From 6cd71a3f1eec098d0de61bf9bb742737cb3aa5fa Mon Sep 17 00:00:00 2001
From: Henning Becker <43133967+beckerhe@users.noreply.github.com>
Date: Mon, 22 May 2023 13:34:24 +0200
Subject: [PATCH] Remove Report Workflows (#4830)
There is a chance that these workflows allow an attacker to write to the repo without going through a proper review workflows. The chance is slim since to run malicious code a review is required in the first place. Nevertheless we remove the problematic workflows in this PR.
---
 .github/workflows/iwyu.yml | 180 --------------------
 .github/workflows/report-build-and-test.yml | 55 +-----
 .github/workflows/report-checks.yml | 95 +---------
 3 files changed, 2 insertions(+), 328 deletions(-)
 delete mode 100644 .github/workflows/iwyu.yml
diff --git a/.github/workflows/iwyu.yml b/.github/workflows/iwyu.yml
deleted file mode 100644
index 029b2955ce8..00000000000
--- a/.github/workflows/iwyu.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-# Copyright (c) 2022 The Orbit Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-name: include-what-you-use
-on:
- push:
- branches:
- - 'main'
- paths:
- - 'src/**'
-
-permissions: read-all
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
- cancel-in-progress: true
-
-jobs:
- iwyu:
- permissions:
- contents: write
- pull-requests: write
- runs-on: ubuntu-22.04
- timeout-minutes: 180
- steps:
- - name: Checkout Orbit
- uses: actions/checkout@v3
- with:
- fetch-depth: '0'
- token: '${{ secrets.ORBITPROFILER_BOT_PAT }}'
- path: orbit
- - name: Setup git
- working-directory: ./orbit
- run: |
- git config user.name orbitprofiler-bot
- git config user.email orbitprofiler-bot@google.com
- - name: Check IWYU PR already open
- id: check_has_open_iwyu_pr
- uses: actions/github-script@v6
- with:
- github-token: '${{ secrets.ORBITPROFILER_BOT_PAT }}'
- script: |
- const {repo, owner} = context.repo;
- const openPrs = await github.paginate(
- 'GET /repos/{owner}/{repo}/pulls{?state,head,base,sort,direction,per_page,page}',
- {
- owner: owner,
- repo: repo,
- state: 'open'
- });
- const hasOpenIwyuPr = openPrs.some(
- pr => pr.title === 'Automatically apply IWYU to the codebase'
- && pr.user.login === 'orbitprofiler-bot');
- core.setOutput('has_open_iwyu_pr', hasOpenIwyuPr);
- - name: Add llvm-15 repo
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- run: |
- sudo bash -c 'echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-15 main" >> /etc/apt/sources.list'
- wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|sudo apt-key add -
- - name: Install dependencies
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- run: |
- sudo apt-get update && \
- sudo apt-get install --yes --no-install-recommends \
- build-essential \
- cmake \
- ccache \
- libboost-dev \
- libcapstone-dev \
- 
libgrpc++-dev \
- libssh2-1-dev \
- vulkan-validationlayers-dev \
- libz-dev \
- llvm-dev \
- protobuf-compiler-grpc \
- pkg-config \
- libvulkan-volk-dev \
- libvulkan-dev \
- libopengl-dev \
- libglx-dev \
- mesa-common-dev \
- qtbase5-dev \
- libgtest-dev \
- libgmock-dev \
- git \
- ninja-build \
- clang-format-14 \
- llvm-15-dev \
- libclang-15-dev \
- clang-15 \
- patchutils \
- libprotobuf-dev
- - name: Checkout IWYU
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- uses: actions/checkout@v3
- with:
- repository: include-what-you-use/include-what-you-use
- ref: 7f0b6c304acf69c42bb7f6e03c63f836924cb7e0 # clang_15 @ Nov 2, 2022
- path: iwyu
- - run: mkdir build
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./iwyu
- - name: Configure IWYU
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./iwyu/build
- run: |
- cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=/usr/lib/llvm-15 -DCMAKE_INSTALL_PREFIX=/usr "${GITHUB_WORKSPACE}/iwyu"
- - name: Build and install IWYU
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./iwyu/build
- run: sudo cmake --build "${GITHUB_WORKSPACE}/iwyu/build" --target install
- - run: mkdir build
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./orbit
- - name: CMake Configure
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./orbit/build
- run: |
- cmake -DCMAKE_BUILD_TYPE=Release \
- -DCMAKE_CXX_FLAGS="-march=sandybridge -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer" \
- "${GITHUB_WORKSPACE}/orbit"
- - name: CMake Build
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./orbit/build
- run: cmake --build . 
