Skip to content

Problem: minor security issue in github workflow #9389

Problem: minor security issue in github workflow

Problem: minor security issue in github workflow #9389

Workflow file for this run

name: Build
on:
pull_request:
merge_group:
push:
branches:
- master
- release/**
issue_comment:
types: [created, edited]
jobs:
member:
name: Check whether it is triggered by team members with issue_comment or push or pull_request
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event_name == 'pull_request' || startsWith(github.event.comment.body, '/runsim')
outputs:
valid: ${{ steps.setValid.outputs.valid }}
steps:
- uses: tspascoal/get-user-teams-membership@v2
id: checkUserMember
if: github.event_name == 'issue_comment'
with:
username: ${{ github.actor }}
team: 'maintainers'
GITHUB_TOKEN: ${{ secrets.ORG_READ_BOT_PAT }}
- name: set valid if it is push/pull_request event or check if it is triggered by team members with issue_comment
id: setValid
run: |
if [[ "${{ steps.checkUserMember.outputs.isTeamMember }}" == "true" ]]; then
echo "valid=true" >> $GITHUB_OUTPUT
elif [[ "${{ github.event_name }}" == "push" || "${{ github.event_name }}" == "pull_request" ]]; then
echo "valid=true" >> $GITHUB_OUTPUT
else
echo "valid=false" >> $GITHUB_OUTPUT
fi
build:
name: Build
runs-on: ubuntu-latest
needs: [member]
permissions:
pull-requests: write
timeout-minutes: 10
if: needs.member.outputs.valid == 'true'
outputs:
repo_name: ${{ steps.pr_data.outputs.repo_name }}
ref: ${{ steps.pr_data.outputs.ref }}
steps:
- name: Comment PR for Sim test started
uses: crypto-org-chain/actions-pull-request-add-comment@master
if: github.event_name == 'issue_comment'
with:
message: |
Simulation tests started and triggered by `/runsim`.
Will update here when it succeeds or fails.
Can further check progress [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Github API Request
id: request
uses: octokit/[email protected]
if: github.event_name == 'issue_comment'
with:
route: ${{ github.event.issue.pull_request.url }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Get Comment PR informations
id: pr_data
if: github.event_name == 'issue_comment'
env:
COMMENT_BODY: ${{ github.event.comment.body }}
run: |
echo "repo_name=${{ fromJson(steps.request.outputs.data).head.repo.full_name }}" >> $GITHUB_OUTPUT
comment_hash=`echo "$COMMENT_BODY" | cut -d' ' -f2` # get commit hash if any
if [[ "${comment_hash}" == "/runsim" ]]; then
# use default head ref
echo "ref=${{ fromJson(steps.request.outputs.data).head.ref }}" >> $GITHUB_OUTPUT
else
# use comment provided ref
echo "ref=${comment_hash}" >> $GITHUB_OUTPUT
fi
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.22
- name: Checkout Comment PR Branch
uses: actions/checkout@v3
if: github.event_name == 'issue_comment'
with:
submodules: true
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ steps.pr_data.outputs.repo_name }}
ref: ${{ steps.pr_data.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v3
with:
submodules: true
if: github.event_name == 'push' || github.event_name == 'pull_request'
- id: changed-files
uses: tj-actions/changed-files@v41
with:
files: |
**/*.go
go.mod
go.sum
- name: Set GOBIN
run: |
echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
- name: build
if: |
steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'issue_comment'
run: make build
- name: test
run: make test
if: "steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'issue_comment'"
- name: Upload coverage report
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
file: ./coverage.txt
flags: unit_tests
- name: Create file status_build.txt and write the job status into it
if: github.event_name == 'issue_comment'
run: |
echo ${{ job.status }} > status_build.txt
- name: Upload file status_build.txt as an artifact
if: github.event_name == 'issue_comment'
uses: actions/upload-artifact@v1
with:
name: pass_status_build
path: status_build.txt
build-rocksdb:
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@v3
- uses: cachix/install-nix-action@v23
with:
nix_path: nixpkgs=channel:nixos-22.11
