Split dep checker into pull_request and workflow_run since

pull_request_target did not work the way I thought, and also is a potential security risk (see https://securitylab.github.com/research/github-actions-preventing-pwn-requests for details)
wildfly · Jan 7, 2021 · 0adb861 · 0adb861
1 parent 2cdafff
commit 0adb861
Show file tree

Hide file tree

Showing 4 changed files with 121 additions and 26 deletions.
diff --git a/.github/workflows/dep-diff.yml → .github/workflows/dep-diff-pull_request.yml b/.github/workflows/dep-diff.yml → .github/workflows/dep-diff-pull_request.yml
@@ -1,30 +1,32 @@
-name: Dependency Tree
-
+name: Dependency Tree Input Builder
+# To deal with https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+# we need to split this across two jobs. The part that writes to the pull request lives in
+# ./dep-diff-workflow_run.yml
 on:
-  pull_request_target:
+  pull_request:
     branches:
     - master
 env:
   # The modules to check for dependencies. If there is more than one they are comma separated
   MODULES_TO_CHECK: core-feature-pack/common
-  # The name of the labels to use if the dependencies are ok
-  DEPS_OK_LABEL_NAME: deps-ok
-  # The name of the labels to use if the dependencies changed
-  DEPS_CHANGED_LABEL_NAME: deps-changed
-  # People/teams to mention in the PR comment if dependencies changed
-  CHANGE_MENTIONS: '@wildfly/prod'
 jobs:
   check:
     runs-on: ubuntu-latest
+    env:
+      ARTIFACTS: .pr_artifacts
     steps:
-      - name: Set needed env vars in outputs
+      - name: Prepare
         id: prepare
         run: |
+          # Make ARTIFACTS absolute
+          ARTIFACTS="${GITHUB_WORKSPACE}/${ARTIFACTS}"
+          echo "ARTIFACTS=${ARTIFACTS}" >> $GITHUB_ENV
+
+          mkdir ${ARTIFACTS}
+          echo ${{ github.event.number }} > "${ARTIFACTS}/pr"
+
           echo "::set-output name=base::${GITHUB_BASE_REF}"
-          echo "::set-output name=modules_to_check::${MODULES_TO_CHECK}"
-          echo "::set-output name=deps_ok_label_name::${DEPS_OK_LABEL_NAME}"
-          echo "::set-output name=deps_changed_label_name::${DEPS_CHANGED_LABEL_NAME}"
-          echo "::set-output name=change_mentions::${CHANGE_MENTIONS}"
+          echo "::set-output name=artifacts::${ARTIFACTS}"
 
       - name: Clone base version
         uses: actions/checkout@v2
@@ -65,7 +67,7 @@ jobs:
           for module in $(echo "${MODULES_TO_CHECK}" | sed "s/,/ /g")
           do
             baseVersionFile="_base-versions-$i.txt"
-            mvn -B dependency:tree -pl "${module}" -DoutputFile="${GITHUB_WORKSPACE}/${baseVersionFile}" || exit 1
+            mvn -B dependency:tree -pl "${module}" -DoutputFile="${ARTIFACTS}/${baseVersionFile}" || exit 1
 
             if [ $i -gt 0 ]; then
               baseVersionFiles="${baseVersionFiles},${baseVersionFile}"
@@ -74,7 +76,7 @@ jobs:
             fi
             i=$((i + 1))
           done
-          echo "::set-output name=files::${baseVersionFiles}"
+          echo "${baseVersionFiles}" > ${ARTIFACTS}/baseVersions
 
       - name: Build PR
         working-directory: pr
@@ -90,7 +92,7 @@ jobs:
           for module in $(echo "${MODULES_TO_CHECK}" | sed "s/,/ /g")
           do
             newVersionFile="_new-versions-$i.txt"
-            mvn -B dependency:tree -pl "${module}" -DoutputFile="${GITHUB_WORKSPACE}/${newVersionFile}" || exit 1
+            mvn -B dependency:tree -pl "${module}" -DoutputFile="${ARTIFACTS}/${newVersionFile}" || exit 1
 
             if [ $i -gt 0 ]; then
               newVersionFiles="${newVersionFiles},${newVersionFile}"
@@ -99,14 +101,9 @@ jobs:
             fi
             i=$((i + 1))
           done
-          echo "::set-output name=files::${newVersionFiles}"
+          echo "${newVersionFiles}" > ${ARTIFACTS}/newVersions
 
