Securing workflows

npanuhin · Dec 24, 2023 · 4226fa3 · 4226fa3
1 parent 27ee91f
commit 4226fa3
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 19 deletions.
diff --git a/.github/src/postprocess.py b/.github/src/postprocess.py
@@ -21,7 +21,7 @@ def main():
             for changed_path in json.load(file):
                 changed_path = mkpath('../../', changed_path)
                 while changed_path:
-                    changed.add(changed_path)
+                    changed.add(os.path.abspath(changed_path))
                     changed_path = os.path.dirname(changed_path)
 
     print('Changed files:', changed)
@@ -41,7 +41,7 @@ def main():
             if not day.solved:
                 continue
 
-            if changed and day.path not in changed:
+            if changed and os.path.abspath(day.path) not in changed:
                 print(f"Skipping day {day.year}/{day.folder_name} as it wasn't changed")
                 continue
 

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -9,6 +9,9 @@ on:
       - '**.py'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   linter:
     name: Lint code

diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -1,32 +1,25 @@
-# Simple workflow for deploying static content to GitHub Pages
 name: Deploy static content to Pages
 
 on:
-  # Runs on pushes targeting the default branch
   # push:
   #   branches: ["master"]
   workflow_run:
     workflows: ["Postprocess"]
     types:
       - completed
 
-  # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
   pages: write
   id-token: write
 
-# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
-# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
-  group: "all"
+  group: "pages"
   cancel-in-progress: false
 
 jobs:
-  # Single deploy job since we're just deploying
   deploy:
     environment:
       name: github-pages
@@ -35,13 +28,15 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
       - name: Setup Pages
         uses: actions/configure-pages@v4
+
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v2
         with:
-          # Upload docs folder
           path: 'docs'
+
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@v3
diff --git a/.github/workflows/postprocess.yaml b/.github/workflows/postprocess.yaml
@@ -1,9 +1,12 @@
 name: Postprocess
 
-on: [push, workflow_dispatch]
+on:
+  push:
+    branches: ["master"]
+  workflow_dispatch:
 
 concurrency:
-  group: "all"
+  group: "postprocess"
   cancel-in-progress: false
 
 jobs:
@@ -43,16 +46,18 @@ jobs:
       - name: Delete temporary files
         run: rm -rf .github/outputs
 
-      - name: Get last commit message
-        id: last-commit-message
-        run: echo "msg=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
+      - name: Get last commit message and author
+        id: last-commit
+        run: |
+          echo "message=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
+          echo "author=$(git log -1 --pretty=\"%an <%ae>\")" >> $GITHUB_OUTPUT
 
       - name: Commit and push changes
         uses: stefanzweifel/git-auto-commit-action@v5
         with:
-          commit_message: ${{ steps.last-commit-message.outputs.msg }}
-          commit_options: --amend --no-edit
+          commit_options: --amend
           push_options: --force
           skip_fetch: true
+          commit_message: ${{ steps.last-commit.outputs.message }}
           commit_user_name: GitHub Actions
-          # commit_author: GitHub Actions <41898282+github-actions[bot]@users.noreply.github.com>
+          commit_author: ${{ steps.last-commit.outputs.author }}