extra_nix_config: |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- id: changed-files
uses: tj-actions/changed-files@v41
with:
files: |
**/*.go
go.mod
go.sum
- uses: cachix/cachix-action@v12
if: steps.changed-files.outputs.any_changed == 'true'
with:
name: crypto-com
# github don't pass secrets for pull request from fork repos,
# in that case the push is disabled naturally.
signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
- name: Run build
run: ./scripts/release.sh
if: steps.changed-files.outputs.any_changed == 'true'
- uses: actions/upload-artifact@v3
with:
name: "chain-maind-tarball-${{ matrix.os }}"
path: "*.tar.gz"
if-no-files-found: ignore
install-runsim:
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'push' || github.event_name == 'issue_comment'
steps:
- uses: actions/setup-go@v3
with:
go-version: 1.22
- name: install runsim
run: |
export GO111MODULE="on" && go install github.com/cosmos/tools/cmd/[email protected]
- uses: actions/[email protected]
with:
path: ~/go/bin
key: ${{ runner.os }}-go-runsim-binary
- name: Create file status_install.txt and write the job status into it
if: github.event_name == 'issue_comment'
run: |
echo ${{ job.status }} > status_install.txt
- name: Upload file status_install.txt as an artifact
if: github.event_name == 'issue_comment'
uses: actions/upload-artifact@v1
with:
name: pass_status_install
path: status_install.txt
test-sim-nondeterminism:
runs-on: ubuntu-latest
needs: [build, install-runsim]
steps:
- uses: actions/setup-go@v3
with:
go-version: 1.22
- name: Checkout Comment PR Branch
uses: actions/checkout@v3
if: github.event_name == 'issue_comment'
with:
submodules: true
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ needs.build.outputs.repo_name }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v3
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
- id: changed-files
uses: tj-actions/changed-files@v41
with:
files: |
**/*.go
go.mod
go.sum
- uses: actions/[email protected]
with:
path: ~/go/bin
key: ${{ runner.os }}-go-runsim-binary
if: "steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'issue_comment'"
- name: test-sim-nondeterminism
run: |
make test-sim-nondeterminism
if: "steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'issue_comment'"
- name: Create file status_sim1.txt and write the job status into it
if: github.event_name == 'issue_comment'
run: |
echo ${{ job.status }} > status_sim1.txt
- name: Upload file status_sim1.txt as an artifact
if: github.event_name == 'issue_comment'
uses: actions/upload-artifact@v1
with:
name: pass_status_sim1
path: status_sim1.txt
test-sim-import-export:
runs-on: ubuntu-latest
needs: [build, install-runsim]
steps:
- uses: actions/setup-go@v3
with:
go-version: 1.22
- name: Checkout Comment PR Branch
uses: actions/checkout@v3
if: github.event_name == 'issue_comment'
with:
submodules: true
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ needs.build.outputs.repo_name }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v3
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
- id: changed-files
uses: tj-actions/changed-files@v41
with:
files: |
**/*.go
go.mod
go.sum
- uses: actions/[email protected]
with:
path: ~/go/bin
key: ${{ runner.os }}-go-runsim-binary
if: "steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'issue_comment'"
- name: test-sim-import-export
run: |
make test-sim-import-export
if: "steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'issue_comment'"
- name: Create file status_sim2.txt and write the job status into it
if: github.event_name == 'issue_comment'
run: |
echo ${{ job.status }} > status_sim2.txt
- name: Upload file status_sim2.txt as an artifact
if: github.event_name == 'issue_comment'
uses: actions/upload-artifact@v1
with:
name: pass_status_sim2
path: status_sim2.txt
test-sim-after-import:
runs-on: ubuntu-latest
needs: [build, install-runsim]
steps:
- uses: actions/setup-go@v3
with:
go-version: 1.22
- name: Checkout Comment PR Branch
uses: actions/checkout@v3
if: github.event_name == 'issue_comment'
with:
submodules: true
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ needs.build.outputs.repo_name }}
