From 0578b7f64a9b188d0810d54f60ef789c9c9429f6 Mon Sep 17 00:00:00 2001
From: Shunsuke Suzuki
Date: Sat, 11 Nov 2023 14:42:49 +0900
Subject: [PATCH] ci: use pull_request_target
- https://zenn.dev/shunsuke_suzuki/articles/secure-github-actions-by-pull-request-target
- https://dev.to/suzukishunsuke/secure-github-actions-by-pullrequesttarget-641
---
.github/workflows/actionlint.yaml | 10 +++++-----
.github/workflows/test.yaml | 20 ++++++++++++++++++-
.github/workflows/wc-conftest-verify.yaml | 8 ++++++++
.github/workflows/wc-hide-comment.yaml | 8 ++++++++
.github/workflows/wc-opa-fmt.yaml | 6 ++++++
.../wc-renovate-config-validator.yaml | 11 ++++++++--
.github/workflows/wc-test.yaml | 12 +++++++++++
.../workflows/wc-update-aqua-checksums.yaml | 5 +++++
8 files changed, 72 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index c6a22e973..82aa20883 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -13,8 +13,8 @@ jobs:
pull-requests: write
contents: read
steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: aquaproj/aqua-installer@d9c4b5d107a17831a8c8718efa4ce67a0923d1f5 # v2.1.3
- with:
aqua_version: v2.16.4
- - uses: suzuki-shunsuke/github-action-actionlint@60449a33b52da4f92a069b8af50d04515d6177bf # v0.1.3
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: aquaproj/aqua-installer@d9c4b5d107a17831a8c8718efa4ce67a0923d1f5 # v2.1.3
+ with:
aqua_version: v2.16.4
+ - uses: suzuki-shunsuke/github-action-actionlint@60449a33b52da4f92a069b8af50d04515d6177bf # v0.1.3
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 854b484d1..6a2cfb063 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,6 +1,6 @@
---
name: test
-on: pull_request
+on: pull_request_target
concurrency:
group: ${{ github.workflow }}--${{ github.ref }}
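Review bot: With `on: pull_request_target`, `github.ref` in the concurrency group `${{ github.workflow }}--${{ github.ref }}` resolves to the base branch rather than the PR's merge ref, so every open PR against the same branch now shares one group and, if `cancel-in-progress` is enabled below this hunk, a run for one PR cancels the run of another. Keying the group on the PR restores the previous per-PR behaviour, e.g. `group: ${{ github.workflow }}--${{ github.event.pull_request.number }}`. The trust gate that makes this trigger safe is not visible in this hunk; a short comment next to the trigger would help the next maintainer, e.g. `# pull_request_target: jobs run with secrets; PR code is checked out via path-filter's merge_commit_sha`.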
@@ -10,6 +10,8 @@ jobs:
path-filter: # Get changed files to filter jobs
outputs:
+ merge_commit_sha: ${{steps.pr.outputs.merge_commit_sha}}
+ update-aqua-checksums: ${{steps.changes.outputs.update-aqua-checksums}}
renovate-config-validator: ${{steps.changes.outputs.renovate-config-validator}}
conftest-verify: ${{steps.changes.outputs.conftest-verify}}
@@ -18,6 +20,8 @@ jobs:
permissions:
pull-requests: read # To get pull requests of the private repository
steps:
+ - uses: suzuki-shunsuke/get-pr-action@b002e41164d7a39586b41f17f9caca4e98a1efe4 # v0.1.0
+ id: pr
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: changes
with:
@@ -74,10 +78,13 @@ jobs:
test:
uses: ./.github/workflows/wc-test.yaml
if: 'false' # CHANGEME Please remove this.
+ needs: path-filter
permissions:
id-token: write
contents: read
pull-requests: write
+ with:
+ ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
@@ -92,6 +99,8 @@ jobs:
permissions:
contents: read
pull-requests: write
+ with:
+ ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
@@ -104,15 +113,20 @@ jobs:
permissions:
contents: read
pull-requests: write
+ with:
+ ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
hide-comment:
uses: ./.github/workflows/wc-hide-comment.yaml
+ needs: path-filter
permissions:
contents: read
pull-requests: write
+ with:
+ ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
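Review bot: path-filter now publishes `merge_commit_sha` and every dependent job checks that commit out under `pull_request_target`, where the `secrets:` passed in these hunks and a write-capable token are available; no condition in these hunks limits this to PRs from trusted authors, so unless a gate exists elsewhere in test.yaml a fork PR's code would run with them. If none exists, the cheapest place is the path-filter job itself, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository` (or a label/approval check), so dependent jobs are skipped instead of being handed an untrusted SHA. Separately, the hunks at `@@ -92,6` and `@@ -104,15` read `needs.path-filter.outputs.merge_commit_sha` without showing `needs: path-filter` on those jobs; if one lacks it the expression is empty and `actions/checkout` falls back to its default ref, the base branch for this event, so the run silently tests the wrong code. For the same reason it is worth failing path-filter when `steps.pr.outputs.merge_commit_sha` is empty, which can happen for a PR that has no merge commit yet.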
@@ -121,6 +135,8 @@ jobs:
uses: ./.github/workflows/wc-renovate-config-validator.yaml
needs: path-filter
if: needs.path-filter.outputs.renovate-config-validator == 'true'
+ with:
+ ref: ${{needs.path-filter.outputs.merge_commit_sha}}
permissions:
contents: read
@@ -130,6 +146,8 @@ jobs:
if: needs.path-filter.outputs.update-aqua-checksums == 'true'
permissions:
contents: read
+ with:
+ ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
diff --git a/.github/workflows/wc-conftest-verify.yaml b/.github/workflows/wc-conftest-verify.yaml
index 110a4f288..6e73bf3c6 100644
--- a/.github/workflows/wc-conftest-verify.yaml
+++ b/.github/workflows/wc-conftest-verify.yaml
@@ -2,6 +2,10 @@ name: conftest-verify
on:
workflow_call:
+ inputs:
+ ref:
+ required: false
+ type: string
secrets:
gh_token:
required: false
@@ -9,6 +13,8 @@ on:
required: false
gh_app_private_key:
required: false
+env:
+ GH_COMMENT_SHA1: ${{inputs.ref}}
jobs:
conftest-verify:
runs-on: ubuntu-latest
@@ -17,6 +23,8 @@ jobs:
pull-requests: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{inputs.ref}}
- uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
id: token
with:
diff --git a/.github/workflows/wc-hide-comment.yaml b/.github/workflows/wc-hide-comment.yaml
index 61aaee681..7721da93c 100644
--- a/.github/workflows/wc-hide-comment.yaml
+++ b/.github/workflows/wc-hide-comment.yaml
@@ -2,6 +2,10 @@ name: Hide comments
on:
workflow_call:
+ inputs:
+ ref:
+ required: false
+ type: string
secrets:
gh_token:
required: false
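Review bot: The new `ref` input in wc-conftest-verify.yaml has no `description`, and because it is `required: false` nothing tells a caller what happens when it is omitted: `GH_COMMENT_SHA1: ${{inputs.ref}}` and the checkout `ref:` then receive an empty string. A description such as `description: Commit SHA to check out and to attach comments to (the PR merge commit when the caller runs on pull_request_target)` would make the contract explicit. The same applies to the identical `ref` input added in wc-hide-comment.yaml, wc-opa-fmt.yaml, wc-renovate-config-validator.yaml, wc-test.yaml and wc-update-aqua-checksums.yaml. Whether the comment tool treats an empty `GH_COMMENT_SHA1` like an unset variable is not visible here and is worth confirming before relying on the omitted-input case.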
@@ -12,11 +16,15 @@ on:
permissions:
contents: read
pull-requests: write
+env:
+ GH_COMMENT_SHA1: ${{inputs.ref}}
jobs:
hide-comment:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{inputs.ref}}
- uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
id: token
with:
diff --git a/.github/workflows/wc-opa-fmt.yaml b/.github/workflows/wc-opa-fmt.yaml
index 7033100d9..b4dfe1364 100644
--- a/.github/workflows/wc-opa-fmt.yaml
+++ b/.github/workflows/wc-opa-fmt.yaml
@@ -2,6 +2,10 @@ name: opa-fmt
on:
workflow_call:
+ inputs:
+ ref:
+ required: false
+ type: string
secrets:
gh_token:
required: false
@@ -17,6 +21,8 @@ jobs:
pull-requests: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{inputs.ref}}
- uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
id: token
with:
diff --git a/.github/workflows/wc-renovate-config-validator.yaml b/.github/workflows/wc-renovate-config-validator.yaml
index 09b417b49..8147056f4 100644
--- a/.github/workflows/wc-renovate-config-validator.yaml
+++ b/.github/workflows/wc-renovate-config-validator.yaml
@@ -1,9 +1,16 @@
---
name: renovate-config-validator
-on: workflow_call
+on:
+ workflow_call:
+ inputs:
+ ref:
+ required: false
+ type: string
jobs:
renovate-config-validator: # Validate Renovate Configuration by renovate-config-validator.
- uses: suzuki-shunsuke/renovate-config-validator-workflow/.github/workflows/validate.yaml@35f1c78014c423fd37eb792c73f11ec0898098f4 # v0.2.2
+ uses: suzuki-shunsuke/renovate-config-validator-workflow/.github/workflows/validate.yaml@4a378742d05b4e67aae34039d7c779ac913cd79d # v0.2.3
+ with:
+ ref: ${{inputs.ref}}
permissions:
contents: read
diff --git a/.github/workflows/wc-test.yaml b/.github/workflows/wc-test.yaml
index df59ce56d..b4b8ff936 100644
--- a/.github/workflows/wc-test.yaml
+++ b/.github/workflows/wc-test.yaml
@@ -2,6 +2,10 @@ name: test
on:
workflow_call:
+ inputs:
+ ref:
+ required: false
+ type: string
secrets:
gh_token:
required: false
@@ -16,6 +20,8 @@ on:
env:
TFACTION_IS_APPLY: 'false'
+ GH_COMMENT_SHA1: ${{inputs.ref}}
+ TFCMT_SHA: ${{inputs.ref}}
permissions:
id-token: write
@@ -30,6 +36,8 @@ jobs:
modules: ${{ steps.list-targets.outputs.modules }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{inputs.ref}}
- uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
id: token
with:
@@ -60,6 +68,8 @@ jobs:
target: ${{fromJSON(needs.setup.outputs.modules)}}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{inputs.ref}}
- uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
id: token
with:
@@ -95,6 +105,8 @@ jobs:
TFACTION_JOB_TYPE: ${{matrix.target.job_type}}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{inputs.ref}}
- uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
id: token
with:
diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml
index 18e449df7..14d07d926 100644
--- a/.github/workflows/wc-update-aqua-checksums.yaml
+++ b/.github/workflows/wc-update-aqua-checksums.yaml
@@ -2,6 +2,10 @@ name: update-aqua-checksums
on:
workflow_call:
+ inputs:
+ ref:
+ required: false
+ type: string
secrets:
gh_token:
required: false
@@ -18,6 +22,7 @@ jobs:
with:
aqua_version: v2.16.4
prune: true
+ ref: ${{inputs.ref}}
secrets:
gh_token: ${{secrets.gh_token}}
gh_app_id: ${{secrets.gh_app_id}}
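Review bot: wc-test.yaml now checks out a caller-supplied `ref` in all three jobs while the workflow keeps `id-token: write`, so whatever commit the caller passes is executed with the cloud credentials obtained through OIDC, and the reusable workflow itself cannot tell whether that commit was vetted; that contract belongs in the input, e.g. `description: Commit SHA to check out and run; it executes with id-token: write, so callers on pull_request_target must pass only commits from trusted PRs`. The hunk at `@@ -16,6 +20,8` derives both `GH_COMMENT_SHA1` and `TFCMT_SHA` from `inputs.ref`; a one-line comment there, `# point tfcmt/github-comment at the PR merge commit instead of github.sha, which is the base branch under pull_request_target`, records why the default SHA is not used. The `ref` forwarded in wc-update-aqua-checksums.yaml at `@@ -18,6 +22,7` goes to a reusable workflow whose `uses:` line is outside the hunk, so I cannot confirm from here that it accepts that input.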