Due to the limitation of `GITHUB_TOKEN` when running workflows from forks, it's required to split the `development_freeze` workflow in two. * First workflow will run on the `pull_request` trigger and save the PR number in the artifact. This workflow is running with read-only permissions on `GITHUB_TOKEN`. * Second workflow will get triggered on `workflow_run`. It will be run directly in the `systemd/systemd` context and can get permission to be able to create comments on PR. GITHUB_TOKEN limitations: * https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token GitHub Security Labs Article - How to correctly and safely overcome GITHUB_TOKEN limitations: * https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
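# doc: https://github.com/redhat-plumbers-in-action/devel-freezer#readme
---

name: Development Freeze

# Runs in the base-repository context after the read-only
# "Gather Pull Request Metadata" workflow finishes. Everything read
# from that run's artifact originates from the (possibly forked) PR and
# is therefore untrusted input; see the validation in the steps below.
on:
  workflow_run:
    workflows: [ Gather Pull Request Metadata ]
    types:
      - completed

env:
  PULL_REQUEST_METADATA_DIR: pull_request
  PULL_REQUEST_METADATA_FILE: metadata

# Default token scope for the whole workflow; the job below requests
# only the additional pull-requests scope it needs.
permissions:
  contents: read

jobs:
  freezer:
    if: >
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success' &&
      github.repository == 'systemd/systemd'
    runs-on: ubuntu-22.04

    permissions:
      pull-requests: write

    steps:
      - name: Download Pull Request Metadata artifact
        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        with:
          script: |
            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: ${{ github.event.workflow_run.id }},
            });

            // Fail loudly when the triggering run did not upload the expected
            // artifact instead of throwing a TypeError on `undefined.id` below.
            const matchArtifact = artifacts.data.artifacts.find(
              (artifact) => artifact.name === "${{ env.PULL_REQUEST_METADATA_FILE }}"
            );
            if (matchArtifact === undefined) {
              core.setFailed("Artifact '${{ env.PULL_REQUEST_METADATA_FILE }}' not found in workflow run ${{ github.event.workflow_run.id }}");
              return;
            }

            const download = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: matchArtifact.id,
              archive_format: 'zip',
            });

            const fs = require('fs');
            fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data));

      # The archive content was produced by the PR's own workflow run; only
      # the single metadata file is expected inside it.
      - run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip

      - name: 'Get Pull Request number'
        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}'));

            // The file comes from an untrusted artifact: reject anything that
            // is not a positive integer before it reaches the write-scoped step.
            if (!Number.isInteger(pr_number) || pr_number <= 0) {
              core.setFailed("Invalid pull request number in metadata artifact");
              return;
            }

            // Bind the number to the run that triggered us: the PR it names
            // must have the same head commit as the workflow_run event. This
            // prevents a PR from pointing the privileged step at another PR.
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: pr_number,
            });
            if (pr.head.sha !== '${{ github.event.workflow_run.head_sha }}') {
              core.setFailed("Pull request head does not match the triggering workflow run");
              return;
            }

            core.exportVariable('pr_number', pr_number);

      - name: Repository checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
        with:
          fetch-depth: 0

      - name: Development Freezer
        uses: redhat-plumbers-in-action/devel-freezer@13b6551f19ade74ca79be4cab06b815a4ffffa64
        with:
          pr-number: ${{ env.pr_number }}
          token: ${{ secrets.GITHUB_TOKEN }}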