Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-09-20 04:24:34 -04:00
Code Issues Projects Releases Packages Wiki Activity

ci: harden workflow against script injection

Browse source
This commit is contained in:
Ben Grande 2025-07-12 06:10:28 +02:00
parent c0e80aaed3
commit 13c0720761
No known key found for this signature in database
GPG key ID: 00C64E14F51F9E56
2 changed files with 33 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

26
.github/workflows/main.yaml vendored
View file

@ -56,14 +56,20 @@ jobs:
editorconfig-checker
editorconfig-checker salt/dotfiles
- name: Lint commit messages
env:
EVENT: ${{ github.event_name }}
BASE: ${{ github.event.before }}
HEAD: ${{ github.event.after }}
PR_BASE: ${{ github.event.pull_request.base.sha }}
PR_HEAD: ${{ github.event.pull_request.head.sha }}
run: |
if test "${{ github.event_name}}" = "pull_request"
if test "${EVENT}" = "pull_request"
then
base="${{ github.event.pull_request.base.sha }}"
head="${{ github.event.pull_request.head.sha }}"
base="${PR_BASE}"
head="${PR_HEAD}"
else
base="${{ github.event.before }}"
head="${{ github.event.after }}"
base="${BASE}"
head="${HEAD}"
fi
if test "${base}" = "${head}" || test -z "${base}"
then
@ -72,13 +78,17 @@ jobs:
gitlint --debug --commits "${base}..${head}"
fi
- name: Verify that commits have associated signatures
env:
EVENT: ${{ github.event_name }}
BASE: ${{ github.event.before }}
HEAD: ${{ github.event.after }}
run: |
if test "${{ github.event_name}}" = "pull_request"
if test "${EVENT}" = "pull_request"
then
exit 0
fi
base="${{ github.event.before }}"
head="${{ github.event.after }}"
base="${BASE}"
head="${HEAD}"
if test "${base}" = "${head}" || test -z "${base}"
then
scripts/commit-verify.sh "${head}"

24
.github/workflows/reject-pr.yaml vendored
View file

@ -1,5 +1,5 @@
# yamllint disable-line rule:line-length
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: GPL-3.0-or-later
@ -28,14 +28,20 @@ jobs:
fetch-depth: 0
- name: Block commits made using the GitHub WebUI
id: check_committer
env:
EVENT: ${{ github.event_name }}
BASE: ${{ github.event.before }}
HEAD: ${{ github.event.after }}
PR_BASE: ${{ github.event.pull_request.base.sha }}
PR_HEAD: ${{ github.event.pull_request.head.sha }}
run: |
if test "${{ github.event_name}}" = "pull_request"
if test "${EVENT}" = "pull_request"
then
base="${{ github.event.pull_request.base.sha }}"
head="${{ github.event.pull_request.head.sha }}"
base="${PR_BASE}"
head="${PR_HEAD}"
else
base="${{ github.event.before }}"
head="${{ github.event.after }}"
base="${BASE}"
head="${HEAD}"
fi
if test "${base}" = "${head}" || test -z "${base}"
then
@ -43,9 +49,9 @@ jobs:
else
committer="$(git show -s --format=%cn ${base}..${head})"
fi
if echo "${committer}" | grep -q "^GitHub$"; then
echo "committer_gitweb=true" >> $GITHUB_OUTPUT
echo "Commit was made using the GitHub WebUI" >&2
if printf '%s' "${committer}" | grep -q "^GitHub$"; then
printf '%s\n' "committer_gitweb=true" >> $GITHUB_OUTPUT
printf '%s\n' "Commit was made using the GitHub WebUI" >&2
fi
- name: Block commits made using the GitHub WebUI
if: steps.check_committer.outputs.committer_gitweb == 'true'