feature: move default config location to inside workflow for safety r…

…easons (#789) * feature: move default config location to inside workflow for safety reasons * chore: update the ci workflow * feature: read votes from PR approval/needs changes * feature: recreate the voting comment on every change, don't try to reuse the comment or preserve it * feature: Use the time of pull_request last update instead for voting clock * chore: update readme
myyk · May 29, 2023 · 7800e25 · 7800e25
1 parent 5539252
commit 7800e25
Show file tree

Hide file tree

Showing 15 changed files with 201 additions and 269 deletions.
diff --git a/.eslintignore b/.eslintignore
@@ -1,3 +1,4 @@
 dist/
 lib/
-node_modules/
+node_modules/
+__tests__/
diff --git a/.voters.yml → .github/workflows/.voters.yml b/.voters.yml → .github/workflows/.voters.yml
diff --git a/.voting.yml → .github/workflows/.voting.yml b/.voting.yml → .github/workflows/.voting.yml
diff --git a/.github/workflows/reusable_ci.yml b/.github/workflows/reusable_ci.yml
@@ -32,4 +32,5 @@ jobs:
         with:
           repository: myyk/git-democracy
           payloadAction: opened # this is overriden so that this can work when triggered by other PRs for their CIs
+          configPath: .github/workflows
           issueNumber: 71 # this is a permenant PR left for testing
diff --git a/.gitignore b/.gitignore
@@ -105,4 +105,5 @@ Thumbs.db
 
 # Ignore built ts files
 __tests__/runner/*
+__tests__/*.test.js
 lib/**/*
diff --git a/README.md b/README.md
@@ -32,6 +32,8 @@ with the default settings.
 
 This Github action requires the ability to read/write comments on Pull Requests (Issues api).
 
+All potential voters will need to be able to post Pull Request reviews, this should be safe after you have integrated `git-democracy` as it will be what blocks merge approvals.
+
 #### Enable through Settings UI
 
 Under `Settings` > `Actions` > `General` (ex: `https://github.com/<org>/<repo>/settings/actions`)
@@ -60,7 +62,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Evaluate vote
-        uses: myyk/git-democracy@v1
+        uses: myyk/git-democracy@v2
 ```
 
 The name of the workflow must be `Voting` to match the badge that will be
@@ -80,6 +82,13 @@ new workflow is selectable in the UI.
 
 ### Configuration
 
+The configurations should be in the workflow definition's folder to get protections from being run with different configurations from a pull requester (with using `pull_request_target` trigger).
+
+The default location is to be in the same directory as the action's definition for composite actions. For everything else, the location must be specified manually using the `configPath` parameter.
+
+    with:
+      configPath: .github/workflows
+
 #### Voting
 
 The action expects a `.voting.yml` defining the rules of voting.
@@ -118,3 +127,13 @@ jienormous: 1
 ## Sample Project
 
 An example of a fully wired up project: https://github.com/myyk/git-democracy-example
+
+# Migration from v1 to v2 guide
+
+Please do not use `v1` tag as it is not secure since a pull requester could overwrite your `.voters.yml` and `.voting.yml` files.
+
+Easy upgrade steps:
+
+1. Move your `.voters.yml` and `.voting.yml` files into your `.github/workflows/` directory somewhere.
+1. Make sure all your voters are also Pull Requesters in your repo/org/account settings.
+1. Update `uses: myyk/git-democracy@v1` -> `uses: myyk/git-democracy@v2`
diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts
@@ -1,11 +1,16 @@
 import * as github from '@actions/github'
+import {GitHub} from '@actions/github/lib/utils'
 import {run} from '../src/main'
 
 test('test runs', () => {
-  // make sure to run with `INPUT_TOKEN=your-token npm test`
+  // make sure to run with `INPUT_TOKEN=your-token yarn run test`
   // Example on mocking patterns: https://github.com/actions/checkout/blob/master/__test__/input-helper.test.ts
   process.env['INPUT_REPOSITORY'] = 'myyk/git-democracy'
 
+  const octokit = new GitHub({
+    auth: process.env['INPUT_TOKEN'] as string
+  })
+
   // Mock github context
   jest.spyOn(github.context, 'issue', 'get').mockImplementation(() => {
     return {

diff --git a/__tests__/reactions.test.ts b/__tests__/reactions.test.ts
@@ -1,65 +1,14 @@
-import {
-  readReactionsCounts,
-  readReactionsCountsFromSummary,
-  weightedVoteTotaling
-} from '../src/reactions'
+import {readReactionsCounts, weightedVoteTotaling} from '../src/reactions'
 import {GitHub} from '@actions/github/lib/utils'
 
-test('readReactionsCounts throws invalid number', async () => {
-  const octokit = new GitHub()
-  await expect(
-    readReactionsCounts(
-      octokit,
-      'foo',
-      'bar',
-      Promise.reject('commentId not a number')
-    )
-  ).rejects.toEqual('commentId not a number')
-})
-
-test('readReactionsCounts can reactions on issue', async () => {
-  // make sure to run with `INPUT_TOKEN=your-token npm test`
+test('readReactionsCounts can count reactions on issue', async () => {
+  // make sure to run with `INPUT_TOKEN=your-token yarn run test`
   const octokit = new GitHub({
     auth: process.env['INPUT_TOKEN'] as string
   })
   // TODO: Setup a better test case with values that are not the same. Probably need to lock commment if possible.
-  const result = readReactionsCounts(
-    octokit,
-    'myyk',
-    'git-democracy',
-    Promise.resolve(677573350)
-  )
-  await expect(result).resolves.toEqual(new Map([['myyk', 0]]))
-})
-
-test('readReactionsCountsFromSummary throws invalid number', async () => {
-  const octokit = new GitHub()
-  await expect(
-    readReactionsCountsFromSummary(
-      octokit,
-      'foo',
-      'bar',
-      Promise.reject('commentId not a number')
-    )
-  ).rejects.toEqual('commentId not a number')
-})
-
-test('readReactionsCountsFromSummary can getComment on issue', async () => {
-  // make sure to run with `INPUT_TOKEN=your-token npm test`
-  const octokit = new GitHub({
-    auth: process.env['INPUT_TOKEN'] as string,
-    previews: ['squirrel-girl']
-  })
-  // TODO: Setup a better test case with values that are not the same. Probably need to lock commment if possible.
-  const result = readReactionsCountsFromSummary(
-    octokit,
-    'myyk',
-    'git-democracy',
-    Promise.resolve(677573350)
-  )
-  await expect(result).resolves.toHaveProperty('+1', 1)
-  await expect(result).resolves.toHaveProperty('-1', 1)
-  await expect(result).resolves.toHaveProperty('numVoters', 0)
+  const result = readReactionsCounts(octokit, 'myyk', 'git-democracy', 71)
+  await expect(result).resolves.toEqual(new Map([['myyk', 1]]))
 })
 
 type weightedVoteTotalingTestCase = {

diff --git a/action.yml b/action.yml
@@ -8,6 +8,9 @@ inputs:
   repository:
     description: "The full name of the repository in which to tally votes."
     default: ${{ github.repository }}
+  configPath:
+    description: "The path to the config files for this action."
+    default: ${{ github.action_path }}
   payloadAction:
     description: "Testing Parameter: Action payload override."
     default: ""