This is an automated email from the ASF dual-hosted git repository.
adonisling pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new e9ef6c7da7 [chore](workflow) Fix security issues in Code Checks
(#24761)
e9ef6c7da7 is described below
commit e9ef6c7da71af7a73ca45e60cc9587d774629254
Author: Adonis Ling <[email protected]>
AuthorDate: Fri Sep 22 10:39:39 2023 +0800
[chore](workflow) Fix security issues in Code Checks (#24761)
The workflow `Code Checks` needs write permissions granted by the event
`pull_request_target` to comment on pull requests. However, if the workflow ran
users' code, malicious code could perform dangerous actions on our
repository.
The following changes are made in this PR:
1. Instead of applying patches, we use `sed` to modify the `entrypoint.sh`
in action-sh-checker explicitly in the workflow.
2. Revoke the write permissions when generating `compile_commands.json`
which is produced by executing the build script `build.sh`.
---
.github/actions/patches/action-sh-checker.patch | 13 ----
.github/workflows/code-checks.yml | 69 ++++++++++++++++------
...-project.properties => sonar-project.properties | 0
3 files changed, 50 insertions(+), 32 deletions(-)
diff --git a/.github/actions/patches/action-sh-checker.patch
b/.github/actions/patches/action-sh-checker.patch
deleted file mode 100644
index ba6c8d1b90..0000000000
--- a/.github/actions/patches/action-sh-checker.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/entrypoint.sh b/entrypoint.sh
-index d3399e3..5c8ee7b 100755
---- a/entrypoint.sh
-+++ b/entrypoint.sh
-@@ -202,7 +202,7 @@ if ((CHECKBASHISMS_ENABLE == 1)); then
- fi
-
- if ((shellcheck_code != 0 || shfmt_code != 0)); then
-- if [ "$GITHUB_EVENT_NAME" == "pull_request" ] && ((SH_CHECKER_COMMENT
== 1)); then
-+ if [[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" ==
"pull_request_target" ]] && ((SH_CHECKER_COMMENT == 1)); then
- _comment_on_github "$shellcheck_error" "$shfmt_error"
- fi
- fi
diff --git a/.github/workflows/code-checks.yml
b/.github/workflows/code-checks.yml
index 85dee3e63f..652aa7f81e 100644
--- a/.github/workflows/code-checks.yml
+++ b/.github/workflows/code-checks.yml
@@ -40,7 +40,7 @@ jobs:
- name: Patch
run: |
pushd .github/actions/action-sh-checker >/dev/null
- git apply ../patches/action-sh-checker.patch
+ sed -i 's/\[ "$GITHUB_EVENT_NAME" == "pull_request" \]/\[\[
"$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" ==
"pull_request_target" \]\]/' entrypoint.sh
popd >/dev/null
- name: Run ShellCheck
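Review bot: The `sed -i` in the Patch step gives no failure signal — if the submodule's entrypoint.sh wording drifts so the pattern no longer matches, sed exits 0, the file is left untouched, and the comment path for `pull_request_target` silently stops working, whereas the removed `git apply` would have failed loudly. Add a post-condition right after the sed so the step fails when the edit did not take, e.g. `grep -q 'pull_request_target' entrypoint.sh`. The job containing this step starts before the hunk, so its `permissions` and checkout settings are not visible here.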
@@ -51,10 +51,13 @@ jobs:
sh_checker_comment: true
sh_checker_exclude: .git .github ^docker ^thirdparty/src
^thirdparty/installed ^ui ^docs/node_modules ^tools/clickbench-tools ^extension
^output ^fs_brokers/apache_hdfs_broker/output (^|.*/)Dockerfile$
^be/src/apache-orc ^be/src/clucene ^pytest
- clang-tidy:
- name: "Clang Tidy"
+ preparation:
+ name: "Clang Tidy Preparation"
if: ${{ github.event_name == 'pull_request_target' }}
runs-on: ubuntu-22.04
+ permissions: read-all
+ outputs:
+ should_check: ${{ steps.generate.outputs.should_check }}
steps:
- name: Checkout ${{ github.ref }} ( ${{
github.event.pull_request.head.sha }} )
uses: actions/checkout@v3
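Review bot: `permissions: read-all` grants every read scope to a job that checks out and builds pull-request code under `pull_request_target`; from the visible steps the job only needs repository contents, so the least-privilege form is `permissions:` followed by `  contents: read`. That also documents which scope the job relies on instead of inheriting whatever read scopes exist. The checkout step's `with:` block and the remaining steps of this job lie outside the hunk, so this assumes none of them needs another read scope.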
@@ -73,28 +76,56 @@ jobs:
- 'gensrc/thrift/**'
- name: Generate compile_commands.json
- if: ${{ steps.filter.outputs.be_changes == 'true' }}
+ id: generate
run: |
- export DEFAULT_DIR='/opt/doris'
+ if [[ "${{ steps.filter.outputs.be_changes }}" == 'true' ]]; then
+ export DEFAULT_DIR='/opt/doris'
- mkdir "${DEFAULT_DIR}"
- wget
https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh
\
- -q -O /tmp/ldb_toolchain_gen.sh
- bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
+ mkdir "${DEFAULT_DIR}"
+ wget
https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh
\
+ -q -O /tmp/ldb_toolchain_gen.sh
+ bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
- sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
+ sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
- pushd thirdparty
- curl -L
https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz
\
- -o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
- tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
- popd
+ pushd thirdparty
+ curl -L
https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz
\
+ -o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
+ tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
+ popd
- export
PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
- DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang OUTPUT_BE_BINARY=0
./build.sh --be
+ export
PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
+ DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang ENABLE_PCH=OFF
OUTPUT_BE_BINARY=0 ./build.sh --be
+ fi
- - name: Run clang-tidy review
+ echo "should_check=${{ steps.filter.outputs.be_changes }}"
>>${GITHUB_OUTPUT}
+
+ - name: Upload
+ uses: actions/upload-artifact@v3
if: ${{ steps.filter.outputs.be_changes == 'true' }}
+ with:
+ name: compile_commands
+ path: ./be/build_Release/compile_commands.json
+
+ clang-tidy:
+ name: "Clang Tidy"
+ needs: preparation
+ if: ${{ needs.preparation.outputs.should_check == 'true' }}
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout ${{ github.ref }} ( ${{
github.event.pull_request.head.sha }} )
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ submodules: recursive
+
+ - name: Download
+ uses: actions/download-artifact@v3
+ with:
+ name: compile_commands
+ path: ./be/build_Release
+
+ - name: Run clang-tidy review
uses: ./.github/actions/clang-tidy-review
id: review
with:
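Review bot: The new `clang-tidy` job (lines `clang-tidy:` through `Run clang-tidy review`) has no `permissions:` block, so it inherits the workflow default while it checks out `github.event.pull_request.head.sha` with `submodules: recursive` and then runs the local action `./.github/actions/clang-tidy-review` — a local `uses: ./…` path is resolved from the checked-out workspace, which here appears to be the pull-request head, so the write-capable token of this `pull_request_target` job is exposed to PR-controlled content. Pin the job's token explicitly, e.g. `permissions:` / `  contents: read` / `  pull-requests: write` (adjust to what clang-tidy-review actually needs), and consider checking out the `.github/actions` directory from the base ref before the PR head so the action code is the repository's own. The split into a read-only `preparation` job is good, but the artifact it uploads (`compile_commands.json`) is still consumed by a job that holds write rights, so the privileged side should stay minimal. The `with:` block of the review step continues past the end of this hunk.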
@@ -103,4 +134,4 @@ jobs:
# clang-tidy review not required now
# - if: steps.review.outputs.total_comments > 0
- # run: exit 1
\ No newline at end of file
+ # run: exit 1
diff --git a/be/sonar-project.properties b/sonar-project.properties
similarity index 100%
rename from be/sonar-project.properties
rename to sonar-project.properties