This is an automated email from the ASF dual-hosted git repository.

kirs pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 864f359e33d [Fix](GA)Add sha check for auto-pick-script (#42500)
864f359e33d is described below

commit 864f359e33d0e82e041a86fe11f28cf1b4027620
Author: Calvin Kirs <[email protected]>
AuthorDate: Fri Oct 25 19:45:29 2024 +0800

    [Fix](GA)Add sha check for auto-pick-script (#42500)
    
    ## Proposed changes
    
    - Use pull_request_target to prevent unauthorized execution.
    - Add SHA checks to ensure that the file has not been tampered with,
    thus addressing security concerns.
---
 .github/workflows/auto-cherry-pick.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/auto-cherry-pick.yml 
b/.github/workflows/auto-cherry-pick.yml
index 08ff3c7a0bb..4ee2614f0c9 100644
--- a/.github/workflows/auto-cherry-pick.yml
+++ b/.github/workflows/auto-cherry-pick.yml
@@ -18,7 +18,7 @@
 name: Auto Cherry-Pick to Branch
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
     branches:
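Review bot: Switching the trigger to `pull_request_target` on this line means the job runs with the base repository's token and secrets even for pull requests opened from forks, and nothing in the file records the constraint that keeps that safe. A comment above the trigger, such as `# pull_request_target: runs with the base-repo token; never check out or execute PR head code in this workflow`, would stop a later edit from adding a head-ref checkout. The trigger also fires on `closed` for pull requests that were closed without merging. The job-level condition is outside this hunk, so confirm it gates on `github.event.pull_request.merged == true`.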
@@ -27,7 +27,6 @@ permissions:
   checks: write
   contents: write
   pull-requests: write
-  repository-projects: write
 jobs:
   auto_cherry_pick:
     runs-on: ubuntu-latest
@@ -44,7 +43,16 @@ jobs:
       - name: Install dependencies
         run: |
           pip install PyGithub
-
+      - name: Check SHA
+        run: |
+            
expected_sha="1941de05514e15c216067778e0287b4c3ebcd6f6042ee189a12257bfd0cdd9f764e18c7dae5de868e9b7128ce3be98dc8f78252932cee7d55552fc0cf8b69496"
+            calculated_sha=$(sha512sum tools/auto-pick-script.py | awk '{ 
print $1 }')
+            if [ "$calculated_sha" != "$expected_sha" ]; then
+              echo "SHA mismatch! Expected: $expected_sha, but got: 
$calculated_sha"
+              exit 1
+            else
+              echo "SHA matches: $calculated_sha"
+            fi
       - name: Auto cherry-pick
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
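Review bot: The integrity check added here covers only `tools/auto-pick-script.py`, while the `pip install PyGithub` step just above it stays unpinned, so third-party code resolved at run time still executes in a job that holds `contents: write` and `pull-requests: write`. Pinning the dependency, for example `pip install PyGithub==<PINNED_VERSION>` or a requirements file installed with `--require-hashes`, would bring it under the same guarantee. The expected digest also lives in the same repository as the script, so it catches a checked-out copy that differs from the reviewed one but not a change that updates both together. A comment such as `# update expected_sha whenever tools/auto-pick-script.py changes` would make that maintenance step explicit. The checkout step is outside this hunk, so which ref the script is read from cannot be confirmed here.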

