ci: action for manual file generation #400

Closed. Wants to merge 2 commits.
80 changes: 80 additions & 0 deletions .github/workflows/generate-manual.yaml
@@ -0,0 +1,80 @@
name: Manually Generate Files

on:
workflow_dispatch:
inputs:
branch:
description: 'The branch to create the pull request into'
required: true
default: 'main'
custom_branch_name:
description: 'The custom branch name for generated code changes'
required: true
default: 'update-generated-files'

defaults:
run:
working-directory: ./v2

jobs:
generate:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ github.event.inputs.branch }}

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "21.1.0"
registry-url: "https://registry.npmjs.org"

- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1

- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y jq unzip
yarn install
forge soldeer update

- name: Install specific version of aibgen
run: |
wget https://gethstore.blob.core.windows.net/builds/geth-alltools-linux-amd64-1.11.5-a38f4108.tar.gz
tar -zxvf geth-alltools-linux-amd64-1.11.5-a38f4108.tar.gz
sudo mv geth-alltools-linux-amd64-1.11.5-a38f4108/abigen /usr/local/bin/
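Review bot: the `abigen` install step (`wget https://gethstore.blob.core.windows.net/...tar.gz`, `tar -zxvf ...`, `sudo mv .../abigen /usr/local/bin/`) places a downloaded binary on PATH without checking the archive at all; pin the expected sha256 of that exact 1.11.5 tarball in the workflow (or compare against a checksum published by the go-ethereum project) and fail the step on mismatch, so a swapped or truncated download cannot silently feed the code-generation step. Two smaller points in the same region: the step name says `aibgen` where the binary is `abigen`, and `actions/checkout@v4`, `actions/setup-node@v4` and `foundry-rs/foundry-toolchain@v1` are referenced by moving tags rather than commit SHAs, so what actually runs can change underneath this workflow.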
Comment on lines +28 to +48
Member
We should install all these tools in a docker container then use that container locally and in CI for a consistent experience


- name: Generate Go packages and types
run: |
yarn generate

- name: Check for changes
id: check_changes
run: |
if git diff --exit-code --ignore-space-change --ignore-all-space --ignore-cr-at-eol -- pkg types; then
echo "Generated Go files are up-to-date."
echo "::set-output name=changes::false"
else
echo "Generated files are not up-to-date. Creating a PR."
echo "::set-output name=changes::true"
git config user.name "github-actions[bot]"
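Review bot: `git diff --exit-code --ignore-space-change --ignore-all-space --ignore-cr-at-eol -- pkg types` only compares files git already tracks, so a `yarn generate` run that creates a new file under `pkg` or `types` leaves this step printing "Generated Go files are up-to-date." and setting `changes::false`; run `git add -N -- pkg types` before the diff (or test `git status --porcelain -- pkg types` for non-empty output) so untracked output counts as a change. The three ignore-whitespace flags also mean whitespace-only regeneration drift is never reported; if that is intended it deserves a comment in the script.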
Comment on lines +50 to +63
Contributor
⚠️ Potential issue

Update deprecated command and add error handling.

1. The set-output command is deprecated. Replace it with the new syntax:
- echo "::set-output name=changes::false"
+ echo "changes=false" >> $GITHUB_OUTPUT
- echo "::set-output name=changes::true"
+ echo "changes=true" >> $GITHUB_OUTPUT
2. Consider adding error handling for the yarn generate command:
- name: Generate Go packages and types
  run: |
    if ! yarn generate; then
      echo "Error: Failed to generate files"
      exit 1
    fi

These changes will improve the workflow's compatibility with future GitHub Actions updates and make it more robust against potential errors.

🧰 Tools
🪛 actionlint

56-56: shellcheck reported issue in this script: SC1046:error:1:1: Couldn't find 'fi' for this 'if'
(shellcheck)

56-56: shellcheck reported issue in this script: SC1073:error:1:1: Couldn't parse this if expression. Fix to allow more checks
(shellcheck)

56-56: shellcheck reported issue in this script: SC1047:error:14:1: Expected 'fi' matching previously mentioned 'if'
(shellcheck)

56-56: shellcheck reported issue in this script: SC1072:error:14:1: Expected 'fi'. Fix any mentioned problems and try again
(shellcheck)

56-56: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
(deprecated-commands)

56-56: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
(deprecated-commands)

git config user.email "github-actions[bot]@users.noreply.github.com"
git checkout -b ${{ github.event.inputs.custom_branch_name }}
git add pkg types
git commit -m "ci: generate files"
git push origin ${{ github.event.inputs.custom_branch_name }}
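Review bot: the `run:` script never closes its `if`: the block opened by `if git diff --exit-code ... -- pkg types; then` and continued with `else` ends at `git push origin ${{ github.event.inputs.custom_branch_name }}` with no `fi`, so bash will refuse to parse the step (this is what the SC1046/SC1047 shellcheck errors report); add `fi` after the push. In the same lines, `git checkout -b ${{ github.event.inputs.custom_branch_name }}` and `git push origin ${{ ... }}` splice the workflow_dispatch input into the script text before the shell starts, so shell metacharacters in the input become part of the command rather than part of a branch name; sanitising inside the same `run:` block cannot help, because expansion has already happened by then. Pass the input through `env:` and reference it as a double-quoted variable, and reject malformed values with `git check-ref-format --branch "$VAR"` rather than rewriting them. Exposure is limited to accounts that can trigger `workflow_dispatch` on this repository, but the fix is cheap and removes the finding Semgrep reports below.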

gartnera marked this conversation as resolved.
Comment on lines +56 to +69

Check failure

Code scanning / Semgrep PRO

[Semgrep Code] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): 'run-shell-injection' High

Using variable interpolation ${...} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Comment on lines +63 to +69
Contributor

⚠️ Potential issue

Potential security risk: Sanitize user input for branch name.

The custom_branch_name input is used directly in a shell command, which could potentially lead to command injection if not properly sanitized. To mitigate this risk, consider sanitizing the input or using it in a safer context.

Here's a suggested improvement:

- name: Prepare branch name
  run: |
    SAFE_BRANCH_NAME=$(echo "${{ github.event.inputs.custom_branch_name }}" | sed 's/[^a-zA-Z0-9_-]/-/g')
    echo "SAFE_BRANCH_NAME=${SAFE_BRANCH_NAME}" >> $GITHUB_ENV

- name: Create and push branch
  run: |
    git checkout -b $SAFE_BRANCH_NAME
    git add pkg types
    git commit -m "ci: generate files"
    git push origin $SAFE_BRANCH_NAME

This change sanitizes the branch name by replacing any characters that are not alphanumeric, underscore, or hyphen with a hyphen, reducing the risk of command injection.

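As an added example (not code from this PR or from the suggestion above), here is the "Check for changes" step rewritten along the lines of the Semgrep advice: the input reaches the script only through `env:`, is validated with `git check-ref-format --branch` instead of being rewritten, untracked generated files are staged with `git add -N` so they count as changes, and the outputs use `$GITHUB_OUTPUT`. The env name `BRANCH_NAME`, the `set -euo pipefail` line and the closing `fi` are my own additions.

```yaml
# Added example, not the PR's own step. Replaces the "Check for changes" step
# so that the workflow_dispatch input is never spliced into the shell script.
- name: Check for changes
  id: check_changes
  env:
    # The expression is expanded into an environment variable, not into the
    # script text, so the shell only ever sees a value; metacharacters in the
    # input are inert.
    BRANCH_NAME: ${{ github.event.inputs.custom_branch_name }}
  run: |
    set -euo pipefail
    # Reject anything that is not a well-formed git branch name instead of
    # rewriting it: a bad value fails the job here, before any git command.
    git check-ref-format --branch "$BRANCH_NAME" >/dev/null
    # Intent-to-add makes newly generated (untracked) files visible to git diff.
    git add -N -- pkg types
    # --quiet implies --exit-code; whitespace-only drift counts as a change here.
    if git diff --quiet -- pkg types; then
      echo "Generated Go files are up-to-date."
      echo "changes=false" >> "$GITHUB_OUTPUT"
    else
      echo "Generated files are not up-to-date. Creating a PR."
      echo "changes=true" >> "$GITHUB_OUTPUT"
      git config user.name "github-actions[bot]"
      git config user.email "github-actions[bot]@users.noreply.github.com"
      git checkout -b "$BRANCH_NAME"
      git add -- pkg types
      git commit -m "ci: generate files"
      git push origin "$BRANCH_NAME"
    fi
```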

- name: Create Pull Request
Member
why not just push directly to the user's branch?

if: steps.check_changes.outputs.changes == 'true'
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.event.inputs.custom_branch_name }}
base: ${{ github.event.inputs.branch }}
title: "ci: generate files"
body: |
This PR updates the auto-generated files with `yarn generate`. Please review the changes.
labels: ["CI"]
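Review bot: the workflow declares no `permissions:` block, and `peter-evans/create-pull-request@v5` needs `contents: write` and `pull-requests: write` on the token it is given; with restricted default `GITHUB_TOKEN` permissions the `Create Pull Request` step fails, so add those two permissions at the job level (and nothing more). Three further points in this step: pull requests opened with `secrets.GITHUB_TOKEN` do not trigger `pull_request` workflows on the new PR, so CI will not run on the generated changes unless a PAT or GitHub App token is used instead; the action's `labels` input is a comma- or newline-separated string, so `labels: ["CI"]` should be `labels: CI`; and because the previous step already commits and pushes `${{ github.event.inputs.custom_branch_name }}`, the action is handed a branch with no remaining working-tree changes, so please confirm it still opens the PR for an existing branch that is ahead of `base` rather than reporting nothing to do.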