies {
   implementation("com.squareup.okhttp3:okhttp:4.10.0")
   testImplementation("com.squareup.okhttp3:mockwebserver:4.10.0")
 
-  implementation("org.apache.commons:commons-compress:1.21")
+  implementation("org.apache.commons:commons-compress:1.22")
   testImplementation("org.apache.commons:commons-lang3:3.12.0")
 
   implementation("de.gesellix:docker-filesocket:2022-10-02T13-21-00")