-
Notifications
You must be signed in to change notification settings - Fork 406
81 lines (76 loc) · 3.27 KB
/
on_opened_pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
name: On new PR
# PROCESS
#
# 1. Fetch PR details previously saved from untrusted location
# 2. Parse details for safety
# 3. Confirm there is a related issue for newly opened PR
# 4. Verify if PR template is used and legal acknowledgement hasn't been removed
# USAGE
#
# NOTE: meant to be used with ./.github/workflows/record_pr.yml
#
# Security Note:
#
# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`.
# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN.
# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs.
#
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated,
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions.
on:
workflow_run:
workflows: ["Record PR details"]
types:
- completed
permissions:
contents: read
jobs:
get_pr_details:
permissions:
actions: read # download PR artifact
contents: read # checkout code
if: ${{ github.event.workflow_run.conclusion == 'success' }}
uses: ./.github/workflows/reusable_export_pr_details.yml
with:
record_pr_workflow_id: ${{ github.event.workflow_run.id }}
workflow_origin: ${{ github.event.repository.full_name }}
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
check_related_issue:
permissions:
pull-requests: write # label and comment on PR if missing related issue (requirement)
needs: get_pr_details
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: "Ensure related issue is present"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
PR_BODY: ${{ needs.get_pr_details.outputs.prBody }}
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
PR_ACTION: ${{ needs.get_pr_details.outputs.prAction }}
PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const script = require('.github/scripts/label_missing_related_issue.js')
await script({github, context, core})
check_acknowledge_section:
needs: get_pr_details
runs-on: ubuntu-latest
permissions:
pull-requests: write # label and comment on PR if missing acknowledge section (requirement)
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: "Ensure acknowledgement section is present"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
PR_BODY: ${{ needs.get_pr_details.outputs.prBody }}
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
PR_ACTION: ${{ needs.get_pr_details.outputs.prAction }}
PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const script = require('.github/scripts/label_missing_acknowledgement_section.js')
await script({github, context, core})