Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Publish a comment when changes with the GNU testsuite are identified #4006

Closed
wants to merge 32 commits into from
Closed

Publish a comment when changes with the GNU testsuite are identified #4006

wants to merge 32 commits into from

Conversation

sylvestre
Copy link
Sponsor Contributor

No description provided.

@tertsdiepraam
Copy link
Member

I was able to post a comment to a PR on one of my own repositories as a test case: tertsdiepraam/aoc2021#1

permissions were not necessary for this repo. It did not work on push events though, which seems to require a workaround (see actions/github-script#273 (comment))

The YAML is:

name: PostComment

on: [pull_request]

jobs: 
  postcomment:
    runs-on: ubuntu-latest
    steps:
      - name: Publish the result if any change (spell check  test)
        uses: actions/github-script@v6
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: 'Comment posted!'
              })

@tertsdiepraam
Copy link
Member

I wonder if there is some ownership issue going on here. Of course, we wouldn't want anyone to just open a PR which suddenly posts a bunch of comments on issues and pull requests. So github might be restricting the action until its merged or something like that?

@sylvestre
Copy link
Sponsor Contributor Author

your repo is private but I trust you :)

So github might be restricting the action until its merged or something like that?

Maybe? This is why I pushed
a612308

Oh, I just noticed that we have "Issues: write" maybe it needs PullRequests too! I will try
https://github.com/uutils/coreutils/actions/runs/3207061754/jobs/5241542982

@tertsdiepraam
Copy link
Member

tertsdiepraam commented Oct 8, 2022
edited

I think this explains the issue:

Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios such access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

your repo is private but I trust you :)

Oops, fixed :)

@sylvestre
Copy link
Sponsor Contributor Author

I tried with pull_request_target but the PR doesn't start ...
I just landed the commit but still

GITHUB_TOKEN Permissions
  Actions: read
  Contents: read
  Issues: read
  Metadata: read
  PullRequests: read

@tertsdiepraam
Copy link
Member

tertsdiepraam commented Oct 8, 2022
edited

Okay so here's what I understand from https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

  • Normal PR workflows run from the merge commit, hence running untrusted (because unmerged) code.
  • So we cannot give them write permissions when they come from a fork, because that would mean running untrusted code with write access.
  • Hence, there is pull_request_target, which runs when a PR is created but runs on the target branch. So the PR author is not able to change the code of the workflow itself and cannot run untrusted code.
  • In pull_request_target we can checkout the code and run the spell check or GNU test. Though we must be careful not to run any files that we checked out, because that again means running untrusted code.
  • So the safest thing to do is to keep everything as is, but add additional workflows that run on pull_request_target that get info from the previous workflow. See the ReceivePR/CommentPR example here: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

@tertsdiepraam
Copy link
Member

I tried with pull_request_target but the PR doesn't start ...

This makes sense, because pull_request_target runs in the context of the main branch, without any knowledge of new code including the addition of the new job. I think it will only run on new PRs once its merged.

@sylvestre
Copy link
Sponsor Contributor Author

good idea, let's try then :)

sylvestre added a commit that referenced this pull request Oct 8, 2022
@sylvestre
Replace pull_request by pull_request_target
d78089e 
See #4006 (comment)
@sylvestre
Copy link
Sponsor Contributor Author

Looking great here:
https://github.com/uutils/coreutils/actions/runs/3210127098/jobs/5247357217


GITHUB_TOKEN Permissions
  Actions: read
  Contents: read
  Issues: write
  Metadata: read
  PullRequests: write

fingers crossed ;)

@tertsdiepraam
Copy link
Member

tertsdiepraam commented Oct 8, 2022
edited

I think this might work for the comment, but will not do what you expect because it will run on main not on the merge commit. But we can at least check whether the job will succeed and work from there.

Do you mind if I give this a shot in another PR?

@sylvestre
Copy link
Sponsor Contributor Author

@tertsdiepraam
not at all :) thanks!

@tertsdiepraam tertsdiepraam mentioned this pull request Oct 8, 2022
Merged
@tertsdiepraam
Copy link
Member

We're good now, right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sylvestre @tertsdiepraam