--target iwyu
- - name: Export branch name
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- run: |
- export IWYU_CLEANUP_BRANCH="cleanup/iwyu-${GITHUB_SHA}"
- echo "IWYU_CLEANUP_BRANCH=${IWYU_CLEANUP_BRANCH}" >> $GITHUB_ENV
- - run: cat orbit/build/include-what-you-use.log
- - run: cat orbit/build/iwyu_unformatted.diff
- - run: cat orbit/build/iwyu.diff
- - name: Try to apply changes
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./orbit
- run: |
- git checkout -b ${{ env.IWYU_CLEANUP_BRANCH }}
- git update-index --refresh
- git apply --index --allow-empty build/iwyu.diff
- - name: Check for changes
- if: steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./orbit
- id: check_changes
- run: |
- if git diff --cached --exit-code >/dev/null; then
- echo "has_changes=false" >> $GITHUB_OUTPUT
- else
- echo "has_changes=true" >> $GITHUB_OUTPUT
- fi
- - name: Apply and push changes
- if: steps.check_changes.outputs.has_changes == 'true' &&
- steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- working-directory: ./orbit
- run: |
- git commit --message="Automatically apply IWYU to the codebase"
- git push --set-upstream origin ${{ env.IWYU_CLEANUP_BRANCH }}
- - name: Create Pull Request
- if: steps.check_changes.outputs.has_changes == 'true' &&
- steps.check_has_open_iwyu_pr.outputs.has_open_iwyu_pr == 'false'
- uses: actions/github-script@v6
- with:
- github-token: '${{ secrets.ORBITPROFILER_BOT_PAT }}'
- script: |
- const { repo, owner } = context.repo;
- const result = await github.rest.pulls.create({
- title: 'Automatically apply IWYU to the codebase',
- owner,
- repo,
- head: process.env.IWYU_CLEANUP_BRANCH,
- base: 'main',
- body: [
- 'This is an automatically generated pull request.',
- 'Review the changes carefully and merge the pull request after approval.',
- 'The changes are based on commit ' + context.sha + '.',
- '\n',
- 'Please delete the 
branch after merging the pull request.'
- ].join('\n')
- });
diff --git a/.github/workflows/report-build-and-test.yml b/.github/workflows/report-build-and-test.yml
index 01626f947d6..d8ad2734a51 100644
--- a/.github/workflows/report-build-and-test.yml
+++ b/.github/workflows/report-build-and-test.yml
@@ -24,57 +24,4 @@ jobs:
 artifact: /test-results-(.*)-(.*)/
 name: '$2 $1 Test Results'
 path: '**/*.xml'
- reporter: java-junit
-
- report-clang-tidy-diff:
- permissions:
- pull-requests: write
- runs-on: ubuntu-latest
- steps:
- - name: Download PR metadata
- uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
- with:
- workflow: ${{ github.event.workflow_run.workflow_id }}
- workflow_conclusion: ''
- name: pr_metadata
- if_no_artifact_found: 'ignore'
- - name: Download clang_tidy_fixes
- uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
- with:
- workflow: ${{ github.event.workflow_run.workflow_id }}
- workflow_conclusion: ''
- name: clang_tidy_fixes
- if_no_artifact_found: 'ignore'
- - name: Set found_files
- id: set_found_files
- run: |
- if [ -f clang-tidy-fixes.yml ] && [ -f pr_number.txt ] && [ -f pr_head_repo.txt ] && [ -f pr_head_ref.txt ]; then
- echo "found_files=true" >> $GITHUB_OUTPUT
- else
- echo "found_files=false" >> $GITHUB_OUTPUT
- fi
- - run: |
- echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
- echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
- echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV
- if: steps.set_found_files.outputs.found_files == 'true'
- - uses: actions/checkout@v3
- if: steps.set_found_files.outputs.found_files == 'true'
- with:
- repository: ${{ env.PR_HEAD_REPO }}
- ref: ${{ env.PR_HEAD_REF }}
- persist-credentials: false
- - name: Redownload clang_tidy_fixes
- if: steps.set_found_files.outputs.found_files == 'true'
- uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
- with:
- workflow: ${{ github.event.workflow_run.workflow_id }}
