---
# Cross-compiles the Go binary for several OS/arch pairs once the upstream
# "build" workflow has completed, or on demand via manual dispatch.
name: Build Binaries

on:  # yamllint disable-line rule:truthy
  workflow_run:
    workflows:
      - build
    types:
      - completed
    branches:
      - main
      - develop
  workflow_dispatch:

# Token scope is read-only; `actions: read` is what the lint-status lookup
# in the validation step needs.
permissions:
  contents: read
  actions: read
  checks: read

env:
  # Quoted so the toolchain version is never coerced to a float.
  GO_VERSION: "1.25.1"
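jobs:
  build-binaries:
    name: Build Multi-Platform Binaries
    runs-on: ubuntu-latest
    # Run on manual dispatch, or after a successful upstream run that was itself
    # triggered by a push or manual dispatch (never by a pull request).
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && (github.event.workflow_run.event == 'push' || github.event.workflow_run.event == 'workflow_dispatch')) }}
    strategy:
      matrix:
        include:
          - os: linux
            arch: amd64
            output: github-repo-linux-amd64
          - os: linux
            arch: arm64
            output: github-repo-linux-arm64
          - os: darwin
            arch: amd64
            output: github-repo-darwin-amd64
          - os: darwin
            arch: arm64
            output: github-repo-darwin-arm64
          - os: windows
            arch: amd64
            output: github-repo-windows-amd64.exe
    steps:
      # Defence in depth on top of the job-level `if:`: reject runs that did not
      # originate from this repository, from an allow-listed branch, with a
      # well-formed head SHA and a passing lint run.
      - name: Validate workflow_run security
        if: github.event_name == 'workflow_run'
        # NOTE(review): consider pinning third-party actions to a full commit SHA
        # (e.g. actions/github-script@<commit-sha>) rather than a mutable tag.
        uses: actions/github-script@v7
        with:
          script: |
            const workflowRun = context.payload.workflow_run;
            const thisRepo = `${context.repo.owner}/${context.repo.repo}`;
            // workflow_run.repository is always the repository the run executed in
            // (i.e. this one), so comparing it can never detect a fork. The head
            // commit's origin is head_repository; that is what must match.
            if (!workflowRun || !workflowRun.head_repository || workflowRun.head_repository.full_name !== thisRepo) {
              core.setFailed('Security: workflow_run must be from the same repository');
              return;
            }
            // The SHA is used as an API filter below and exported to the build as
            // COMMIT_HASH, so require exactly 40 hex characters.
            const headSha = workflowRun.head_sha;
            if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
              core.setFailed('Invalid head SHA format');
              return;
            }
            // Allow-list the source branch; this also bounds VERSION, which is
            // interpolated into the go build command in a later step.
            const allowedBranches = ['main', 'develop'];
            if (!allowedBranches.includes(workflowRun.head_branch)) {
              core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
              return;
            }
            // Most recent lint run for this exact commit must have succeeded.
            // NOTE(review): this fails open when no lint run exists for the SHA
            // (length === 0); fail closed there if lint is mandatory.
            const { data: runs } = await github.rest.actions.listWorkflowRuns({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'lint.yaml',
              head_sha: headSha,
              per_page: 1
            });
            if (runs.workflow_runs.length > 0 && runs.workflow_runs[0].conclusion !== 'success') {
              core.setFailed('Lint workflow did not pass');
            }

      - name: Checkout code
        uses: actions/checkout@v5
        with:
          # On workflow_run, github.sha is the default-branch head rather than the
          # commit the upstream run built, so a `develop` trigger would otherwise
          # compile `main` while stamping it with develop's COMMIT_HASH. Check out
          # the validated head_sha instead; workflow_dispatch falls back to github.sha.
          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Build binary for ${{ matrix.os }}/${{ matrix.arch }}
        env:
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
          CGO_ENABLED: 0
          # Branch/ref name and commit embedded into the binary; both come from
          # values the validation step has already checked (or from github.*
          # on manual dispatch). They are passed via env, not string-built into
          # the shell line, so the command itself stays fixed.
          VERSION: ${{ github.event_name == 'workflow_dispatch' && github.ref_name || github.event.workflow_run.head_branch || 'unknown' }}
          COMMIT_HASH: ${{ github.event_name == 'workflow_dispatch' && github.sha || github.event.workflow_run.head_sha || github.sha }}
          OUTPUT_NAME: ${{ matrix.output }}
        run: |
          go build -ldflags="-s -w -X 'main.Version=${VERSION}' -X 'main.GitCommitHash=${COMMIT_HASH}' -X 'main.BuiltAt=$(date -u +%Y-%m-%dT%H:%M:%SZ)'" -o "${OUTPUT_NAME}"

      - name: Upload binary artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.output }}
          path: ${{ matrix.output }}
          retention-days: 30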