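# This workflow is triggered by a comment on a PR with the text ".build-cli"
# (or manually via workflow_dispatch with a PR number).
#
# SECURITY: This workflow checks out and builds code from PRs. To prevent
# malicious code execution (GHSA-4h72-4h3w-4587, GHSA-mqm8-hhf6-wvjq),
# we verify the commenter has write access before proceeding.
#
# Trust model: `issue_comment` runs in the context of the base repository,
# so anything derived from the PR (its head SHA, its author, the comment
# text) is untrusted until the commenter's permission has been verified.
# The head SHA is resolved once, in the authorizing job, and handed to the
# reusable build workflow so the build is tied to that exact commit.
# NOTE(review): a push to the PR between the collaborator's comment and the
# `gh pr view` below would still be picked up; reviewers should re-check
# the PR head before approving a build.
name: Build CLI

on:  # yamllint disable-line rule:truthy
  issue_comment:
    types: [created]
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR number to comment on'
        required: true
        type: string

# permissions needed for reacting to IssueOps commands on PRs
permissions:
  pull-requests: write
  checks: read

# One run per PR; a newer ".build-cli" comment on the same PR cancels the
# build still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ (github.event.issue && github.event.issue.number) || github.event.inputs.pr_number }}
  cancel-in-progress: true

jobs:
  trigger-on-command:
    # Only PR comments (not plain issue comments) containing the command,
    # or a manual dispatch, reach the permission check.
    if: >
      github.event_name == 'workflow_dispatch' ||
      (github.event.issue.pull_request && contains(github.event.comment.body, '.build-cli'))
    name: Trigger on ".build-cli" PR comment
    runs-on: ubuntu-latest
    outputs:
      # 'true' only when security_check authorized the actor; gates build-cli.
      continue: ${{ steps.security_check.outputs.authorized }}
      pr_number: ${{ steps.command.outputs.issue_number || github.event.inputs.pr_number }}
      # NOTE(review): on workflow_dispatch the fallback is github.sha, i.e. the
      # commit of the dispatched ref, which is not necessarily the PR's head.
      head_sha: ${{ steps.set_head_sha.outputs.head_sha || github.sha }}
    steps:
      # SECURITY: Verify commenter has write access BEFORE any checkout
      # This prevents attackers from triggering builds on their own malicious PRs
      - name: Verify commenter permissions
        id: security_check
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            // workflow_dispatch requires repo write access, so it's inherently safe
            if (context.eventName === 'workflow_dispatch') {
              core.setOutput('authorized', 'true');
              console.log('✅ workflow_dispatch - authorized');
              return;
            }

            const commenter = context.payload.comment.user.login;
            console.log(`Checking permissions for: ${commenter}`);

            try {
              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                username: commenter
              });
              // NOTE(review): the legacy `permission` field reports admin/write/read/none;
              // 'maintain' is kept in the allow-list for safety but is believed to be
              // reported as 'write' here — confirm against the API before relying on it.
              const allowed = ['admin', 'maintain', 'write'].includes(permission.permission);
              console.log(`Permission level: ${permission.permission}, Authorized: ${allowed}`);

              if (!allowed) {
                // Post a comment explaining the rejection
                await github.rest.issues.createComment({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.payload.issue.number,
                  body: `⚠️ @${commenter} Only repository collaborators with write access can trigger builds.`
                });
                core.setOutput('authorized', 'false');
              } else {
                core.setOutput('authorized', 'true');
              }
            } catch (error) {
              // Fail closed: any API error (e.g. user is not a collaborator) denies the build.
              console.log(`Permission check failed: ${error.message}`);
              core.setOutput('authorized', 'false');
            }

      - name: Run command action
        if: steps.security_check.outputs.authorized == 'true'
        # TODO(review): the original ref was garbled in the page extraction;
        # pin to a full-length commit SHA with a version comment, like the
        # other actions in this file, before merging.
        uses: github/command@<PINNED_COMMIT_SHA>
        id: command
        with:
          command: ".build-cli"
          skip_reviews: true
          reaction: "eyes"
          allowed_contexts: pull_request

      # Checks out the default ref only; the PR head is built by the
      # reusable workflow from the SHA resolved below.
      - name: Checkout code
        if: steps.security_check.outputs.authorized == 'true'
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Get PR head SHA with gh
        id: set_head_sha
        if: steps.security_check.outputs.authorized == 'true'
        run: |
          echo "Get PR head SHA with gh"
          HEAD_SHA=$(gh pr view "$ISSUE_NUMBER" --json headRefOid -q .headRefOid)
          # Refuse to continue with an empty SHA rather than letting the
          # `|| github.sha` fallback silently build a different commit.
          if [ -z "$HEAD_SHA" ]; then
            echo "::error::Could not resolve head SHA for PR #$ISSUE_NUMBER"
            exit 1
          fi
          echo "head_sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
          echo "head_sha=$HEAD_SHA"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Same fallback as the pr_number output: on workflow_dispatch the
          # command step produces no issue_number, so use the dispatch input.
          ISSUE_NUMBER: ${{ steps.command.outputs.issue_number || github.event.inputs.pr_number }}

  build-cli:
    needs: [trigger-on-command]
    if: ${{ needs.trigger-on-command.outputs.continue == 'true' }}
    uses: ./.github/workflows/build-cli.yml
    with:
      ref: ${{ needs.trigger-on-command.outputs.head_sha }}

  pr-comment-cli:
    name: PR Comment with CLI builds
    runs-on: ubuntu-latest
    # Skipped automatically when build-cli is skipped (no always()).
    needs: [trigger-on-command, build-cli]
    permissions:
      pull-requests: write
    steps:
      - name: Download CLI artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          pattern: goose-*
          path: cli-dist
          merge-multiple: true

      - name: Comment on PR with CLI download links
        # TODO(review): mutable tag; pin to a full-length commit SHA like the
        # other actions in this file (supply-chain: a moved tag runs code with
        # pull-requests: write).
        uses: peter-evans/create-or-update-comment@v5
        with:
          issue-number: ${{ needs.trigger-on-command.outputs.pr_number }}
          body: |
            ### CLI Builds

            Download CLI builds for different platforms:

            - [📦 Linux (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-unknown-linux-gnu.zip)
            - [📦 Linux (aarch64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-unknown-linux-gnu.zip)
            - [📦 macOS (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-apple-darwin.zip)
            - [📦 macOS (aarch64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-apple-darwin.zip)
            - [📦 Windows (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-pc-windows-gnu.zip)

            These links are provided by nightly.link and will work even if you're not logged into GitHub.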