plasma-infra: Handle external pull request #844

Merged: 7 commits, Nov 22, 2023
12 changes: 9 additions & 3 deletions .github/workflows/change-detection.yml
@@ -11,6 +11,10 @@ on:
description: 'Get scope as "[plasma-temple,plasma-core,plasma-ui]", etc'
default: false
type: boolean
ref:
type: string
description: "Manual set repo ref"
Contributor:
What does manually setting the ref on the repository mean?

Collaborator (Author):
@Yeti-or

  scope:
    needs: [authorize]
    uses: ./.github/workflows/change-detection.yml
    with:
      exclude-dependents: true
      ref: refs/pull/${{github.event.pull_request.number}}/merge # <--- this is where we set it manually
    secrets: inherit

Contributor:
Manually: meaning an option in the config that has to be set?

default: ''
outputs:
SCOPE:
description: "scope collection"
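Review bot: the new `ref` input (default `''`, description "Manual set repo ref") is under-documented for what it now controls: the callers in this PR pass `refs/pull/<n>/merge` from `pull_request_target` workflows, so a non-empty value makes this reusable workflow operate on the incoming PR's tree. Suggest a description along the lines of `description: "Ref to check out; empty means the event's own ref. A PR merge ref brings untrusted PR content into the job, so callers must gate on authorize first"`.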
@@ -70,9 +74,11 @@ jobs:
PACKAGES_ENUMERATION: ${{ steps.set-output.outputs.PACKAGES_ENUMERATION }}

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
show-progress: false
fetch-depth: 0
ref: ${{ inputs.ref }}

- name: Prepare environment
uses: ./.github/actions/prepare-environment
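Review bot: `ref: ${{ inputs.ref }}` relies on actions/checkout treating the empty default as "not set" and falling back to the event ref; that is how it behaves, but the reliance is silent, so a one-line comment above `ref:` would help the next maintainer. `fetch-depth: 0` is required here because the later `git merge-base --fork-point origin/dev` needs history beyond the merge commit; keep the two together if the step is ever moved.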
@@ -85,7 +91,7 @@ jobs:
shell: bash
id: changed-state
run: |
#INFO: `jq -c` => Делаем вывод в одну JSON строку
#INFO: `jq -c` => Делаем вывод в одну JSON строку
echo "CHANGED_STATE=$(npx lerna la --json --since=$(git merge-base --fork-point origin/dev) ${{ env.EXCLUDE_DEPENDENTS }} | jq -c)" >> "$GITHUB_OUTPUT"

- name: Computed scope state
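Review bot: the `#INFO:` comment line is removed and re-added with identical text, so this hunk is whitespace-only; worth saying so in the commit message. More importantly, `npx lerna la` resolves `lerna` from the checked-out tree, so once `inputs.ref` points at a PR merge ref this step executes PR-controlled code; that is safe only because every caller in this PR runs `authorize` first, and a comment on the `run:` naming that dependency would keep it from being forgotten.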
@@ -97,7 +103,7 @@ jobs:
with:
script: |
const processingScope = require('./.github/processing-scope.js');

return processingScope();

- name: Set "GITHUB_OUTPUT"
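Review bot: `require('./.github/processing-scope.js')` inside `actions/github-script` loads a script from the checked-out tree and runs it with the job's `GITHUB_TOKEN`; with `ref` set to a PR merge ref that script is PR-controlled. Either check the base ref's `.github/` out into a separate `path:` and require the script from there, or document next to this step that it is covered by the `authorize` gate in every caller.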
5 changes: 4 additions & 1 deletion .github/workflows/clean-pr-documentation.yml
@@ -4,8 +4,11 @@ on:
pull_request:
types: [closed]
branches:
- dev
- master
pull_request_target:
types: [closed]
branches:
- dev

concurrency:
# New commit on branch cancels running workflows of the same branch
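Review bot: with `pull_request` kept for `master` and `pull_request_target` added for `dev`, this workflow now runs with secrets for fork PRs to `dev`, yet unlike the other workflows in this PR it has no `authorize` job. That is acceptable only because, in the visible lines, nothing checks out or executes PR content; please add a comment under `pull_request_target:` stating that constraint so a checkout step is not added here later without a gate.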
7 changes: 5 additions & 2 deletions .github/workflows/cleanup-cache-pr.yml
@@ -5,6 +5,9 @@ on:
pull_request:
types:
- closed
pull_request_target:
types:
- closed

jobs:
cleanup:
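Review bot: `pull_request` `closed` and `pull_request_target` `closed` both fire when a fork PR is closed (the `pull_request` run simply has no secrets), so cleanup runs twice for the same PR; the unprivileged run will likely fail at cache deletion and the privileged one does the work. Harmless, but an `if:` on the job or dropping one of the two triggers would avoid the duplicate and the confusing failed run.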
@@ -16,14 +19,14 @@ jobs:
- name: Cleanup
run: |
gh extension install actions/gh-actions-cache

REPO=${{ github.repository }}
BRANCH="refs/pull/${{ github.event.pull_request.number }}/merge"

echo "Fetching list of cache key"
cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 )

## Setting this to not fail the workflow while deleting cache keys.
## Setting this to not fail the workflow while deleting cache keys.
set +e
echo "Deleting caches..."
for cacheKey in $cacheKeysForPR
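Review bot: the two `## Setting this to not fail ...` lines are identical, so this hunk is whitespace-only. One habit worth keeping in this script: `${{ github.repository }}` and `${{ github.event.pull_request.number }}` are expanded straight into shell text. Both are GitHub-controlled here (owner/repo and an integer), so there is no injection path, but passing them through `env:` and quoting `"$REPO"` / `"$BRANCH"` makes the script safe for any future expression that carries user-controlled text such as a branch name or PR title.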
69 changes: 39 additions & 30 deletions .github/workflows/documentation-pr.yml
@@ -3,24 +3,32 @@ name: PR Documentation and Storybook
on:
pull_request:
branches:
- dev
- master
pull_request_target:
branches:
- dev

concurrency:
# New commit on branch cancels running workflows of the same branch
group: ${{ github.workflow }}-${{ github.head_ref }}
cancel-in-progress: true

jobs:
authorize:
name: Authorize external pull request
uses: ./.github/workflows/authorize-external-pr.yml

scope:
needs: [ authorize ]
uses: ./.github/workflows/change-detection.yml
with:
as-enumeration: true
ref: refs/pull/${{github.event.pull_request.number}}/merge
Collaborator (Author):
@Yeti-or

Here the ref is set manually; previously it was computed automatically.

But now, because of how pull_request_target works, we have to specify ourselves what to check out.

secrets: inherit

build:
name: Build
needs: scope
needs: [ authorize, scope ]
if: ${{ needs.scope.outputs.HAS_DOCUMENTATION_CHANGED == 'true' }}
runs-on: ubuntu-latest
env:
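Review bot: `scope` checks out `refs/pull/<n>/merge` under `pull_request_target` and `build` then runs the PR's npm scripts with `secrets.GH_TOKEN` and `secrets.AWS_S3_BUCKET_2` in reach, so the `authorize` reusable workflow is the only control between fork-supplied code and repository secrets. `needs: [ authorize, scope ]` on `build` is correct; please add a comment on the `authorize:` job saying what `authorize-external-pr.yml` checks and that downstream jobs must not add `always()` or another status-function `if:` that would run them when `authorize` does not succeed.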
@@ -30,11 +38,12 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
show-progress: false

show-progress: false
ref: refs/pull/${{github.event.pull_request.number}}/merge

- name: Prepare environment
uses: ./.github/actions/prepare-environment

- name: Computed scope
id: scope
uses: actions/github-script@v6
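Review bot: this checkout of `refs/pull/<n>/merge` is the same pattern Semgrep flags on the performance workflow and applies equally here: everything after it in the `build` job runs the PR's tree. Since no step in this job pushes, add `persist-credentials: false` to the `with:` block so the checked-out repository does not carry the job token in `.git/config` while PR-controlled scripts run.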
@@ -46,19 +55,19 @@ jobs:
const { ENUMERATION } = process.env;

const enumeration = JSON.parse(JSON.parse(ENUMERATION));

if (!enumeration.includes('plasma-core')) {
enumeration.push('plasma-core');
}

if (!enumeration.includes('plasma-hope')) {
enumeration.push('plasma-hope');
}

if (!enumeration.includes('plasma-new-hope')) {
enumeration.push('plasma-new-hope');
}

if (!enumeration.includes('plasma-tokens-utils')) {
enumeration.push('plasma-tokens-utils');
}
@@ -87,81 +96,81 @@ jobs:
enumeration.push('plasma-web');
}

return enumeration.join(',');

return enumeration.join(',');
- name: Lerna bootstrap
run: npx lerna bootstrap --scope=@salutejs/{${{steps.scope.outputs.result}}}

- name: Prepare directory
run: mkdir -p s3_build/${PR_NAME}

# TODO: https://github.com/salute-developers/plasma/issues/603
- name: Plasma Website
run: |
export NODE_OPTIONS=--openssl-legacy-provider
npm run build --prefix="./website/plasma-website"
cp -R ./website/plasma-website/build/. ./s3_build/${PR_NAME}

- name: Plasma UI Docs
if: ${{ needs.scope.outputs.HAS_PLASMA_UI_DOCS == 'true' && needs.scope.outputs.HAS_PLASMA_UI == 'true' }}
run: |
export NODE_OPTIONS=--openssl-legacy-provider
npm run build --prefix="./website/plasma-ui-docs"
cp -R ./website/plasma-ui-docs/build ./s3_build/${PR_NAME}/ui

- name: Plasma Web Docs
if: ${{ needs.scope.outputs.HAS_PLASMA_WEB_DOCS == 'true' }}
run: |
export NODE_OPTIONS=--openssl-legacy-provider
npm run build --prefix="./website/plasma-web-docs"
cp -R ./website/plasma-web-docs/build ./s3_build/${PR_NAME}/web

- name: Plasma Web Temple
if: ${{ needs.scope.outputs.HAS_PLASMA_TEMPLE_DOCS == 'true' && needs.scope.outputs.HAS_PLASMA_TEMPLE == 'true' }}
run: |
export NODE_OPTIONS=--openssl-legacy-provider
npm run build --prefix="./website/plasma-temple-docs"
cp -R ./website/plasma-temple-docs/build ./s3_build/${PR_NAME}/temple

- name: Plasma UI Storybook
if: ${{ needs.scope.outputs.HAS_PLASMA_UI == 'true' }}
run: |
npm run storybook:build --prefix="./packages/plasma-ui"
cp -R ./packages/plasma-ui/build-sb ./s3_build/${PR_NAME}/ui-storybook

- name: Plasma Web Storybook
if: ${{ needs.scope.outputs.HAS_PLASMA_WEB == 'true' }}
run: |
npm run storybook:build --prefix="./packages/plasma-web"
cp -R ./packages/plasma-web/build-sb ./s3_build/${PR_NAME}/web-storybook

- name: Plasma B2C Storybook
if: ${{ needs.scope.outputs.HAS_PLASMA_B2C == 'true' }}
run: |
npm run storybook:build --prefix="./packages/plasma-b2c"
cp -R ./packages/plasma-b2c/build-sb ./s3_build/${PR_NAME}/b2c-storybook

- name: Plasma Temple Storybook
if: ${{ needs.scope.outputs.HAS_PLASMA_TEMPLE == 'true' }}
run: |
npm run storybook:build --prefix="./packages/plasma-temple"
cp -R ./packages/plasma-temple/build-sb ./s3_build/${PR_NAME}/temple-storybook

- name: Plasma "New Hope" Storybook
if: ${{ needs.scope.outputs.HAS_PLASMA_HOPE == 'true' }}
run: |
npm run storybook:build --prefix="./packages/plasma-new-hope"
cp -R ./packages/plasma-new-hope/build-sb ./s3_build/${PR_NAME}/new-hope-storybook

- name: Plasma "ASDK" Storybook
if: ${{ needs.scope.outputs.HAS_PLASMA_ASDK == 'true' }}
run: |
npm run storybook:build --prefix="./packages/plasma-asdk"
cp -R ./packages/plasma-asdk/build-sb ./s3_build/${PR_NAME}/asdk-storybook

- name: Install s3cmd
run: pip3 install s3cmd

- name: s3 Upload builds
run: >
s3cmd
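Review bot: the only visible change in this hunk is whitespace (`return enumeration.join(',')` is removed and re-added unchanged), but it is where the risk concentrates: every `npm run build`, `lerna bootstrap` and `storybook:build` step executes scripts from the PR tree, and the same job then installs `s3cmd` and syncs to `secrets.AWS_S3_BUCKET_2`. Consider splitting the upload into a second job that receives `s3_build/` as an artifact and never checks out PR code, so the S3 credentials are not present in the job that runs untrusted build scripts.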
@@ -176,7 +185,7 @@ jobs:
sync
./s3_build/${PR_NAME}/
s3://${{ secrets.AWS_S3_BUCKET_2 }}/pr/${PR_NAME}/

- name: Post success comment
uses: actions/github-script@v6
env:
@@ -190,10 +199,10 @@ jobs:
github-token: ${{secrets.GH_TOKEN}}
script: |
const { HAS_PLASMA_B2C, HAS_PLASMA_WEB, HAS_PLASMA_UI, HAS_PLASMA_TEMPLE, HAS_PLASMA_HOPE, HAS_PLASMA_ASDK } = process.env;
const {
issue: { number },
repo: { owner, repo }

const {
issue: { number },
repo: { owner, repo }
} = context;

const links = [
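Review bot: whitespace-only in the visible lines (the destructuring of `context` is removed and re-added unchanged); note that this step authenticates with `secrets.GH_TOKEN`, a repository secret rather than the built-in `GITHUB_TOKEN`, so it is among the credentials the `authorize` gate protects. If that token has scopes beyond writing issue comments, narrowing it limits the impact of any future gate bypass.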
@@ -223,7 +232,7 @@ jobs:
if (HAS_PLASMA_ASDK === 'true') {
links.push(`asdk storybook: http://plasma.sberdevices.ru/pr/pr-${number}/asdk-storybook/`)
}

github.rest.issues.createComment({
issue_number: number,
owner,
24 changes: 18 additions & 6 deletions .github/workflows/performance-test-pr.yml
@@ -4,31 +4,42 @@ name: Component Performance Testing

on:
pull_request:
branches:
- master
- dev
branches:
- master
pull_request_target:
branches:
- dev

concurrency:
# New commit on branch cancels running workflows of the same branch
group: ${{ github.workflow }}-${{ github.head_ref }}
cancel-in-progress: true

jobs:
authorize:
name: Authorize external pull request
uses: ./.github/workflows/authorize-external-pr.yml

scope:
needs: [authorize]
uses: ./.github/workflows/change-detection.yml
with:
exclude-dependents: true
ref: refs/pull/${{github.event.pull_request.number}}/merge
secrets: inherit

perftest:
needs: scope
needs: [authorize, scope]
if: ${{ needs.scope.outputs.HAS_SCOPE == 'true' }}
runs-on: ubuntu-latest
env:
NPM_REGISTRY_TOKEN: ${{ secrets.NPM_REGISTRY_TOKEN }}
PR_NAME: pr-${{ github.event.number }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
show-progress: false
ref: refs/pull/${{github.event.pull_request.number}}/merge
Code scanning / Semgrep (check warning on lines +39 to +42):

Semgrep Finding: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout

This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.

- name: Install s3cmd
run: pip3 install s3cmd
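Review bot: the Semgrep finding above is accurate for this hunk: under `pull_request_target` the checkout of `refs/pull/<n>/merge` is followed by perf tooling that runs the PR's code with `NPM_REGISTRY_TOKEN` in `env` and `AWS_S3_BUCKET_2` reachable later in the job. `needs: [authorize, scope]` is the compensating control; rather than dismissing the alert, put a comment on this checkout step naming the gate and what `authorize-external-pr.yml` verifies, so the accepted exception is auditable in the file itself, and keep the job's `if:` free of `always()`.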
@@ -106,8 +117,9 @@ jobs:
./.perftool/cache/
s3://${{ secrets.AWS_S3_BUCKET_2 }}/perftool-cache/

- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
show-progress: false
ref: ${{ github.event.pull_request.base.ref }}
clean: false
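Review bot: the second checkout switches the working tree to `github.event.pull_request.base.ref` with `clean: false`, so untracked output from the PR's build (the `.perftool/cache/` just synced, `node_modules`, build directories) survives into the base-branch run. That is presumably intended for the perftool cache, but it also means base-branch steps may execute from `node_modules` populated by the PR; checking the base ref out into a separate `path:` and pointing only the cache at the shared directory would isolate the two.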

9 changes: 9 additions & 0 deletions .github/workflows/publish-canary.yml
@@ -4,6 +4,8 @@ on:
pull_request:
branches:
- master
pull_request_target:
branches:
- dev

concurrency:
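Review bot: keeping `pull_request` for `master` while adding `pull_request_target` only for `dev` means a fork PR against `master` still runs without secrets and will fail once it reaches `npm_registry_token`, while a fork PR against `dev` publishes a canary with a live token. If that asymmetry is deliberate (no canaries for master PRs), a comment under `on:` saying so would stop someone "fixing" it by adding `master` under `pull_request_target`.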
@@ -12,9 +14,16 @@ concurrency:
cancel-in-progress: true

jobs:
authorize:
name: Authorize external pull request
uses: ./.github/workflows/authorize-external-pr.yml

publish:
name: Publish canary version
needs: [ authorize ]
uses: ./.github/workflows/publish-common.yml
with:
ref: refs/pull/${{github.event.pull_request.number}}/merge
secrets:
gh_token: ${{ secrets.GH_TOKEN }}
npm_registry_token: ${{ secrets.NPM_REGISTRY_TOKEN }}
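Review bot: `publish-common.yml` now receives `ref: refs/pull/<n>/merge` together with `npm_registry_token`, so it will build the PR's tree and publish it with a live registry token; of the six workflows in this PR this is the one where a gate failure has external consequences, because a published canary is consumed downstream. `needs: [ authorize ]` is the right shape; add a comment here stating that `authorize-external-pr.yml` must not succeed for unauthorized PRs, and confirm the reusable workflow has no second default checkout that would ignore the passed `ref`.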