ref: ${{ needs.build.outputs.ref }}
- name: Normal check out code
uses: actions/checkout@v3
if: github.event_name == 'push' || github.event_name == 'pull_request'
with:
submodules: true
- id: changed-files
uses: tj-actions/changed-files@v41
with:
files: |
**/*.go
go.mod
go.sum
- uses: actions/[email protected]
with:
path: ~/go/bin
key: ${{ runner.os }}-go-runsim-binary
if: "steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'issue_comment'"
- name: test-sim-after-import
run: |
make test-sim-after-import
if: "steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'issue_comment'"
- name: Create file status_sim3.txt and write the job status into it
if: github.event_name == 'issue_comment'
run: |
echo ${{ job.status }} > status_sim3.txt
- name: Upload file status_sim3.txt as an artifact
if: github.event_name == 'issue_comment'
uses: actions/upload-artifact@v1
with:
name: pass_status_sim3
path: status_sim3.txt
report-status-pr:
runs-on: ubuntu-latest
needs: [member, test-sim-nondeterminism, test-sim-import-export, test-sim-after-import]
permissions:
pull-requests: write
if: always() && github.event_name == 'issue_comment' && needs.member.outputs.valid == 'true'
steps:
- name: Download artifact pass_status_build
uses: actions/download-artifact@v1
continue-on-error: true
with:
name: pass_status_build
- name: Download artifact pass_status_install
uses: actions/download-artifact@v1
continue-on-error: true
with:
name: pass_status_install
- name: Download artifact pass_status_sim1
uses: actions/download-artifact@v1
continue-on-error: true
with:
name: pass_status_sim1
- name: Download artifact pass_status_sim2
uses: actions/download-artifact@v1
continue-on-error: true
with:
name: pass_status_sim2
- name: Download artifact pass_status_sim3
uses: actions/download-artifact@v1
continue-on-error: true
with:
name: pass_status_sim3
- name: Set the statuses of Jobs as output parameters
id: set_outputs
continue-on-error: true
run: |
echo "status_job01=$(<pass_status_build/status_build.txt)" >> $GITHUB_OUTPUT
echo "status_job02=$(<pass_status_install/status_install.txt)" >> $GITHUB_OUTPUT
echo "status_job03=$(<pass_status_sim1/status_sim1.txt)" >> $GITHUB_OUTPUT
echo "status_job04=$(<pass_status_sim2/status_sim2.txt)" >> $GITHUB_OUTPUT
echo "status_job05=$(<pass_status_sim3/status_sim3.txt)" >> $GITHUB_OUTPUT
- name: The sim jobs has succeed
uses: crypto-org-chain/actions-pull-request-add-comment@master
if: >-
steps.set_outputs.outputs.status_job01 == 'success' && steps.set_outputs.outputs.status_job02 == 'success'
&& steps.set_outputs.outputs.status_job03 == 'success' && steps.set_outputs.outputs.status_job04 == 'success'
&& steps.set_outputs.outputs.status_job05 == 'success'
with:
message: |
✅ `/runsim` simulation test has succeeded 🎉
Can further check [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: The sim jobs has failed
uses: crypto-org-chain/actions-pull-request-add-comment@master
if: >-
steps.set_outputs.outputs.status_job01 != 'success' || steps.set_outputs.outputs.status_job02 != 'success'
|| steps.set_outputs.outputs.status_job03 != 'success' || steps.set_outputs.outputs.status_job04 != 'success'
|| steps.set_outputs.outputs.status_job05 != 'success'
with:
message: |
❌ `/runsim` simulation test has failed 😅
Can further check [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
gomod2nix:
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v3
- id: changed-files
uses: tj-actions/changed-files@v41
with:
files: |
go.mod
go.sum
- uses: cachix/install-nix-action@v23
if: steps.changed-files.outputs.any_changed == 'true'
with:
extra_nix_config: |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- name: update gomod2nix
run: nix run .#update-gomod2nix
if: steps.changed-files.outputs.any_changed == 'true'
- name: check working directory is clean
id: changes
run: |
set +e
(git diff --no-ext-diff --exit-code)
echo "changed=$?" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@v2
if: steps.changes.outputs.changed == 1
with:
name: gomod2nix.toml
path: ./gomod2nix.toml
- if: steps.changes.outputs.changed == 1
run: echo "Working directory is dirty" && exit 1