This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 72b909b5e8 [enhancement](workflow) Enable the shellcheck workflow to comment the PRs (#12633)
72b909b5e8 is described below
commit 72b909b5e8ea56c315b960f81ce86d4d8a9a61fe
Author: Adonis Ling <[email protected]>
AuthorDate: Tue Sep 27 09:08:12 2022 +0800
[enhancement](workflow) Enable the shellcheck workflow to comment the PRs (#12633)
> Due to the dangers inherent to automatic processing of PRs, GitHub's
> standard pull_request workflow trigger by default prevents write
> permissions and secrets access to the target repository. However, in
> some scenarios such access is needed to properly process the PR. To this
> end the pull_request_target workflow trigger was introduced.

According to the article [Keeping your GitHub Actions and workflows
secure](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/),
the trigger condition in `shellcheck.yml`, which is `pull_request`, can't
comment on the PR due to the workflow's lack of write permissions.

Although the `ShellCheck` workflow checks out the source, it doesn't build
or test the source code. I think it is safe to change the trigger condition
from `pull_request` to `pull_request_target`, which gives the workflow write
permissions to comment on the PR.
---
.github/actions/patches/action-sh-checker.patch | 13 +++++++++++++
.github/workflows/shellcheck.yml | 16 +++++++++++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/.github/actions/patches/action-sh-checker.patch
b/.github/actions/patches/action-sh-checker.patch
new file mode 100644
index 0000000000..ba6c8d1b90
--- /dev/null
+++ b/.github/actions/patches/action-sh-checker.patch
@@ -0,0 +1,13 @@
+diff --git a/entrypoint.sh b/entrypoint.sh
+index d3399e3..5c8ee7b 100755
+--- a/entrypoint.sh
++++ b/entrypoint.sh
+@@ -202,7 +202,7 @@ if ((CHECKBASHISMS_ENABLE == 1)); then
+ fi
+
+ if ((shellcheck_code != 0 || shfmt_code != 0)); then
+- if [ "$GITHUB_EVENT_NAME" == "pull_request" ] && ((SH_CHECKER_COMMENT
== 1)); then
++ if [[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" ==
"pull_request_target" ]] && ((SH_CHECKER_COMMENT == 1)); then
+ _comment_on_github "$shellcheck_error" "$shfmt_error"
+ fi
+ fi
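Review bot: this patch is applied at run time with `git apply` against a pinned upstream `entrypoint.sh` (index d3399e3..5c8ee7b), so the next submodule bump of action-sh-checker that touches the lines around 202 will make the `Patch` step fail before any linting happens. Consider carrying the change upstream (the new `[[ ... || ... ]] && ((SH_CHECKER_COMMENT == 1))` condition is small) or adding a header comment in the patch file stating why it exists and which upstream revision it targets, so whoever updates the submodule knows to re-check it.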
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 38925140d4..840ebfe198 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -17,7 +17,7 @@
name: ShellCheck
-on: [push, pull_request]
+on: [push, pull_request_target]
jobs:
shellcheck:
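Review bot: switching the trigger to `pull_request_target` gives every job in this workflow a write-scoped GITHUB_TOKEN and access to repository secrets, which is more than posting a PR comment needs. Add an explicit `permissions:` block at the workflow level, e.g. `permissions: { contents: read, pull-requests: write }`, so the token can still comment on the PR but cannot push to the repository or touch other resources if the lint step is ever compromised.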
@@ -25,10 +25,24 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout ${{ github.ref }} ( ${{ github.sha }} )
+ if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v3
with:
submodules: recursive
+ - name: Checkout ${{ github.ref }} ( ${{
github.event.pull_request.head.sha }} )
+ if: ${{ github.event_name == 'pull_request_target' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ submodules: recursive
+
+ - name: Patch
+ run: |
+ pushd .github/actions/action-sh-checker >/dev/null
+ git apply ../patches/action-sh-checker.patch
+ popd >/dev/null
+
- name: Run ShellCheck
uses: ./.github/actions/action-sh-checker
env:
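Review bot: the `pull_request_target` branch of this hunk checks out `github.event.pull_request.head.sha` with `submodules: recursive` and then runs `git apply ../patches/action-sh-checker.patch` and `uses: ./.github/actions/action-sh-checker` from that same checkout, so the action code and the patch that execute under the elevated token and secrets come from the PR head rather than from the base branch. That is the pattern the article linked in the commit message warns about; the argument that not building or testing the source makes this safe does not cover the action directory, which is executed. Suggest checking out the trusted ref (`github.sha`, the default for this trigger) for the action and the patch, checking the PR head out into a separate `path:` so only the scripts being linted come from it, or keeping `pull_request` for the lint job and posting the comment from a separate `workflow_run` workflow.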
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]