fix: secure auto-format workflow against fork-based CI attacks #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Auto Format | ||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize] | ||
| workflow_dispatch: | ||
| permissions: | ||
| contents: write | ||
| jobs: | ||
| auto-format: | ||
| # Only run on internal PRs (same repo), not forks | ||
| if: github.event.pull_request.head.repo.full_name == github.repository | ||
| runs-on: ubuntu-latest | ||
| container: osodevops/build-harness:latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| if: github.event.pull_request.state == 'open' | ||
| name: Checkout PR branch | ||
| with: ref: ${{ github.event.pull_request.head.ref }} | ||
| persist-credentials: true | ||
| - name: Auto Format | ||
| if: github.event.pull_request.state == 'open' | ||
| shell: bash | ||
| run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/readme/host | ||
| # Commit changes (if any) to the PR branch | ||
| - name: Commit changes to the PR branch | ||
| if: github.event.pull_request.state == 'open' | ||
| shell: bash | ||
| id: commit | ||
| env: | ||
| SENDER: ${{ github.event.sender.login }} | ||
| run: | | ||
| set -x | ||
| output=$(git diff --name-only) | ||
| if [ -n "$output" ]; then | ||
| echo "Changes detected. Pushing to the PR branch" | ||
| git config --global user.name 'osotopbot' | ||
| git config --global user.email '72751587+osotopbot@users.noreply.github.com' | ||
| git add -A | ||
| git commit -m "Auto Format" | ||
| # Prevent looping by not pushing changes in response to changes from osotopbot | ||
| [[ $SENDER == "osotopbot" ]] || git push | ||
| # Set status to fail, because the push should trigger another status check, | ||
| # and we use success to indicate the checks are finished. | ||
| echo "changed=true" >> "$GITHUB_OUTPUT" | ||
| exit 1 | ||
| else | ||
| echo "changed=false" >> "$GITHUB_OUTPUT" | ||
| echo "No changes detected" | ||
| fi | ||