-      - name: Check versions
-        uses: wildfly/dep-tree-diff@master
+      - uses: actions/upload-artifact@v2
         with:
-          token: '${{ secrets.GITHUB_TOKEN }}'
-          deps-ok-label: ${{ steps.prepare.outputs.deps_ok_label_name }}
-          deps-changed-label: ${{ steps.prepare.outputs.deps_changed_label_name }}
-          tool-change-mentions: ${{ steps.prepare.outputs.change_mentions }}
-          base-version-files: ${{ steps.base-versions.outputs.files }}
-          new-version-files: ${{ steps.new-versions.outputs.files }}
+          name: input-artifacts
+          path: ${{ steps.prepare.outputs.artifacts }}
diff --git a/.github/workflows/dep-diff-workflow_run.yml b/.github/workflows/dep-diff-workflow_run.yml
@@ -0,0 +1,84 @@
+name: Dependency Tree Reporter
+# This gets called when ./dep-diff-pull_request.yml has completed. See that file
+# for why this is split into two.
+on:
+  workflow_run:
+    workflows: [ "Dependency Tree Input Builder" ]
+    types:
+      - completed
+env:
+  # The name of the labels to use if the dependencies are ok
+  DEPS_OK_LABEL_NAME: deps-ok
+  # The name of the labels to use if the dependencies changed
+  DEPS_CHANGED_LABEL_NAME: deps-changed
+  # People/teams to mention in the PR comment if dependencies changed
+  CHANGE_MENTIONS: '@wildfly/prod'
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: Download artifacts
+        # It would have been nice to be able to use actions/download-artifact@v2
+        # for this, but as the artifacts are uploaded by another workflow it does
+        # not seem possible - so we need to do this stuff instead
+        uses: actions/[email protected]
+        with:
+          script: |
+            var artifacts = await github.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            console.log(artifacts);
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "input-artifacts"
+            })[0];
+            var download = await github.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data));
+
+
+      - name: Set needed env vars in outputs
+        id: prepare
+        run: |
+          unzip input.zip
+          echo current directory contents
+          ls -al
+          echo "::set-output name=deps_ok_label_name::${DEPS_OK_LABEL_NAME}"
+          echo "::set-output name=deps_changed_label_name::${DEPS_CHANGED_LABEL_NAME}"
+          echo "::set-output name=change_mentions::${CHANGE_MENTIONS}"
+
+          echo Reading PR number
+          tmp=$(<pr)
+          echo "PR: ${tmp}"
+
+          echo Reading base version files
+          tmp=$(<baseVersions)
+          echo "Base version files: ${tmp}"
+          echo "::set-output name=base_files::${tmp}"
+
+          echo Reading new version files
+          tmp=$(<newVersions)
+          echo "New version files: ${tmp}"
+          echo "::set-output name=new_files::${tmp}"
+
+#      - name: Setup tmate session
+#        uses: mxschmitt/action-tmate@v3
+
+      - name: Check versions
+        uses: wildfly/dep-tree-diff@master
+        with:
+          token: '${{ secrets.GITHUB_TOKEN }}'
+          deps-ok-label: ${{ steps.prepare.outputs.deps_ok_label_name }}
+          deps-changed-label: ${{ steps.prepare.outputs.deps_changed_label_name }}
+          tool-change-mentions: ${{ steps.prepare.outputs.change_mentions }}
+          base-version-files: ${{ steps.prepare.outputs.base_files }}
+          new-version-files: ${{ steps.prepare.outputs.new_files }}
diff --git a/core-feature-pack/common/pom.xml b/core-feature-pack/common/pom.xml
@@ -823,6 +823,18 @@
             <artifactId>xercesImpl</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-reactive-datasource</artifactId>
+            <version>1.5.0.Final</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
     </dependencies>
 
     <build>

diff --git a/temp.txt b/temp.txt
@@ -0,0 +1,2 @@
+yyyy
+xxx