[llvm] Reapply [workflows] Split pr-code-format into two parts to make it more secure (#78215) (PR #80495)
James Y Knight via llvm-commits
llvm-commits at lists.llvm.org
Tue Feb 6 13:20:24 PST 2024
================
@@ -0,0 +1,122 @@
+name: Comment on an issue
+
+on:
+ workflow_run:
+ workflows: ["Check code formatting"]
+ types:
+ - completed
+
+permissions:
+ contents: read
+
+jobs:
+ pr-comment:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ if: >
+ github.event.workflow_run.event == 'pull_request'
+ steps:
+ - name: 'Download artifact'
+ uses: actions/download-artifact at 6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+ with:
+ github-token: ${{ secrets.ISSUE_WRITE_DOWNLOAD_ARTIFACT }}
+ run-id: ${{ github.event.workflow_run.id }}
+ name: workflow-args
+
+ - name: 'Comment on PR'
+ uses: actions/github-script at v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ var fs = require('fs');
+ const comments = JSON.parse(fs.readFileSync('./comments'));
+ if (!comments) {
+ return;
+ }
+
+ let runInfo = await github.actions.getWorkflowRun({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id
+ });
+
+ console.log(runInfo);
+
+
+ // Query to find the number of the pull request that triggered this job.
+ const gql_query = `
+ query($repo_owner : String!, $repo_name : String!, $branch: String!) {
+ repository(owner: $repo_owner, name: $repo_name) {
+ ref (qualifiedName: $branch) {
+ associatedPullRequests(first: 100) {
+ nodes {
+ baseRepository {
+ owner {
+ login
+ }
+ }
+ number
+ state
+ }
+ }
+ }
+ }
+ }
+ `
+ const gql_variables = {
+ repo_owner: runInfo.data.head_repository.owner.login,
+ repo_name: runInfo.data.head_repository.name,
+ branch: runInfo.data.head_branch
+ }
+ const gql_result = await github.graphql(gql_query, gql_variables);
+ console.log(gql_result);
+ console.log(gql_result.repository.ref.associatedPullRequests.nodes);
+
+ var pr_number = 0;
+ gql_result.repository.ref.associatedPullRequests.nodes.forEach((pr) => {
+ if (pr.baseRepository.owner.login = context.repo.owner && pr.state == 'OPEN') {
+ pr_number = pr.number;
+ }
+ });
+ if (pr_number == 0) {
+ console.log("Error retrieving pull request number");
+ return;
+ }
+
+ await comments.forEach(function (comment) {
+ if (comment.id) {
+ // Security check: Ensure that this comment was created by
+ // the github-actions bot, so a malisious input won't overwrite
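Review bot: The base-repository guard at `if (pr.baseRepository.owner.login = context.repo.owner && pr.state == 'OPEN')` uses a single `=`, so it assigns the value of `pr.state == 'OPEN'` to `login` instead of comparing, and the whole condition collapses to "any open PR associated with the fork branch" — the check that the PR actually targets this repository is bypassed and `pr_number` can come from a PR opened elsewhere (e.g. against the fork itself). It should read `if (pr.baseRepository.owner.login === context.repo.owner && pr.state === 'OPEN') {`. This matters because the job runs with `pull-requests: write` on an artifact produced by an untrusted pull_request run, so that comparison is doing real security work before the comment is posted. Separately, `actions/github-script@v3` is pinned to a mutable tag while `actions/download-artifact` is pinned to a full commit SHA; pinning both the same way would close the remaining supply-chain gap. The script and its `comments.forEach` loop continue past the end of the quoted hunk.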
----------------
jyknight wrote:
Typo: malicious
https://github.com/llvm/llvm-project/pull/80495