From 83c424c347892b84c562c502312d947ba9bdd66d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Ga=C5=82da?=
Date: Thu, 3 Oct 2024 14:57:01 +0200
Subject: [PATCH] Remove not needed and not secure features

All features, which require secrets, are considered as unsafe. Depending on how script-diff action is used, secrets can be compromised with prepared script to call.
---
 README.md  |  44 +++--------------------
 action.yml | 101 ++++++++++++-----------------------------------------
 2 files changed, 26 insertions(+), 119 deletions(-)

diff --git a/README.md b/README.md
index 8e410e3..463196e 100644
--- a/README.md
+++ b/README.md
@@ -2,52 +2,16 @@ * Execute given script * Generates a diff over a given file -* Posts a comment to the PR with custom message if there is a diff -* Posts a different comment if there is no diff -* If there is diff and the PR author reacted with a defineable emote, an auto commit is added +* Verify if content of generated and commited files equals ## Usage ``` yaml -- uses: nrfconnect/action-script-diff@v0.2 +- uses: nrfconnect/action-script-diff@v0.3 with: - # Token needed to post comments and add commits - github-token: '' - - # Comment message to post when a diff was detected - message_diff: '' - - # Comment message to post when no diff was detected - message_success: '' + # Path to file which should be inspected - relative to GitHub workspace + diff_file: '' # Relative path and script name to be executed script_call: '' - - # File to check for diff - diff_file: '' - - # Path within the repo where the file to watch is present - diff_path: '' - - # The root folder for the git diff - git_diff_root: '' - - # User name to be used in the auto commit (Needs to be 'Firstname' 'Lastname') - git_user_name: ' ' - - # E-Mail to be used in the auto commit (Needs to be the verified e-mail of the account to be used) - git_user_email: '' - - # Github comment remote to check if present - # See https://docs.github.com/en/rest/reactions/reactions - # Available emotes: - # 👍 -1 - # 👎 -1 - # 😄 laugh - # 😕 confused - # ❤️ heart - # 🎉 hooray - # 🚀 rocket - # 👀 eyes - reaction_emote: '' ``` diff --git a/action.yml b/action.yml index 3cb0c88..46128eb 100644 --- a/action.yml +++ b/action.yml 
@@ -1,51 +1,37 @@ -name: 'script diff push' -description: 'Run a script, show git diff and push changes if allowed' +name: 'Git diff after script call' +description: | + Check if content of given file changed after calling a script. + Action can be used to check if content of commited autogenerated file is valid. + Expected content of file can be found in check action's summary and artifacts sections. inputs: - github-token: - description: 'The token to authenticate with' - message_diff: - description: 'Message if there is a diff' - required: true - message_success: - description: 'Message if no more diff' - required: true script_call: - description: 'Script call' + description: 'Script which should be called' required: true diff_file: - description: 'File to run diff on, full path within the git repo' - required: true - diff_path: - description: 'Diff file path within the repo' - required: true - git_diff_root: - description: 'Root path of the git diff' - required: true - git_user_name: - description: 'User name used for git push' - required: true - git_user_email: - description: 'User email used for git push' - required: true - reaction_emote: - description: 'Reaction to check by the PR author' + description: 'Path to file which should be inspected - relative to GitHub workspace' required: true runs: using: "composite" steps: + - name: 'Set env variables' + run: | + echo "DIFF_FILE_ABS='${{ github.workspace }}/${{ inputs.diff_file }}'" >> $GITHUB_ENV + echo "DIFF_FILE_DIR=$(dirname '${{ github.workspace }}/${{ inputs.diff_file }}')" >> $GITHUB_ENV + echo "DIFF_FILE_NAME=$(basename '${{ github.workspace }}/${{ inputs.diff_file }}')" >> $GITHUB_ENV + shell: bash + - name: Execute ${{ inputs.script_call }} - working-directory: ${{ inputs.git_diff_root }} run: ${{ inputs.script_call }} shell: bash - name: 'Upload Artifact: ${{ inputs.diff_file }}' - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: - name: ${{ inputs.diff_file }} - path: ${{ 
inputs.git_diff_root }}/${{ inputs.diff_path }}/${{ inputs.diff_file }} + name: ${{ env.DIFF_FILE_NAME }} + path: ${{ inputs.diff_file }} - name: Check for changes in ${{ inputs.diff_file }} - working-directory: ${{ inputs.git_diff_root }} + working-directory: ${{ env.DIFF_FILE_DIR }} id: diff shell: bash run: | @@ -65,49 +51,6 @@ runs: echo EOF } >> $GITHUB_ENV - - name: Post diff comment - uses: nrfconnect/action-comment@v0.1 - id: comment - if: ${{ steps.diff.outputs.diff_result == 1 }} - env: - REACT_EMOTE: ${{ inputs.reaction_emote }} - with: - github-token: ${{ inputs.github-token }} - reaction: "${{ env.REACT_EMOTE }}" - message: "${{ inputs.message_diff }}" - - - name: Post success comment - uses: nrfconnect/action-comment@v0.1 - env: - REACT_EMOTE: ${{ inputs.reaction_emote }} - if: ${{ steps.diff.outputs.diff_result == 0 }} - with: - github-token: ${{ inputs.github-token }} - reaction: "${{ env.REACT_EMOTE }}" - message: "${{ inputs.message_success }}" - - - name: Add changed file - working-directory: ${{ inputs.git_diff_root }} - if: ${{ steps.comment.outputs.found_reaction == 'True' && steps.diff.outputs.diff_result == 1 }} - shell: bash - env: - GH_TOKEN: ${{ inputs.github-token }} - run: | - gh pr checkout ${{ github.event.pull_request.number }} - git config user.email "\"${{ inputs.git_user_email }}\"" - git config user.name "\"${{ inputs.git_user_name }}\"" - git add ${{ inputs.diff_path }}/${{ inputs.diff_file }} - - echo -e '`${{ inputs.diff_file }}` has changed. Pushing to PR branch.' >> $GITHUB_STEP_SUMMARY - git config credential.helper store - echo "https://x-access-token:${{ inputs.github-token }}@github.com" >> ~/.git-credentials - - git commit -s -m "ci: Updating ${{ inputs.diff_file }}" \ - -m 'This is an automated commit from github workflow by NordicBuilder' - git push - rm ~/.git-credentials - unset GH_TOKEN - - name: Post summary if: ${{ !cancelled() }} shell: bash 
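Review bot: The new 'Set env variables' step splices `${{ inputs.diff_file }}` directly into the shell lines that append to `$GITHUB_ENV`, so a value containing a quote or a newline is a script injection that can also define arbitrary environment variables for every later step of the job; the input should be passed through `env:` and expanded as a shell variable, with newlines rejected before anything is written. The value stored as `DIFF_FILE_ABS` also carries literal single quotes (`DIFF_FILE_ABS='…'`), which only works because later steps re-splice it with `${{ env.DIFF_FILE_ABS }}`, whereas `DIFF_FILE_DIR` and `DIFF_FILE_NAME` are written unquoted, so anything reading `$DIFF_FILE_ABS` as a plain variable gets a path that does not exist. The rewrite below writes all three consistently without embedded quotes; the `[[ -e … ]]` and `cat` lines in the summary step must then quote their expansion themselves. Independently of this, `run: ${{ inputs.script_call }}` is arbitrary shell by design, so any token still present in the job environment or persisted by the calling workflow's checkout remains reachable from the script — the README should state that the action must only be given trusted scripts. The `steps:` list continues into the next hunk.

```yaml
      - name: 'Set env variables'
        env:
          DIFF_FILE_INPUT: ${{ inputs.diff_file }}
        run: |
          # Refuse a value that could smuggle extra lines into $GITHUB_ENV.
          case "${DIFF_FILE_INPUT}" in
            *$'\n'*) echo "diff_file must not contain newlines" >&2; exit 1 ;;
          esac
          abs="${GITHUB_WORKSPACE}/${DIFF_FILE_INPUT}"
          {
            echo "DIFF_FILE_ABS=${abs}"
            echo "DIFF_FILE_DIR=$(dirname "${abs}")"
            echo "DIFF_FILE_NAME=$(basename "${abs}")"
          } >> "$GITHUB_ENV"
        shell: bash
      # … unchanged: Execute, Upload Artifact and Check for changes steps …
```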
@@ -115,23 +58,23 @@ runs: if [[ 1 == ${{ steps.diff.outputs.diff_result }} ]]; then echo -e 'New ${{ inputs.diff_file }} file differs from the current file.' >> $GITHUB_STEP_SUMMARY fi - if [[ -e ${{ inputs.git_diff_root }}/${{ inputs.diff_path }}/${{ inputs.diff_file }} ]]; then + if [[ -e ${{ env.DIFF_FILE_ABS }} ]]; then echo -e '
${{ inputs.diff_file }} ```' >> $GITHUB_STEP_SUMMARY - cat ${{ inputs.git_diff_root }}/${{ inputs.diff_path }}/${{ inputs.diff_file }} >> $GITHUB_STEP_SUMMARY + cat ${{ env.DIFF_FILE_ABS }} >> $GITHUB_STEP_SUMMARY echo -e '```
' >> $GITHUB_STEP_SUMMARY else - echo -e 'Error during workflow, ${{ inputs.diff_file }} file was not created' >> GITHUB_STEP_SUMMARY + echo -e 'Error during workflow, ${{ inputs.diff_file }} file was not created' >> $GITHUB_STEP_SUMMARY fi if [[ -n $GITDIFF ]] && [[ 1 == ${{ steps.diff.outputs.diff_result}} ]]; then echo -e '
- ${{ inputs.diff_file }} diff + ${{ env.DIFF_FILE_NAME }} diff ``` diff' >> $GITHUB_STEP_SUMMARY echo "$GITDIFF" >> $GITHUB_STEP_SUMMARY