# This workflow is triggered by a comment on PR with the text ".bundle"
# It bundles the ARM64 Desktop App, then creates a PR comment with a link to download the app.
#
# SECURITY: This workflow checks out and builds code from PRs. To prevent
# malicious code execution (GHSA-4h72-4h3w-4587), we verify the commenter
# has write access before proceeding.
on:
  # IssueOps path: every newly created issue/PR comment reaches the workflow; the
  # job-level `if` below narrows it to PR comments containing ".bundle".
  issue_comment:
    types:
      - created
  # Manual path: a dispatch needs repo write access, which is why the permission
  # check in trigger-on-command treats this event as pre-authorized.
  workflow_dispatch:
    inputs:
      pr_number:
        description: "PR number to comment on"
        required: true
        type: string
# Default GITHUB_TOKEN scopes for the IssueOps job (trigger-on-command declares none of
# its own); bundle-desktop and pr-comment-arm64 each override these with a narrower set.
# pull-requests: write covers the reaction and the rejection/result comments.
permissions:
  checks: read
  pull-requests: write
name: Bundle ARM64 Desktop App

# One in-flight run per PR: a newer ".bundle" comment (or a dispatch naming the same PR)
# cancels the older run instead of queuing a second bundle of the same PR.
concurrency:
  group: "${{ github.workflow }}-${{ (github.event.issue && github.event.issue.number) || github.event.inputs.pr_number }}"
  cancel-in-progress: true
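jobs:
  # Gate job: no checkout happens here. It decides whether the requester may build,
  # resolves which PR and which commit to build, and hands both to the jobs below.
  trigger-on-command:
    if: >
      github.event_name == 'workflow_dispatch' ||
      (github.event.issue.pull_request && contains(github.event.comment.body, '.bundle'))
    name: Trigger on ".bundle" PR comment
    runs-on: ubuntu-latest
    # `continue` is the authorization gate; `pr_sha` is the exact ref the build job checks out.
    outputs:
      continue: ${{ steps.security_check.outputs.authorized }}
      pr_number: ${{ steps.command.outputs.issue_number || github.event.inputs.pr_number }}
      pr_sha: ${{ steps.get_pr_info.outputs.sha }}
    steps:
      # SECURITY: Verify commenter has write access BEFORE any checkout
      # This prevents attackers from triggering builds on their own malicious PRs
      - name: Verify commenter permissions
        id: security_check
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            // workflow_dispatch requires repo write access, so it's inherently safe
            if (context.eventName === 'workflow_dispatch') {
              core.setOutput('authorized', 'true');
              console.log('✅ workflow_dispatch - authorized');
              return;
            }
            const commenter = context.payload.comment.user.login;
            console.log(`Checking permissions for: ${commenter}`);
            try {
              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                username: commenter
              });
              // Fail closed: anything that is not an explicit write-level role is rejected.
              // NOTE(review): the `permission` field is expected to report read/write/admin;
              // 'maintain' is kept in the list defensively — confirm against the API response.
              const allowed = ['admin', 'maintain', 'write'].includes(permission.permission);
              console.log(`Permission level: ${permission.permission}, Authorized: ${allowed}`);
              if (!allowed) {
                // Post a comment explaining the rejection
                await github.rest.issues.createComment({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.payload.issue.number,
                  body: `⚠️ @${commenter} Only repository collaborators with write access can trigger builds.`
                });
                core.setOutput('authorized', 'false');
              } else {
                core.setOutput('authorized', 'true');
              }
            } catch (error) {
              // Any API failure (including an unknown user) is treated as "not authorized".
              console.log(`Permission check failed: ${error.message}`);
              core.setOutput('authorized', 'false');
            }

      # Event data is passed through env vars rather than interpolated into the shell
      # line, so untrusted strings cannot become shell syntax.
      - name: Debug workflow trigger
        if: steps.security_check.outputs.authorized == 'true'
        env:
          WORKFLOW_NAME: ${{ github.workflow }}
          WORKFLOW_REF: ${{ github.ref }}
          EVENT_NAME: ${{ github.event_name }}
          EVENT_ACTION: ${{ github.event.action }}
          ACTOR: ${{ github.actor }}
          REPOSITORY: ${{ github.repository }}
        run: |
          echo "=== Workflow Trigger Info ==="
          echo "Workflow: ${WORKFLOW_NAME}"
          echo "Ref: ${WORKFLOW_REF}"
          echo "Event: ${EVENT_NAME}"
          echo "Action: ${EVENT_ACTION}"
          echo "Actor: ${ACTOR}"
          echo "Repository: ${REPOSITORY}"

      # Reacts to the comment and exposes `issue_number`; authorization is NOT delegated
      # to this action (skip_reviews: true) — the step above is the only gate.
      - name: Run command action
        if: steps.security_check.outputs.authorized == 'true'
        uses: github/command@3442f3fa1efe01bdb024b157083c337902d17372 # v2.0.3
        id: command
        with:
          command: ".bundle"
          skip_reviews: true
          reaction: "eyes"
          allowed_contexts: pull_request

      # Get the PR's SHA
      # SECURITY: the head SHA is read when this step runs, not when the authorizing
      # comment was written. A commit pushed to the PR in between is what gets built;
      # the SHA is therefore pinned here and echoed in the result comment so reviewers
      # can see exactly which commit was bundled.
      - name: Get PR info
        id: get_pr_info
        if: steps.security_check.outputs.authorized == 'true'
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            let prNumber;
            if (context.eventName === 'workflow_dispatch') {
              prNumber = context.payload.inputs.pr_number;
            } else {
              prNumber = context.payload.issue.number;
            }
            if (!prNumber) {
              throw new Error('No PR number found');
            }
            // The dispatch input is free-form text; reject anything that is not a plain
            // integer before it reaches the API (parseInt would silently accept "12abc").
            if (!/^\d+$/.test(String(prNumber))) {
              throw new Error(`Invalid PR number: ${prNumber}`);
            }
            console.log('Using PR number:', prNumber);
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: parseInt(prNumber, 10)
            });
            console.log('PR Details:', {
              number: pr.number,
              head: {
                ref: pr.head.ref,
                sha: pr.head.sha,
                label: pr.head.label
              },
              base: {
                ref: pr.base.ref,
                sha: pr.base.sha,
                label: pr.base.label
              }
            });
            core.setOutput('sha', pr.head.sha);

  # Builds the PR commit via the reusable workflow (not visible here). Note that the PR
  # code runs in a job holding id-token: write, so the authorization gate above is what
  # keeps a fork's code from reaching that OIDC-capable context — keep the `if` intact.
  bundle-desktop:
    needs: [trigger-on-command]
    if: ${{ needs.trigger-on-command.outputs.continue == 'true' }}
    uses: ./.github/workflows/bundle-desktop.yml
    permissions:
      id-token: write
      contents: read
    with:
      signing: false
      ref: ${{ needs.trigger-on-command.outputs.pr_sha }}

  # Runs only when both upstream jobs succeeded (default success() on `needs`).
  pr-comment-arm64:
    name: PR Comment with macOS ARM64 App
    runs-on: ubuntu-latest
    needs: [trigger-on-command, bundle-desktop]
    permissions:
      pull-requests: write
    steps:
      # Artifact name must match what bundle-desktop.yml uploads — assumed, not visible here.
      - name: Download ARM64 artifact
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: Goose-darwin-arm64
          path: arm64-dist

      # The comment records the built commit so the unsigned binary can be traced back to
      # the exact PR head that was authorized and built.
      - name: Comment on PR with ARM64 download link
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          issue-number: ${{ needs.trigger-on-command.outputs.pr_number }}
          body: |
            ### macOS ARM64 Desktop App (Apple Silicon)
            Built from commit `${{ needs.trigger-on-command.outputs.pr_sha }}`
            [📱 Download macOS Desktop App (arm64, unsigned)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/Goose-darwin-arm64.zip)
            **Instructions:**
            The easiest way is to just run the following script:
            `./scripts/pre-release.sh`
            script which will download the latest release (or you can specify the release you need), does the
            unzip, xattr to get it out of quarantine and signs it.
            If you need to do this manually:
            * Download the file
            * Unzip
            * run `xattr -r -d com.apple.quarantine '/path/to/Goose.app'`
            * optionally run `codesign --force --deep --sign - --entitlements ui/desktop/entitlements.plist '/path/to/Goose.app'`
            * start the app
            The signing step is only needed if you do something that uses mac entitlements like speech to text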