From e53f780ac4963e85e7a0bea6123fee9f460e90a4 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Tue, 19 Sep 2023 10:26:17 -0400
Subject: [PATCH] Validate Cirrus-CI Repository settings in PRs

There's a critical little "slider" on the webpage that's somewhat difficult to tell if it's enabled or not. Make a somewhat weak attempt to catch if it's state ever changes. This is better than not checking at all.

Signed-off-by: Chris Evich
---
 ci/validate.sh | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/ci/validate.sh b/ci/validate.sh
index c1dc985d..84be1e8e 100755
--- a/ci/validate.sh
+++ b/ci/validate.sh
@@ -13,7 +13,7 @@ REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
-req_env_vars CIRRUS_PR CIRRUS_BASE_SHA CIRRUS_PR_TITLE
+req_env_vars CIRRUS_PR CIRRUS_BASE_SHA CIRRUS_PR_TITLE CIRRUS_USER_PERMISSION
 show_env_vars
@@ -21,6 +21,16 @@ show_env_vars
 [[ "$CIRRUS_CI" == "true" ]] || \
 die "This script is only/ever intended to be run by Cirrus-CI."
+# This is imperfect security-wise, but attempt to catch an accidental
+# change in Cirrus-CI Repository settings. Namely the hard-to-read
+# "slider" that enables non-contributors to run jobs. We don't want
+# that on this repo, ever. because there are sensitive secrets in use.
+# This variable is set by CI and validated non-empty above
+# shellcheck disable=SC2154
+if [[ "$CIRRUS_USER_PERMISSION" != "write" ]] && [[ "$CIRRUS_USER_PERMISSION" != "admin" ]]; then
+ die "CI Execution not supported with permission level '$CIRRUS_USER_PERMISSION'"
+fi
+
 for target in image_builder/gce.json base_images/cloud.json \
 cache_images/cloud.json win_images/win-server-wsl.json; do
 if ! make $target; then
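Review bot: The permission guard added after the `CIRRUS_CI` check is evaluated by `ci/validate.sh` itself, which presumably runs from the PR's own checkout, so it can only notice a settings change in the task that runs this script and only while the script is left intact. The new comment calls the check "imperfect" without saying why, and a later maintainer could mistake it for an enforcement point. I would state the limit directly in the comment block, for example `# NOTE: tripwire only - this script is part of the PR under test, and tasks that do not run it are not covered.` The enforcing control remains the repository setting itself; whether the secret-using tasks depend on this script is not visible from the hunk, so that dependency is worth confirming.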