Try to separate the workflow into privileged / unprivileged

Update the workflow triggered by workflow_run Update workflow Update Upd Debug Separete Too tired More debugging d Try fixing this Make this work Fix yet agian... Hmmm Try to delete label Try to delete label, triggered workflow side Another try Fix typo Try fixing conditional Try random stuff Do less random stuff checkout Fix label name: Add logic to comment on PR, triggered workflow side Fix order Give PR write permission to token
pitag-ha · Dec 19, 2023 · 74f80e2 · 74f80e2
1 parent 53eaad5
commit 74f80e2
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/.github/fuzzy-ci-helpers/label_name.txt b/.github/fuzzy-ci-helpers/label_name.txt
@@ -0,0 +1 @@
+fuzzy-diff-looks-good
diff --git a/.github/fuzzy-ci-helpers/msg.txt b/.github/fuzzy-ci-helpers/msg.txt
@@ -0,0 +1,8 @@
+This PR changes the response of some of the `ocamlmerlin` queries, that were
+run and analyzed by the
+[Merlin Fuzzy CI](https://github.com/ocaml/merlin/wiki/Merlin-Fuzzy-CI).
+The change is not considered a regression, the analysis of this PR has been
+approved in its following state: |
+- URL to download the generated data sets and their diffs between PR base
+branch and merge branch (at the moment of approval): $ARTIFACTS_URL |
+- 256-sha of full responses diff: $HASH
diff --git a/.github/workflows/fuzzy-ci-privileged.yml b/.github/workflows/fuzzy-ci-privileged.yml
@@ -0,0 +1,54 @@
+name: Execute privileged instructions for the Fuzzy CI
+
+# The main workflow fuzzy-ci.yml is triggered by PRs. For security reasons, if
+# the PR comes from a fork, that workflow cannot execute instructions such as
+# comment on PR or delete label on PR:
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# Instead, fuzzy-ci.yml forwards those instructions to this workflow.
+
+
+on:
+  workflow_run:
+    workflows: ["Fuzzy CI"]
+    types:
+      - completed
+
+jobs:
+  execute-instruction:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Download instruction artifact
+        env:
+          GH_API_ACTIONS: https://api.github.com/repos/${{ github.repository }}/actions
+        run: |
+          all_artifacts=$(curl -sSL  "$GH_API_ACTIONS/runs/${{ github.event.workflow_run.id }}/artifacts")
+          forward_artifact=$(echo $all_artifacts | jq '.artifacts[] | select(.name == "forwarded_instructions")')
+          id=$(echo $forward_artifact | jq -r '.id')
+          curl -sSLO -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "$GH_API_ACTIONS/artifacts/$id/zip" -D headers.txt
+      - name: Unzip artifact
+        run: |
+          unzip -q zip -d forward || (cat zip && cat headers.txt)
+      - name: Retreive instruction contents
+        id: instruction
+        run: |
+          instruction=$(jq -r '.instruction' forward/instruction.json)
+          echo "instruction=$instruction" | tee -a $GITHUB_OUTPUT
+      - name: Delete the label
+        if: ${{ steps.instruction.outputs.instruction == 'delete_label' }}
+        run: |
+          ENDPOINT=$(jq -r '.endpoint' forward/instruction.json)
+          LABEL_NAME=$(cat .github/fuzzy-ci-helpers/label_name.txt)
+          curl -sL -w "%{http_code}" -o output.txt -X DELETE -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "$ENDPOINT/$LABEL_NAME"
+      - name: Comment on PR
+        if: ${{ steps.instruction.outputs.instruction == 'comment' }}
+        run: |
+          export ARTIFACTS_URL=$(jq -r '.artifacts_url' forward/instruction.json)
+          export HASH=$(jq -r '.hash' forward/instruction.json)
+          msg=$(cat .github/fuzzy-ci-helpers/msg.txt | tr '\n' ' ' | tr '|' '\n' | envsubst)
+          jq -n --arg msg "$msg" '{ body: $msg }' | tee -a body.json
+          ENDPOINT=$(jq -r '.endpoint' forward/instruction.json)
+          curl -LsX POST -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" -d @body.json "$ENDPOINT"