ci: harden workflow against script injection

Ben Grande 2025-07-12 06:10:28 +02:00
parent c0e80aaed3
commit 13c0720761
No known key found for this signature in database
GPG key ID: 00C64E14F51F9E56
2 changed files with 33 additions and 17 deletions


@ -56,14 +56,20 @@ jobs:
editorconfig-checker editorconfig-checker
editorconfig-checker salt/dotfiles editorconfig-checker salt/dotfiles
- name: Lint commit messages - name: Lint commit messages
env:
EVENT: ${{ github.event_name }}
BASE: ${{ github.event.before }}
HEAD: ${{ github.event.after }}
PR_BASE: ${{ github.event.pull_request.base.sha }}
PR_HEAD: ${{ github.event.pull_request.head.sha }}
run: | run: |
if test "${{ github.event_name}}" = "pull_request" if test "${EVENT}" = "pull_request"
then then
base="${{ github.event.pull_request.base.sha }}" base="${PR_BASE}"
head="${{ github.event.pull_request.head.sha }}" head="${PR_HEAD}"
else else
base="${{ github.event.before }}" base="${BASE}"
head="${{ github.event.after }}" head="${HEAD}"
fi fi
if test "${base}" = "${head}" || test -z "${base}" if test "${base}" = "${head}" || test -z "${base}"
then then
@ -72,13 +78,17 @@ jobs:
gitlint --debug --commits "${base}..${head}" gitlint --debug --commits "${base}..${head}"
fi fi
- name: Verify that commits have associated signatures - name: Verify that commits have associated signatures
env:
EVENT: ${{ github.event_name }}
BASE: ${{ github.event.before }}
HEAD: ${{ github.event.after }}
run: | run: |
if test "${{ github.event_name}}" = "pull_request" if test "${EVENT}" = "pull_request"
then then
exit 0 exit 0
fi fi
base="${{ github.event.before }}" base="${BASE}"
head="${{ github.event.after }}" head="${HEAD}"
if test "${base}" = "${head}" || test -z "${base}" if test "${base}" = "${head}" || test -z "${base}"
then then
scripts/commit-verify.sh "${head}" scripts/commit-verify.sh "${head}"
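Review bot: The `test -z "${base}"` guard that follows the new `BASE: ${{ github.event.before }}` line in both hunks does not catch the all-zero SHA that GitHub reports as `before` on a push that creates a branch, so on such a push `${base}..${head}` would reach `gitlint --commits` (first hunk) and the range branch of the signature check (second hunk) with an unresolvable revision; the same applies to the `check_committer` step in the second file. Extending the guard to `if test "${base}" = "${head}" || test -z "${base}" || test "${base}" = "0000000000000000000000000000000000000000"` would route that case to the existing single-commit branch. The file also does not say why the expressions now go through `env:`; a one-line comment above each block, `# Expression values are passed via env so they are never expanded as text inside the shell script`, would keep the next editor from reintroducing `${{ }}` into `run:`. The `then` branches of both steps lie outside these hunks, so whether they already handle the zero SHA cannot be confirmed here.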


@ -1,5 +1,5 @@
# yamllint disable-line rule:line-length # yamllint disable-line rule:line-length
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com> # SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# #
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
@ -28,14 +28,20 @@ jobs:
fetch-depth: 0 fetch-depth: 0
- name: Block commits made using the GitHub WebUI - name: Block commits made using the GitHub WebUI
id: check_committer id: check_committer
env:
EVENT: ${{ github.event_name }}
BASE: ${{ github.event.before }}
HEAD: ${{ github.event.after }}
PR_BASE: ${{ github.event.pull_request.base.sha }}
PR_HEAD: ${{ github.event.pull_request.head.sha }}
run: | run: |
if test "${{ github.event_name}}" = "pull_request" if test "${EVENT}" = "pull_request"
then then
base="${{ github.event.pull_request.base.sha }}" base="${PR_BASE}"
head="${{ github.event.pull_request.head.sha }}" head="${PR_HEAD}"
else else
base="${{ github.event.before }}" base="${BASE}"
head="${{ github.event.after }}" head="${HEAD}"
fi fi
if test "${base}" = "${head}" || test -z "${base}" if test "${base}" = "${head}" || test -z "${base}"
then then
@ -43,9 +49,9 @@ jobs:
else else
committer="$(git show -s --format=%cn ${base}..${head})" committer="$(git show -s --format=%cn ${base}..${head})"
fi fi
if echo "${committer}" | grep -q "^GitHub$"; then if printf '%s' "${committer}" | grep -q "^GitHub$"; then
echo "committer_gitweb=true" >> $GITHUB_OUTPUT printf '%s\n' "committer_gitweb=true" >> $GITHUB_OUTPUT
echo "Commit was made using the GitHub WebUI" >&2 printf '%s\n' "Commit was made using the GitHub WebUI" >&2
fi fi
- name: Block commits made using the GitHub WebUI - name: Block commits made using the GitHub WebUI
if: steps.check_committer.outputs.committer_gitweb == 'true' if: steps.check_committer.outputs.committer_gitweb == 'true'
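Review bot: Both rewritten `printf` redirections in the last hunk still append to an unquoted `$GITHUB_OUTPUT`, which would word-split if the runner ever placed that file under a path containing whitespace; quote it as `>> "${GITHUB_OUTPUT}"` on both lines. The `git show -s --format=%cn ${base}..${head}` line just above them likewise leaves the range unquoted while every other use of the pair in this file quotes it, so `"${base}..${head}"` would make the step consistent. The `then` branch of `check_committer` that precedes the `else` at the top of this hunk is outside it.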