This is an automated email from the ASF dual-hosted git repository.
diwu pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.0 by this push:
new 357e5ef5f0c [2.0-pick-26525](workflow) Fix security issues with
pull_request_target #26525 (#29289)
357e5ef5f0c is described below
commit 357e5ef5f0cbaa6c11311380c0d84eac5001602c
Author: Calvin Kirs <[email protected]>
AuthorDate: Wed Jan 3 10:42:37 2024 +0800
[2.0-pick-26525](workflow) Fix security issues with pull_request_target
#26525 (#29289)
* [2.0-pick-26525](workflow) Fix security issues with pull_request_target
#26525
* delete action-sh-checker.patch
---
.github/actions/action-sh-checker | 1 -
.github/actions/clang-format-lint-action | 1 -
.github/actions/clang-tidy-review | 1 -
.github/actions/patches/action-sh-checker.patch | 13 ----
.github/workflows/clang-format.yml | 25 ++++++-
.github/workflows/code-checks.yml | 98 ++++++++++++++++++-------
.gitmodules | 9 ---
7 files changed, 97 insertions(+), 51 deletions(-)
diff --git a/.github/actions/action-sh-checker
b/.github/actions/action-sh-checker
deleted file mode 160000
index 76ab0b22e1f..00000000000
--- a/.github/actions/action-sh-checker
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 76ab0b22e1f194e4a582edc7969df6485c4e9246
diff --git a/.github/actions/clang-format-lint-action
b/.github/actions/clang-format-lint-action
deleted file mode 160000
index 6adbe14579e..00000000000
--- a/.github/actions/clang-format-lint-action
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 6adbe14579e5b8e19eb3e31e5ff2479f3bd302c7
diff --git a/.github/actions/clang-tidy-review
b/.github/actions/clang-tidy-review
deleted file mode 160000
index 2c55ef8cfc9..00000000000
--- a/.github/actions/clang-tidy-review
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 2c55ef8cfc9acb3715d433e58aea086dcec9b206
diff --git a/.github/actions/patches/action-sh-checker.patch
b/.github/actions/patches/action-sh-checker.patch
deleted file mode 100644
index ba6c8d1b902..00000000000
--- a/.github/actions/patches/action-sh-checker.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/entrypoint.sh b/entrypoint.sh
-index d3399e3..5c8ee7b 100755
---- a/entrypoint.sh
-+++ b/entrypoint.sh
-@@ -202,7 +202,7 @@ if ((CHECKBASHISMS_ENABLE == 1)); then
- fi
-
- if ((shellcheck_code != 0 || shfmt_code != 0)); then
-- if [ "$GITHUB_EVENT_NAME" == "pull_request" ] && ((SH_CHECKER_COMMENT
== 1)); then
-+ if [[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" ==
"pull_request_target" ]] && ((SH_CHECKER_COMMENT == 1)); then
- _comment_on_github "$shellcheck_error" "$shfmt_error"
- fi
- fi
diff --git a/.github/workflows/clang-format.yml
b/.github/workflows/clang-format.yml
index d676f171ca8..0ef9adc7db0 100644
--- a/.github/workflows/clang-format.yml
+++ b/.github/workflows/clang-format.yml
@@ -30,7 +30,21 @@ jobs:
uses: actions/checkout@v3
with:
persist-credentials: false
- submodules: recursive
+
+ - name: Checkout ${{ github.ref }} ( ${{
github.event.pull_request.head.sha }} )
+ if: ${{ github.event_name == 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Checkout paths-filter
+ run: |
+ rm -rf ./.github/actions/paths-filter
+ git clone https://github.com/dorny/paths-filter
.github/actions/paths-filter
+
+ pushd .github/actions/paths-filter &>/dev/null
+ git checkout 4512585405083f25c027a35db413c2b3b9006d50
+ popd &>/dev/null
- name: Paths filter
uses: ./.github/actions/paths-filter
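Review bot: The new pull_request_target checkout step (`- name: Checkout ${{ github.ref }} ( ${{ github.event.pull_request.head.sha }} )`) passes only `ref:` under `with:`, while the checkout just above it sets `persist-credentials: false`; with actions/checkout's default the job token is written into the checked-out PR head's `.git/config`, where later steps that process untrusted PR files can reach it. Add `persist-credentials: false` next to `ref: ${{ github.event.pull_request.head.sha }}`. The same omission is in the new `clang-tidy` job checkout in code-checks.yml (hunk `@@ -73,28 +85,64 @@`). The first checkout step's opening line and any `if:` on it are above this hunk, so whether it is gated on the event name is not visible here.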
@@ -41,6 +55,15 @@ jobs:
- 'be/src/**'
- 'be/test/**'
+ - name: Checkout clang-format-lint-action
+ run: |
+ rm -rf ./.github/actions/clang-format-lint-action
+ git clone https://github.com/DoozyX/clang-format-lint-action
.github/actions/clang-format-lint-action
+
+ pushd .github/actions/clang-format-lint-action &>/dev/null
+ git checkout 6adbe14579e5b8e19eb3e31e5ff2479f3bd302c7
+ popd &>/dev/null
+
- name: "Format it!"
if: ${{ steps.filter.outputs.be_changes == 'true' }}
uses: ./.github/actions/clang-format-lint-action
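Review bot: The `Checkout clang-format-lint-action` step clones on every run, while the `Format it!` step that consumes it is gated on `steps.filter.outputs.be_changes == 'true'`; gating the clone the same way, `if: ${{ steps.filter.outputs.be_changes == 'true' }}`, avoids a network fetch the job will not use. The full-SHA `git checkout` after the clone is what keeps the action code independent of the PR head; a one-line comment above the `run: |`, such as `# re-clone and pin: action code must never come from the PR head checkout`, would help the next editor keep the pin when bumping it.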
diff --git a/.github/workflows/code-checks.yml
b/.github/workflows/code-checks.yml
index 8119f152535..9e314bfb6df 100644
--- a/.github/workflows/code-checks.yml
+++ b/.github/workflows/code-checks.yml
@@ -27,21 +27,22 @@ jobs:
- name: Checkout ${{ github.ref }} ( ${{ github.sha }} )
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v3
- with:
- submodules: recursive
- name: Checkout ${{ github.ref }} ( ${{
github.event.pull_request.head.sha }} )
if: ${{ github.event_name == 'pull_request_target' }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- submodules: recursive
- - name: Patch
+ - name: Checkout action-sh-checker
run: |
- pushd .github/actions/action-sh-checker >/dev/null
- git apply ../patches/action-sh-checker.patch
- popd >/dev/null
+ rm -rf ./.github/actions/action-sh-checker
+ git clone https://github.com/luizm/action-sh-checker
.github/actions/action-sh-checker
+
+ pushd .github/actions/action-sh-checker &>/dev/null
+ git checkout 76ab0b22e1f194e4a582edc7969df6485c4e9246
+ sed -i 's/\[ "$GITHUB_EVENT_NAME" == "pull_request" \]/\[\[
"$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" ==
"pull_request_target" \]\]/' entrypoint.sh
+ popd &>/dev/null
- name: Run ShellCheck
uses: ./.github/actions/action-sh-checker
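Review bot: The `sed -i` that rewrites entrypoint.sh in the new `Checkout action-sh-checker` step succeeds even when its pattern does not match, unlike the `git apply` it replaces, so a later bump of the pinned commit would quietly stop PR commenting instead of failing the job. Follow the sed with a check such as `grep -q '"pull_request_target"' entrypoint.sh || { echo 'entrypoint.sh patch did not apply' >&2; exit 1; }`. The `steps:` list this step belongs to begins above the hunk.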
@@ -51,16 +52,27 @@ jobs:
sh_checker_comment: true
sh_checker_exclude: .git .github ^docker ^thirdparty/src
^thirdparty/installed ^ui ^docs/node_modules ^tools/clickbench-tools ^extension
^output ^fs_brokers/apache_hdfs_broker/output (^|.*/)Dockerfile$
^be/src/apache-orc ^be/src/clucene ^pytest
- clang-tidy:
- name: "Clang Tidy"
+ preparation:
+ name: "Clang Tidy Preparation"
if: ${{ github.event_name == 'pull_request_target' }}
runs-on: ubuntu-22.04
+ permissions: read-all
+ outputs:
+ should_check: ${{ steps.generate.outputs.should_check }}
steps:
- name: Checkout ${{ github.ref }} ( ${{
github.event.pull_request.head.sha }} )
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- submodules: recursive
+
+ - name: Checkout paths-filter
+ run: |
+ rm -rf ./.github/actions/paths-filter
+ git clone https://github.com/dorny/paths-filter
.github/actions/paths-filter
+
+ pushd .github/actions/paths-filter &>/dev/null
+ git checkout 4512585405083f25c027a35db413c2b3b9006d50
+ popd &>/dev/null
- name: Paths Filter
uses: ./.github/actions/paths-filter
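Review bot: The new `preparation` job runs under pull_request_target, checks out `github.event.pull_request.head.sha`, and its later steps (next hunk) run `./build.sh --be` from that checkout; `permissions: read-all` restricts GITHUB_TOKEN, but nothing in the YAML records that the job must therefore not reference `secrets.*`. A comment above `permissions: read-all`, e.g. `# builds untrusted PR code: keep the token read-only and do not use secrets in this job`, would make the invariant visible to later editors. `outputs.should_check` refers to `steps.generate`, which is defined in the next hunk.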
@@ -73,28 +85,64 @@ jobs:
- 'gensrc/thrift/**'
- name: Generate compile_commands.json
- if: ${{ steps.filter.outputs.be_changes == 'true' }}
+ id: generate
run: |
- export DEFAULT_DIR='/opt/doris'
+ if [[ "${{ steps.filter.outputs.be_changes }}" == 'true' ]]; then
+ export DEFAULT_DIR='/opt/doris'
- mkdir "${DEFAULT_DIR}"
- wget
https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh
\
- -q -O /tmp/ldb_toolchain_gen.sh
- bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
+ mkdir "${DEFAULT_DIR}"
+ wget
https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh
\
+ -q -O /tmp/ldb_toolchain_gen.sh
+ bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
- sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
+ sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
- pushd thirdparty
- curl -L
https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz
\
- -o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
- tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
- popd
+ pushd thirdparty
+ curl -L
https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz
\
+ -o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
+ tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
+ popd
- export
PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
- DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang OUTPUT_BE_BINARY=0
./build.sh --be
+ export
PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
+ DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang ENABLE_PCH=OFF
OUTPUT_BE_BINARY=0 ./build.sh --be
+ fi
- - name: Run clang-tidy review
+ echo "should_check=${{ steps.filter.outputs.be_changes }}"
>>${GITHUB_OUTPUT}
+
+ - name: Upload
+ uses: actions/upload-artifact@v3
if: ${{ steps.filter.outputs.be_changes == 'true' }}
+ with:
+ name: compile_commands
+ path: ./be/build_Release/compile_commands.json
+
+ clang-tidy:
+ name: "Clang Tidy"
+ needs: preparation
+ if: ${{ needs.preparation.outputs.should_check == 'true' }}
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout ${{ github.ref }} ( ${{
github.event.pull_request.head.sha }} )
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Download
+ uses: actions/download-artifact@v3
+ with:
+ name: compile_commands
+ path: ./be/build_Release
+
+ - name: Checkout clang-tidy review
+ run: |
+ rm -rf ./.github/actions/clang-tidy-review
+ git clone https://github.com/ZedThree/clang-tidy-review
.github/actions/clang-tidy-review
+
+ pushd .github/actions/clang-tidy-review &>/dev/null
+ git checkout 2c55ef8cfc9acb3715d433e58aea086dcec9b206
+ popd &>/dev/null
+
+ - name: Run clang-tidy review
uses: ./.github/actions/clang-tidy-review
id: review
with:
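Review bot: The new `clang-tidy` job has no `permissions:` block, so its GITHUB_TOKEN receives the repository default, whereas the `preparation` job it depends on is restricted to `permissions: read-all`; since this job also checks out and processes the PR head under pull_request_target, state the grant explicitly under `runs-on: ubuntu-22.04`, e.g. `permissions: { contents: read, pull-requests: write }` if the review step posts a PR review, or `permissions: read-all` if it does not. The review step's inputs continue below the hunk, so which of the two it needs is not visible here.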
diff --git a/.gitmodules b/.gitmodules
index 729354ec9c7..fe2ecf0dc5e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,9 +4,6 @@
[submodule ".github/actions/get-workflow-origin"]
path = .github/actions/get-workflow-origin
url = https://github.com/potiuk/get-workflow-origin.git
-[submodule ".github/actions/clang-format-lint-action"]
- path = .github/actions/clang-format-lint-action
- url = https://github.com/DoozyX/clang-format-lint-action.git
[submodule ".github/actions/setup-maven"]
path = .github/actions/setup-maven
url = https://github.com/stCarolas/setup-maven.git
@@ -19,12 +16,6 @@
[submodule ".github/actions/ccache-action"]
path = .github/actions/ccache-action
url = https://github.com/hendrikmuhs/ccache-action
-[submodule ".github/actions/action-sh-checker"]
- path = .github/actions/action-sh-checker
- url = https://github.com/luizm/action-sh-checker
-[submodule ".github/actions/clang-tidy-review"]
- path = .github/actions/clang-tidy-review
- url = https://github.com/ZedThree/clang-tidy-review.git
[submodule "be/src/apache-orc"]
path = be/src/apache-orc
url = https://github.com/apache/doris-thirdparty.git