Comment on the pull request #1759
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NOTE: This has read-write repo token and access to secrets, so this must | |
| # not run any untrusted code. | |
| # see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| name: Comment on the pull request | |
| on: | |
| workflow_run: | |
| workflows: ["Build Plugins PR"] | |
| types: | |
| - completed | |
| jobs: | |
| upload: | |
| runs-on: ubuntu-latest | |
| if: github.event.workflow_run.event == 'pull_request' | |
| steps: | |
| - name: 'Download artifact' | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| run_id: ${{github.event.workflow_run.id }}, | |
| }); | |
| var matchArtifact = artifacts.data.artifacts.filter((artifact) => { | |
| return artifact.name == "pr" | |
| })[0]; | |
| var download = await github.rest.actions.downloadArtifact({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| artifact_id: matchArtifact.id, | |
| archive_format: 'zip', | |
| }); | |
| var fs = require('fs'); | |
| fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); | |
| - name: 'Unpack artifact' | |
| run: unzip pr.zip | |
| - name: 'Comment on PR' | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| var fs = require('fs'); | |
| var issue_number = Number(fs.readFileSync('./NR')); | |
| // Validate artifact PR number against the workflow_run context | |
| // to prevent artifact poisoning (cross-issue comment injection). | |
| const head_sha = context.payload.workflow_run.head_sha; | |
| const {data: associated_prs} = await github.rest.repos.listPullRequestsAssociatedWithCommit({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| commit_sha: head_sha, | |
| }); | |
| const valid_pr_numbers = associated_prs.map(pr => pr.number); | |
| if (!valid_pr_numbers.includes(issue_number)) { | |
| core.setFailed(`Artifact PR number ${issue_number} does not match any PR for commit ${head_sha}. Aborting to prevent artifact poisoning.`); | |
| return; | |
| } | |
| var comment_body = fs.readFileSync('./COMMENT'); | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: issue_number, | |
| body: comment_body.toString('utf8') | |
| }); |