issue-build-trigger.yml
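---
name: Issue Triggered Build

# Runs for any account that is allowed to open an issue in this repository,
# so every value read from the issue body below is untrusted input.
on:  # yamllint disable-line rule:truthy
  issues:
    types: [opened]

# Least privilege: the steps only comment on / label / close the issue, add a
# reaction, and dispatch a workflow. Nothing here writes repository contents.
permissions:
  contents: read
  issues: write
  actions: write

jobs:
  parse-and-build:
    runs-on: ubuntu-latest
    steps:
      - name: Parse issue body and update title
        id: parse
        uses: actions/github-script@v7
        with:
          script: |
            const issueBody = context.payload.issue.body || '';
            console.log('Issue body:', issueBody);

            // Parse and validate the package name
            let packageName = 'waterfox-bin'; // default
            const packageMatch = issueBody.match(/### Package to Build\s*\n\s*([^\n]+)/);
            if (packageMatch) {
              packageName = packageMatch[1].trim();
            }

            // Check for custom package name
            const customMatch = issueBody.match(/### Custom Package Name\s*\n\s*([^\n]+)/);
            if (packageName === 'custom-package' && customMatch && customMatch[1].trim() !== '*No response*') {
              packageName = customMatch[1].trim();
            }

            // Validate package name
            const packageValidationErrors = [];

            // Package name validation
            if (packageName.length > 100) {
              packageValidationErrors.push('Package name too long (max 100 characters)');
            }

            // Only allow package-name-like format. This whitelist is also what
            // makes the name safe to embed in the JSON array string built below.
            const validPackageName = /^[a-zA-Z0-9\-_.+]+$/;
            if (!validPackageName.test(packageName)) {
              packageValidationErrors.push('Package name contains invalid characters (only a-z, A-Z, 0-9, -, _, ., + allowed)');
            }

            // Prevent path traversal. '.' passes the whitelist above, so '..'
            // needs its own check; the separator checks are defence in depth.
            if (packageName.includes('..') || packageName.includes('/') || packageName.includes('\\')) {
              packageValidationErrors.push('Package name cannot contain path separators or traversal sequences');
            }

            if (packageValidationErrors.length > 0) {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body: `❌ **Build Request Rejected**\n\nPackage name validation errors:\n${packageValidationErrors.map(err => `- ${err}`).join('\n')}\n\nPlease create a new issue with a valid package name.`
              });
              await github.rest.issues.update({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                state: 'closed',
                labels: ['invalid', 'security-rejected']
              });
              core.setFailed('Build request rejected due to package name validation errors');
              return;
            }

            // Parse the reason with validation
            let reason = 'Build requested';
            const reasonMatch = issueBody.match(/### Reason for Build\s*\n\s*([^\n]+)/);
            if (reasonMatch && reasonMatch[1].trim() !== '*No response*') {
              let rawReason = reasonMatch[1].trim();

              // Security validation for the reason field
              const validationErrors = [];

              // Length validation
              if (rawReason.length > 200) {
                validationErrors.push('Reason too long (max 200 characters)');
              }

              // Character whitelist - alphanumerics and safe punctuation only.
              // Note that quotes and ';' are allowed here, so the reason must
              // never be spliced into script or shell text; later steps read it
              // from the environment instead.
              const allowedChars = /^[a-zA-Z0-9\s\-_.,!?():;'"@#%&+=[\]{}\/\\*]+$/;
              if (!allowedChars.test(rawReason)) {
                validationErrors.push('Reason contains invalid characters');
              }

              // Block dangerous shell metacharacters and control sequences
              const dangerousPatterns = [
                /[`|<>$]/,     // Shell metacharacters (backticks, pipes, redirections, variables)
                /\r|\n/,       // Line breaks
                /[\x00-\x1F]/, // Control characters (except space); needs a character class -
                               // without the brackets this matched the literal sequence NUL '-' US
                /\x7F/,        // DEL character
              ];

              for (const pattern of dangerousPatterns) {
                if (pattern.test(rawReason)) {
                  validationErrors.push('Reason contains potentially dangerous characters');
                  break;
                }
              }

              if (validationErrors.length > 0) {
                // Post validation errors and exit
                await github.rest.issues.createComment({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.issue.number,
                  body: `❌ **Build Request Rejected**\n\nValidation errors:\n${validationErrors.map(err => `- ${err}`).join('\n')}\n\nPlease create a new issue with a valid reason.`
                });
                await github.rest.issues.update({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.issue.number,
                  state: 'closed',
                  labels: ['invalid', 'security-rejected']
                });
                core.setFailed('Build request rejected due to validation errors');
                return;
              }

              reason = rawReason;
            }

            // Update the issue title
            const newTitle = `[BUILD REQUEST] ${packageName} - ${reason}`;
            await github.rest.issues.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              title: newTitle
            });

            // Format as JSON array string for the manual build workflow
            // (packageName is restricted to [a-zA-Z0-9-_.+], so no escaping needed)
            const packagesJson = `["${packageName}"]`;

            console.log('Parsed package:', packageName);
            console.log('Reason:', reason);
            console.log('Updated title to:', newTitle);
            console.log('Packages JSON:', packagesJson);

            // These outputs are derived from the issue body and remain untrusted;
            // downstream steps must pass them via env, never via ${{ }} inside
            // script text.
            core.setOutput('packages_json', packagesJson);
            core.setOutput('package_name', packageName);
            core.setOutput('reason', reason);

      - name: Add reaction to issue
        uses: actions/github-script@v7
        with:
          script: |
            // Awaited so a failed API call fails the step with its real error
            // instead of surfacing as an unhandled rejection.
            await github.rest.reactions.createForIssue({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              content: 'rocket'
            });

      - name: Comment on issue
        uses: actions/github-script@v7
        # Step outputs are handed over as environment variables. Interpolating
        # them with ${{ }} directly into the script would let a value containing
        # a quote (which the reason whitelist permits) end the JS string literal
        # and be evaluated as code.
        env:
          PACKAGE_NAME: ${{ steps.parse.outputs.package_name }}
          REASON: ${{ steps.parse.outputs.reason }}
        with:
          script: |
            const packageName = process.env.PACKAGE_NAME;
            const reason = process.env.REASON;

            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `🚀 Build request received for package: **${packageName}**\nReason: ${reason}\n\nTriggering build workflow...`
            });

      - name: Trigger manual build workflow
        uses: actions/github-script@v7
        env:
          PACKAGES_JSON: ${{ steps.parse.outputs.packages_json }}
        with:
          script: |
            const packagesJson = process.env.PACKAGES_JSON;

            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'manual_build.yml',
              ref: 'main',
              inputs: {
                packages_json: packagesJson,
                build_mode: 'build'
              }
            });

            console.log(`Triggered manual_build.yml with packages_json: ${packagesJson}`);

      - name: Update issue with build status
        uses: actions/github-script@v7
        env:
          PACKAGE_NAME: ${{ steps.parse.outputs.package_name }}
        with:
          script: |
            const packageName = process.env.PACKAGE_NAME;

            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `✅ Build workflow triggered successfully for **${packageName}**\n\nYou can monitor the build progress in the [Actions tab](https://github.com/${context.repo.owner}/${context.repo.repo}/actions).`
            });

            // Close the issue since the build has been triggered
            await github.rest.issues.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              state: 'closed'
            });

    # NOTE(review): indentation was lost in the source, so this env block's
    # original level is unknown; placed at job level - confirm against the
    # original file. actions/github-script authenticates through its
    # github-token input (default github.token), so this is likely redundant.
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}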