From 58ca333f8a9d316727bf334593772cf9f41310c9 Mon Sep 17 00:00:00 2001
From: Karan Batavia <118820668+karan-batavia@users.noreply.github.com>
Date: Thu, 5 Sep 2024 11:09:37 +0530
Subject: [PATCH] Use env key to avoid action injection (#513)

* use env key to avoid action injection
* fix gaps
* fix
* use unified slack actions
---
 .github/workflows/comparison-result.yml | 77 +++++++++++++++----------
 1 file changed, 45 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/comparison-result.yml b/.github/workflows/comparison-result.yml
index c0705fdd..339d5db3 100644
--- a/.github/workflows/comparison-result.yml
+++ b/.github/workflows/comparison-result.yml
@@ -1,4 +1,4 @@
-name: Monitoring Stability and Comparing Results for privado
+name: Monitoring Stability and Comparing Results
 # Triggers when a pull_request is created
 on: 
@@ -6,35 +6,46 @@ on:
 branches:
 - "**"
+env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ CORE_AT: ${{ secrets.CORE_AT }}
+ BASE_REF: ${{ github.BASE_REF }}
+ HEAD_REF: ${{ github.HEAD_REF }}
+ BASE_RULE_URL: ${{ github.event.pull_request.base.repo.html_url }}
+ HEAD_RULE_URL: ${{ github.event.pull_request.head.repo.html_url }}
+ PR_NUMBER: ${{ github.event.number }}
+ REPOSITORY_NAME: ${{github.event.repository.name}}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ SLACK_BOT_TOKEN: ${{ secrets.SLACK_TOKEN }}
+ SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+
 jobs:
 start_workflow:
 runs-on: ubuntu-latest
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
 steps:
 - name: Send message to slack
 id: initial-message
- uses: archive/github-actions-slack@master
+ uses: slackapi/slack-github-action@v1.27.0
 with:
- slack-optional-parse: full
- slack-bot-user-oauth-access-token: ${{ secrets.SLACK_TOKEN }}
- slack-channel: ${{ secrets.SLACK_CHANNEL_ID }}
- slack-text: "Comparison workflow started for ${{github.event.pull_request.html_url}}"
+ channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+ slack-message : "Comparison workflow started for ${{env.PR_URL}}"
 - name: Save output to env
 id: save-output
- run: echo "INIT_MSG_TS=${{ fromJson(steps.initial-message.outputs.slack-result).response.message.ts }}" >> $GITHUB_OUTPUT
+ run: echo "INIT_MSG_TS=${{ steps.initial-message.outputs.ts }}" >> $GITHUB_OUTPUT
 outputs:
 init_message_ts: ${{steps.save-output.outputs.INIT_MSG_TS}}
-
 setup_and_scan:
 needs: start_workflow
 strategy:
 matrix:
- language: ['java-1', 'java-2' , 'python', 'js', 'ruby-1', 'ruby-2', 'go', 'kotlin']
+ language: ['java-1', 'java-2' ,'python', 'js', 'ruby-1', 'ruby-2', 'go', 'kotlin']
 continue-on-error: true
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
-
 - name: Install JDK-18
 uses: actions/setup-java@v3
 with: 
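Review bot: The new workflow-level `env:` block places `secrets.GITHUB_TOKEN`, `secrets.CORE_AT` and `secrets.SLACK_TOKEN` into the process environment of every step of every job, which is wider exposure than the old per-step `export GITHUB_TOKEN=…` had; presumably only `run.py` reads `GITHUB_TOKEN`/`CORE_AT`, so scope them to that step's `env:` (the later "Post results to slack" step already sets `SLACK_TOKEN` itself). `BASE_REF: ${{ github.BASE_REF }}` and `HEAD_REF: ${{ github.HEAD_REF }}` are the only mixed-case context references in the file; write `${{ github.base_ref }}` and `${{ github.head_ref }}` as the removed lines did. The job-level `env: PR_URL:` under `start_workflow` repeats the workflow-level `PR_URL` with the same value and can be dropped. `slack-message : "…"` has a stray space before the colon; write `slack-message: "…"` to match every other key.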
@@ -51,44 +62,44 @@ jobs:
 with:
 python-version: '3.10'
-
- - name: Clone standalone-monitoring-stability/main
+ - name: Clone standalone-monitoring-stability/private-fork
 uses: actions/checkout@v3
 with:
 repository: Privado-Inc/standalone-monitoring-stability
 path: ./temp/standalone-monitoring-stability
 ref: private-fork
- - name: Run the script for ${{github.head_ref}} and ${{github.base_ref}}
- # It is important to sanitize the branch name from forks, otherwise it can be used to inject code.
- env:
- HEAD_REF: ${{ github.head_ref }}
- run: export GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} && export PAT=${{ secrets.PAT }} && cd ./temp/standalone-monitoring-stability && pip install -r requirements.txt && python3 ./run.py -r ./repos/${{matrix.language}}.txt -rbb ${{github.base_ref}} -rbh $HEAD_REF -brr ${{ github.event.pull_request.base.repo.html_url }} -hrr ${{ github.event.pull_request.head.repo.html_url }} -guf -urc
-
+ # langauge specific repository file
+ - name: Run the script for ${{ env.HEAD_REF }} and ${{ env.BASE_REF }}
+ run: cd ./temp/standalone-monitoring-stability && pip install -r requirements.txt && python3 ./run.py -r ./repos/${{matrix.language}}.txt -rbb ${{ env.BASE_REF }}} -rbh ${{ env.HEAD_REF }} -brr ${{ env.BASE_RULE_URL }} -hrr ${{ env.HEAD_RULE_URL }} -guf -urc
+
 - name: Run aws-export
- run: cd ./temp/standalone-monitoring-stability/ && python3 aws-export.py ${{matrix.language}}-${{github.event.number}}
+ run: cd ./temp/standalone-monitoring-stability/ && python3 aws-export.py ${{matrix.language}}-${{ env.PR_NUMBER }}
 - name: Move results to a folder
- run: cd ./temp/standalone-monitoring-stability/ && mkdir results && mv output-${{matrix.language}}-${{github.event.number}}.xlsx ./results/output-${{matrix.language}}-${{github.event.number}}.xlsx && mv ./temp/result-${{matrix.language}}-${{github.event.number}}.zip ./results/result-${{matrix.language}}-${{github.event.number}}.zip && mv slack_summary.txt ./results/slack_summary.txt
+ run: cd ./temp/standalone-monitoring-stability/ && mkdir results && mv output-${{matrix.language}}-${{ env.PR_NUMBER }}.xlsx ./results/output-${{matrix.language}}-$${{ env.PR_NUMBERĀ }}.xlsx && mv ./temp/result-${{matrix.language}}-${{ env.PR_NUMBER }}.zip ./results/result-${{matrix.language}}-${{ env.PR_NUMBER }}.zip && mv slack_summary.txt ./results/slack_summary.txt
+ # Zip the results by name
 - name: Zip the results
- run: cd /home/runner/work/privado/privado/temp/standalone-monitoring-stability && zip result-${{matrix.language}}-${{github.event.number}}.zip -r ./results
+ run: cd /home/runner/work/privado/privado/temp/standalone-monitoring-stability && zip result-${{matrix.language}}-${{ env.PR_NUMBER }}.zip -r ./results
 - name: Set summary variable
 run: |
 echo "MESSAGE<> $GITHUB_ENV
 echo "$(cat /home/runner/work/privado/privado/temp/standalone-monitoring-stability/results/slack_summary.txt)" >> $GITHUB_ENV
 echo "EOF" >> $GITHUB_ENV
-
- - name: Post results to slack
- uses: adrey/slack-file-upload-action@master
- with:
- thread_ts: ${{needs.start_workflow.outputs.init_message_ts}}
- channel: ${{ secrets.SLACK_CHANNEL_ID }} # check
- path: "/home/runner/work/privado/privado/temp/standalone-monitoring-stability/result-${{matrix.language}}-${{github.event.number}}.zip"
- initial_comment: "Comparison Results generated on ${{github.event.repository.name}} by PR ${{github.event.number}} from branch ${{github.head_ref}} to ${{github.base_ref}} \nPR link https://github.com/Privado-Inc/privado/pull/${{github.event.number}}\n Language: ${{matrix.language}} \nSummary Report:\n ${{ env.MESSAGE }}"
- filetype: "zip"
- token: ${{ secrets.SLACK_TOKEN }}
+ - name: Post results to slack
+ run: curl -o- https://raw.githubusercontent.com/Privado-Inc/standalone-monitoring-stability/private-fork/slack_upload.sh | bash
+ env:
+ SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
+ SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }}
+ FILE_NAME: "result-${{matrix.language}}-${{ env.PR_NUMBER }}.zip"
+ INIT_TS: ${{ needs.start_workflow.outputs.init_message_ts }}
+ FILE_PATH: "/home/runner/work/joern/joern/temp/standalone-monitoring-stability/result-${{matrix.language}}-${{ env.PR_NUMBER }}.zip"
+ PR_MESSAGE: "Comparison Results generated on ${{ env.REPOSITORY_NAME }} by PR ${{ env.PR_NUMBER }} from branch ${{ env.HEAD_REF }} to ${{ env.BASE_REF }} \nPR link ${{ env.PR_URL }}\n Language: ${{matrix.language}} \nSummary Report:\n ${{ env.MESSAGE }}"
+
+
 - name: Export workflow output
 run: cd ./temp/standalone-monitoring-stability && python3 ./workflow_check.py /home/runner/work/privado/privado/temp/standalone-monitoring-stability/results/slack_summary.txt
@@ -98,6 +109,9 @@ jobs:
 echo "$(cat ./temp/standalone-monitoring-stability/action_result.txt)" >> $GITHUB_ENV
 echo "EOF" >> $GITHUB_ENV
+ - name: Print action result
+ run: cat ./temp/standalone-monitoring-stability/action_result.txt
+
 - name: Upload summary file
 uses: actions/upload-artifact@master
 with:
@@ -129,7 +143,6 @@ jobs:
 path: ./temp/standalone-monitoring-stability
 ref: main
-
 - name: Collate summary
 run: cd ./temp/standalone-monitoring-stability && pip install -r requirements.txt && python3 ./collate_summary.py -s /home/runner/work/privado/privado/language_summary 
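Review bot: The new "Run the script" `run:` line does not achieve what the commit title says: `${{ env.HEAD_REF }}`, `${{ env.BASE_REF }}`, `${{ env.BASE_RULE_URL }}` and `${{ env.HEAD_RULE_URL }}` are still expression substitutions expanded into the shell script before bash sees it, so a PR branch name or fork URL is interpolated exactly as `${{ github.head_ref }}` was, while the removed line's `-rbh $HEAD_REF` was the safe form; the fix is to read the variables from the environment, `-rbb "$BASE_REF" -rbh "$HEAD_REF" -brr "$BASE_RULE_URL" -hrr "$HEAD_RULE_URL"`, and to keep the removed comment explaining why. Two typos on the new side also change the commands: `-rbb ${{ env.BASE_REF }}}` passes a trailing `}` to `run.py`, and the Move-results `mv` destination is `$${{ env.PR_NUMBERĀ }}.xlsx` (doubled `$` plus a stray non-ASCII character), so the `.xlsx` rename will not match the source name. The new "Post results to slack" step pipes `curl` of `slack_upload.sh` from the mutable `private-fork` branch into `bash` with `SLACK_TOKEN` (and, via the workflow-level `env:`, `GITHUB_TOKEN` and `CORE_AT`) in its environment, so whoever can push to that branch can run code with those tokens; the same repository is already checked out at ref `private-fork` under `./temp/standalone-monitoring-stability`, so run the checked-out copy, `run: bash ./temp/standalone-monitoring-stability/slack_upload.sh`, or pin the download to a commit SHA. `FILE_PATH` is `/home/runner/work/joern/joern/…` while the Zip step two lines above writes to `/home/runner/work/privado/privado/…`, so the upload will not find the archive; `$GITHUB_WORKSPACE/temp/standalone-monitoring-stability/result-…zip` avoids both hard-coded paths. The `setup_and_scan` job continues outside this hunk.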
@@ -144,6 +157,6 @@ jobs:
 with:
 update-ts: ${{needs.start_workflow.outputs.init_message_ts}}
 channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
- slack-message: "\nComparison Results generated on ${{github.event.repository.name}} by PR ${{github.event.number}} from branch ${{github.head_ref}} to ${{github.base_ref}} \nPR link https://github.com/Privado-Inc/privado/pull/${{github.event.number}}\nLanguage: All \nSummary Report:\n ${{ env.MESSAGE }}"
+ slack-message: "\nComparison Results generated on ${{ env.REPOSITORY_NAME }} by PR ${{ env.PR_NUMBER }} from branch ${{ env.HEAD_REF }} to ${{ env.BASE_REF }} \nPR link https://github.com/Privado-Inc/privado/pull/${{ env.PR_NUMBER }}\nLanguage: All \nSummary Report:\n ${{ env.MESSAGE }}"
 env:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_TOKEN }}
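Review bot: The rewritten `slack-message` still hard-codes `https://github.com/Privado-Inc/privado/pull/${{ env.PR_NUMBER }}` while the per-language message added earlier in this commit uses `${{ env.PR_URL }}`; use `PR link ${{ env.PR_URL }}` here too so the two messages stay consistent and the link follows the repository the workflow actually runs in. The step-level `env: SLACK_BOT_TOKEN:` kept below now duplicates the workflow-level `SLACK_BOT_TOKEN` added in the same commit and can be removed. The enclosing step starts outside this hunk.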