- workflow_conclusion: ''
- name: clang_tidy_fixes
- if_no_artifact_found: 'ignore'
- - uses: platisd/clang-tidy-pr-comments@89ea1b828cdac1a6ec993d225972adea3b8841b6
- if: steps.set_found_files.outputs.found_files == 'true'
- with: 
- github_token: ${{ secrets.ORBITPROFILER_BOT_PAT }}
- clang_tidy_fixes: clang-tidy-fixes.yml
- pull_request_id: ${{ env.PR_NUMBER }}
\ No newline at end of file
+ reporter: java-junit
\ No newline at end of file
diff --git a/.github/workflows/report-checks.yml b/.github/workflows/report-checks.yml
index d6c6374e008..50ce54bb879 100644
--- a/.github/workflows/report-checks.yml
+++ b/.github/workflows/report-checks.yml
@@ -33,97 +33,4 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 COMMIT_SHA: ${{ github.event.workflow_run.head_commit.id }}
- shell: bash
-
- report-clang-format-diff:
- permissions:
- pull-requests: write
- runs-on: ubuntu-latest
- steps:
- - name: Download artifact
- uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
- with:
- workflow: ${{ github.event.workflow_run.workflow_id }}
- workflow_conclusion: ''
- - run: echo "PR_NUMBER=$(cat pr_number/pr_number.txt | jq -r .)" >> $GITHUB_ENV
- - run: npm install gitdiff-parser escape-json-node
- if: ${{ github.event.workflow_run.conclusion == 'failure' }}
- - name: Report clang-format suggestions
- if: ${{ github.event.workflow_run.conclusion == 'failure' }}
- uses: actions/github-script@v6
- env:
- COMMIT_SHA: ${{ github.event.workflow_run.head_commit.id }}
- with:
- github-token: ${{ secrets.ORBITPROFILER_BOT_PAT }}
- script: |
- const {repo, owner} = context.repo;
-
- function* createComments() {
- const gitDiffParser = require('gitdiff-parser');
- const escapeJSON = require('escape-json-node');
- const gitDiffText = require("fs").readFileSync(
- "clang_format_diff/clang_format.diff").toString();
- const diffFiles = gitDiffParser.parse(gitDiffText);
-
- for (const diffFile of diffFiles) {
- for (const hunk of diffFile.hunks) {
- let comment = {};
- comment.path = diffFile.oldPath;
- if (hunk.oldLines > 1) {
- comment.start_line = hunk.oldStart;
- comment.line = hunk.oldStart + hunk.oldLines - 1;
- } else {
- comment.line = hunk.oldStart;
- }
- comment.start_side = 'RIGHT';
- comment.side = 'RIGHT';
- const suggestion = hunk.changes.filter(change => !change.isDelete).map(
- change => escapeJSON(change.content)).join("\n");
- comment.body = `clang-format:\n```suggestion\n${suggestion}\n````;
-
- yield comment;
- }
- }
- }
-
- async function deleteOldBotComments(pr_number) {
- const comments = await github.paginate(
- 'GET 
/repos/{owner}/{repo}/pulls/{pull_number}/comments{?sort,direction,since,per_page,page}',
- {
- owner: owner,
- repo: repo,
- pull_number: pr_number
- });
- const comment_ids = comments.filter(
- comment => comment.user.login === 'orbitprofiler-bot'
- && comment.body.startsWith('clang-format:')).map(
- comment => comment.id);
- await Promise.all(comment_ids.map(async (comment_id) => {
- console.log(`deleting comment: ${comment_id}`);
- await github.request(
- 'DELETE /repos/{owner}/{repo}/pulls/comments/{comment_id}', {
- owner: owner,
- repo: repo,
- comment_id: comment_id
- });
- }));
- }
-
- deleteOldBotComments(process.env.PR_NUMBER);
-
- const comments = [...createComments()];
-
- const request = {
- owner: owner,
- repo: repo,
- pull_number: process.env.PR_NUMBER,
- commit_id: process.env.COMMIT_SHA,
- body: 'Thanks for your change. Please address the suggested formatting changes.',
- event: 'COMMENT',
- comments: comments
- }
-
- console.log(`Sending request:\n${request}\n\n`);
-
- const result = await github.request(`POST /repos/${owner}/${repo}/pulls/${process.env.PR_NUMBER}/reviews`, request);
- console.log(`Received:\n${result}`);
\ No newline at end of file
+ shell: bash
\ No newline at end of file