From 702433d4c5b11f119c8f7e7b61d99c41b249894f Mon Sep 17 00:00:00 2001 From: Ludy Date: Sun, 29 Dec 2024 15:44:50 +0100 Subject: [PATCH] removed `actions/checkout` for PR branch, use `gh` (#2567) # Description changes the permission https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/104 ## Checklist - [x] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [x] I have performed a self-review of my own code - [ ] I have attached images of the change if it is UI based - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] If my code has heavily changed functionality I have updated relevant docs on [Stirling-PDFs doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) - [ ] My changes generate no new warnings - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) --- .github/workflows/check_properties.yml | 87 +++++++++++++------------- 1 file changed, 45 insertions(+), 42 deletions(-) diff --git a/.github/workflows/check_properties.yml b/.github/workflows/check_properties.yml index 8de65945..5fc4dce9 100644 --- a/.github/workflows/check_properties.yml +++ b/.github/workflows/check_properties.yml @@ -6,16 +6,14 @@ on: paths: - "src/main/resources/messages_*.properties" -permissions: read-all +permissions: + contents: read # Allow read access to repository content + issues: write # Allow posting comments on issues/PRs jobs: check-files: if: github.event_name == 'pull_request_target' runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - issues: write steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 
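Review bot: The new top-level `permissions:` block lists only `contents: read` and `issues: write`, which sets every other scope, including `pull-requests`, to `none`; the `gh pr view … --json files` / `headRefName` calls in the next hunk read pull-request data with `GITHUB_TOKEN` and may fail with "Resource not accessible by integration" once that scope is gone — worth confirming on a fork PR before merging. If it is needed, `pull-requests: read # Allow gh pr view to read PR metadata` keeps the least-privilege intent while making the dependency explicit. The removed job-level `contents: write` is the right direction for a `pull_request_target` workflow, since the remaining steps only fetch file contents and post a comment.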
@@ -24,72 +22,77 @@ jobs: - name: Checkout main branch first uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: main - path: main-branch - fetch-depth: 0 - - - name: Checkout PR branch - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - repository: ${{ github.event.pull_request.head.repo.full_name }} - ref: ${{ github.event.pull_request.head.ref }} - path: pr-branch - fetch-depth: 0 - name: Set up Python uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: "3.x" - - name: Install GitHub CLI - run: sudo apt-get update && sudo apt-get install -y gh - - name: Fetch PR changed files id: fetch-pr-changes env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "Fetching PR changed files..." - cd pr-branch - gh repo set-default ${{ github.repository }} - # Store files in a safe way, only allowing valid properties files + + gh repo set-default ${{ github.event.pull_request.head.repo.full_name }} # Set the fork repository as default + + # Fetch the list of changed files in the PR echo "Getting list of changed files from PR..." - gh pr view ${{ github.event.pull_request.number }} --json files -q ".files[].path" | grep -E '^src/main/resources/messages_[a-zA-Z_]+\.properties$' > ../changed_files.txt - cd .. - - echo "Processing changed files..." - mapfile -t CHANGED_FILES < changed_files.txt - - CHANGED_FILES_STR="${CHANGED_FILES[*]}" - echo "CHANGED_FILES=${CHANGED_FILES_STR}" >> $GITHUB_ENV - - echo "Changed files: ${CHANGED_FILES_STR}" + gh pr view ${{ github.event.pull_request.number }} --json files -q ".files[].path" | grep -E '^src/main/resources/messages_[a-zA-Z_]+\.properties$' > changed_files.txt # Filter only matching property files - name: Determine reference file id: determine-file + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "Determining reference file..." 
+ REPO_OWNER=$(gh pr view ${{ github.event.pull_request.number }} --json author -q '.author.login') # Get PR author's username + REPO_NAME=$(gh pr view ${{ github.event.pull_request.number }} --json headRepository -q '.headRepository.name') # Get PR repository name + BRANCH=$(gh pr view ${{ github.event.pull_request.number }} --json headRefName -q '.headRefName') # Get PR branch name + + mkdir -p pr-branch # Create a directory for PR files + + # Download the content of each changed file + while IFS= read -r file; do + mkdir -p "pr-branch/$(dirname "$file")" # Create directories for files + gh api repos/$REPO_OWNER/$REPO_NAME/contents/$file?ref=$BRANCH --jq '.content' | base64 -d > "pr-branch/src/main/resources/$(basename "$file")" # Save decoded file content + done < changed_files.txt + + # Generate a list of files without the "pr-branch/" prefix + find pr-branch/ -type f | awk -F'pr-branch/' '{print $2}' > file_list.txt + + mapfile -t FILES_LIST < file_list.txt # Read the file list into an array + FILES_LIST_STR="${FILES_LIST[*]}" # Join array into a space-separated string + echo "FILES_LIST=${FILES_LIST_STR}" >> $GITHUB_ENV # Export the file list to the environment + echo "Changed files: ${FILES_LIST_STR}" + + cat file_list.txt # Display the file list + + # Determine which reference file to use if grep -Fxq "src/main/resources/messages_en_GB.properties" changed_files.txt; then echo "Using PR branch reference file" - echo "REFERENCE_FILE=pr-branch/src/main/resources/messages_en_GB.properties" >> $GITHUB_ENV + REFERENCE_FILE="pr-branch-messages_en_GB.properties" + gh api repos/$REPO_OWNER/$REPO_NAME/contents/src/main/resources/messages_en_GB.properties?ref=${{ github.event.pull_request.head.ref }} \ + --jq '.content' | base64 -d > $REFERENCE_FILE # Save PR branch reference file else echo "Using main branch reference file" - echo "REFERENCE_FILE=main-branch/src/main/resources/messages_en_GB.properties" >> $GITHUB_ENV + 
REFERENCE_FILE="main-branch-messages_en_GB.properties" + gh api repos/Ludy87/test_java/contents/src/main/resources/messages_en_GB.properties?ref=main \ + --jq '.content' | base64 -d > $REFERENCE_FILE # Save main branch reference file fi - - name: Show REFERENCE_FILE - run: echo "Reference file is set to ${REFERENCE_FILE}" + echo "REFERENCE_FILE=$REFERENCE_FILE" >> $GITHUB_ENV # Export reference file path to the environment - name: Run Python script to check files id: run-check run: | echo "Running Python script to check files..." - python main-branch/.github/scripts/check_language_properties.py \ + python .github/scripts/check_language_properties.py \ --actor ${{ github.event.pull_request.user.login }} \ --reference-file "${REFERENCE_FILE}" \ - --branch pr-branch \ - --files "${CHANGED_FILES[@]}" > result.txt || true + --branch "pr-branch" \ + --files "${FILES_LIST[@]}" > result.txt || true - name: Capture output id: capture-output @@ -102,7 +105,7 @@ jobs: echo "EOF" >> $GITHUB_ENV echo "${SCRIPT_OUTPUT}" - # Set FAIL_JOB to true if SCRIPT_OUTPUT contains ❌ + # Determine job failure based on script output if [[ "$SCRIPT_OUTPUT" == *"❌"* ]]; then echo "FAIL_JOB=true" >> $GITHUB_ENV else @@ -132,7 +135,7 @@ jobs: const comment = comments.data.find(c => c.body.includes("## 🚀 Translation Verification Summary")); - // Only allow the action user to update comments + // Only update or create comments by the action user const expectedActor = "github-actions[bot]"; if (comment && comment.user.login === expectedActor) {
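Review bot: `?ref=${{ github.event.pull_request.head.ref }}` in the "Determine reference file" step interpolates the fork's branch name directly into a `run:` script of a `pull_request_target` job, so the text is substituted before bash sees any quoting and a crafted branch name would be executed with the job's `GITHUB_TOKEN`. The step already holds the same value in `$BRANCH`, so the line can become `gh api "repos/$REPO_OWNER/$REPO_NAME/contents/src/main/resources/messages_en_GB.properties?ref=$BRANCH" \`, and the `gh api` call inside the `while` loop should be quoted the same way (its unquoted `?` is also a glob character). The main-branch fallback fetches from `repos/Ludy87/test_java/…`, which looks like a personal test repository rather than the repository the workflow runs in; `repos/$GITHUB_REPOSITORY/contents/src/main/resources/messages_en_GB.properties?ref=main` keeps it pointed at the base repo. `REPO_OWNER` is taken from `.author.login`, which is not necessarily the owner of the head repository (for example a PR opened from an organization fork), so `--json headRepositoryOwner -q '.headRepositoryOwner.login'` is the field that actually pairs with `$REPO_NAME`. In the run-check step `--files "${FILES_LIST[@]}"` expands a scalar exported through `$GITHUB_ENV`, so the script receives all paths as one space-joined argument unless it splits on whitespace itself — this was already the case with `CHANGED_FILES`, but the rename is a good moment to check how `check_language_properties.py` parses `--files`.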