From 5fda567294dd913cc7bc9613d73d833d61e5b45d Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Fri, 19 Jan 2024 13:59:06 +0100 Subject: [PATCH] *: move unverified-commits out --- action.yml | 3 + actions/reviewdog/action.yml | 82 +------------------------ actions/unverified-commits/action.yml | 87 +++++++++++++++++++++++++++ 3 files changed, 93 insertions(+), 79 deletions(-) create mode 100644 actions/unverified-commits/action.yml diff --git a/action.yml b/action.yml index adb60a3e..7e9b7f8e 100644 --- a/action.yml +++ b/action.yml @@ -73,6 +73,9 @@ runs: pip_audit_pypi_index_url: ${{ inputs.pip_audit_pypi_index_url }} pip_audit_pypi_insecure_hosts: ${{ inputs.pip_audit_pypi_insecure_hosts }} gh_to_slack_user_map: ${{ inputs.gh_to_slack_user_map }} + - uses: ${{ github.action_path }}/actions/unverified-commits + with: + github_token: ${{ inputs.github_token } - uses: ${{ github.action_path }}/actions/codeql with: debug: ${{ inputs.debug }} diff --git a/actions/reviewdog/action.yml b/actions/reviewdog/action.yml index 6ab919e3..4c09de5e 100644 --- a/actions/reviewdog/action.yml +++ b/actions/reviewdog/action.yml @@ -37,12 +37,11 @@ inputs: description: enables debug output for this action required: false enabled: - type: boolean description: may disable the whole action, big red button for emergency cases - default: true + default: "true" baseline_scan_only: description: compare changed files with the base ref, do not scan the entire repo with reviewdog - default: true + default: "true" pip_audit_pypi_index_url: description: Pypi index for pip-audit to use in case you have a private index required: false 
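Review bot: The new `unverified-commits` step in action.yml passes `github_token: ${{ inputs.github_token }` with a single closing brace, so unless the missing brace is an artifact of how this patch was rendered, the expression is malformed and the sub-action's `required: true` `github_token` input will not receive the token (the action loader may reject the file outright). It should match the neighbouring steps: `github_token: ${{ inputs.github_token }}`. The step is also unconditional here while the sub-action gates on `github.event_name == 'pull_request'`, which works but deserves a one-line comment such as `# no-op outside pull_request events; the sub-action checks event_name itself`.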
@@ -180,77 +179,7 @@ runs: ).length; console.log("Comments: %d", commentsNumber); return commentsNumber; - - id: unverified-commits - if: ${{ github.event_name == 'pull_request' }} - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - script: | - const commits = await github.rest.pulls.listCommits({ - pull_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - }); - const previousCommentsQuery = `query ($owner: String!, $name: String!, $prnumber: Int!) { - repository(owner: $owner, name: $name) { - pullRequest(number: $prnumber) { - comments(last: 50) { - nodes { - id - author { - login - } - body - } - } - } - } - }`; - const deleteMutation = `mutation($comment:ID!) { - deleteIssueComment(input: {id:$comment}) { - clientMutationId - } - }`; - const previousComments = await github.graphql(previousCommentsQuery, { - owner: context.repo.owner, - name: context.repo.repo, - prnumber: context.issue.number - }); - const commentPrefix = "The following commits were not [verified](https://github.com/brave/handbook/blob/master/development/commit-and-tag-signing.md):\n"; - const actionPreviousComments = previousComments.repository.pullRequest.comments.nodes.filter( - c => c.author.login === "github-actions" && c.body.startsWith(commentPrefix) - ); - const unverifiedCommits = commits.data.filter(c => c.commit.verification.verified !== true); - if (unverifiedCommits.length) { - const commitList = unverifiedCommits.map(c => `${c.sha} (${c.commit.verification.reason})`).join("\n"); - const body = commentPrefix + commitList; - var commentExists = false; - for (const comment of actionPreviousComments) { - if (comment.body == body) { - console.log("Good comment found:", comment); - commentExists = true; - } else { - console.log("Deleting", comment); - await github.graphql(deleteMutation, {comment: comment.id}); - } - } - if (!commentExists) { - console.log("Creating new comment"); - 
github.rest.issues.createComment({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - body: body, - }); - return "UNVERIFIED-CHANGED"; // A new comment was created - } - return "UNVERIFIED"; - } else { - console.log("Commits verified"); - for (const comment of actionPreviousComments) { - console.log("Deleting", comment); - await github.graphql(deleteMutation, {comment: comment.id}); - } - } + - if: ${{ steps.reviewdog-enabled.outputs.result == 'true' }} name: Cache pip cache id: cache-pip @@ -522,11 +451,6 @@ runs: run: | set -x echo "result=true" >> $GITHUB_OUTPUT - - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 - if: ${{ steps.unverified-commits.outputs.result == '"UNVERIFIED-CHANGED"' }} - with: - github_token: ${{ inputs.github_token }} - labels: unverified-commits - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: ${{ (steps.reviewdog-enabled-pr.outputs.result == 'true' && steps.should-trigger.outputs.result == 'true') }} with: diff --git a/actions/unverified-commits/action.yml b/actions/unverified-commits/action.yml new file mode 100644 index 00000000..c87fd99a --- /dev/null +++ b/actions/unverified-commits/action.yml 
@@ -0,0 +1,87 @@
+name: "Security Action (unverified commits)"
+description: "Check if there are unverified commits in the PR"
+inputs:
+ github_token:
+ description: |
+ Secret token to push review comments, and
+ interact with the repository systematically
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - id: unverified-commits
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const commits = await github.rest.pulls.listCommits({
+ pull_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ const previousCommentsQuery = `query ($owner: String!, $name: String!, $prnumber: Int!) {
+ repository(owner: $owner, name: $name) {
+ pullRequest(number: $prnumber) {
+ comments(last: 50) {
+ nodes {
+ id
+ author {
+ login
+ }
+ body
+ }
+ }
+ }
+ }
+ }`;
+ const deleteMutation = `mutation($comment:ID!) {
+ deleteIssueComment(input: {id:$comment}) {
+ clientMutationId
+ }
+ }`;
+ const previousComments = await github.graphql(previousCommentsQuery, {
+ owner: context.repo.owner,
+ name: context.repo.repo,
+ prnumber: context.issue.number
+ });
+ const commentPrefix = "The following commits were not [verified](https://github.com/brave/handbook/blob/master/development/commit-and-tag-signing.md):\n";
+ const actionPreviousComments = previousComments.repository.pullRequest.comments.nodes.filter(
+ c => c.author.login === "github-actions" && c.body.startsWith(commentPrefix)
+ );
+ const unverifiedCommits = commits.data.filter(c => c.commit.verification.verified !== true);
+ if (unverifiedCommits.length) {
+ const commitList = unverifiedCommits.map(c => `${c.sha} (${c.commit.verification.reason})`).join("\n");
+ const body = commentPrefix + commitList;
+ var commentExists = false;
+ for (const comment of actionPreviousComments) {
+ if (comment.body == body) {
+ console.log("Good comment found:", comment);
+ commentExists = true;
+ } else {
+ console.log("Deleting", comment);
+ await github.graphql(deleteMutation, {comment: comment.id});
+ }
+ }
+ if (!commentExists) {
+ console.log("Creating new comment");
+ github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ body: body,
+ });
+ return "UNVERIFIED-CHANGED"; // A new comment was created
+ }
+ return "UNVERIFIED";
+ } else {
+ console.log("Commits verified");
+ for (const comment of actionPreviousComments) {
+ console.log("Deleting", comment);
+ await github.graphql(deleteMutation, {comment: comment.id});
+ }
+ }
+ - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
+ if: ${{ steps.unverified-commits.outputs.result == '"UNVERIFIED-CHANGED"' }}
+ with:
+ github_token: ${{ inputs.github_token }}
+ labels: unverified-commits
\ No newline at end of file
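Review bot: `github.rest.pulls.listCommits` at the top of the `script:` block returns a single page of commits (30 per page by default), so a pull request with more commits than that has its later commits skipped by the `unverifiedCommits` filter, and an unsigned commit past the first page is neither commented on nor labelled. Fetch every page instead, `const commits = await github.paginate(github.rest.pulls.listCommits, { pull_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo });`, and then filter the array directly, `const unverifiedCommits = commits.filter(c => c.commit.verification.verified !== true);`. The `github.rest.issues.createComment({...})` call in the `!commentExists` branch is also not awaited, so the step returns `"UNVERIFIED-CHANGED"` before the comment is posted and a rejected request (for example a read-only token on a fork PR) is never surfaced; prefix it with `await`. Note too that this github-script step sets no `github-token:` input, so the comment is created with the runner's default token while the label step below uses `inputs.github_token`; if those differ, the `c.author.login === "github-actions"` filter presumably stops matching the bot's own comments and stale comments accumulate — worth confirming.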