Skip to content

Commit

Permalink
Remove Report Workflows (#4830)
Browse files Browse the repository at this point in the history 
There is a chance that these workflows allow an attacker to write to the
repo without going through a proper review workflows. The chance is slim
since to run malicious code a review is required in the first place.

Nevertheless we remove the problematic workflows in this PR.
  • Loading branch information
@beckerhe
beckerhe authored May 22, 2023
1 parent 2b0354a commit 6cd71a3
Show file tree
Hide file tree
Showing 3 changed files with 2 additions and 328 deletions.
180 changes: 0 additions & 180 deletions .github/workflows/iwyu.yml
View file

This file was deleted.

55 changes: 1 addition & 54 deletions .github/workflows/report-build-and-test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,57 +24,4 @@ jobs:
artifact: /test-results-(.*)-(.*)/
name: '$2 $1 Test Results'
path: '**/*.xml'
reporter: java-junit

report-clang-tidy-diff:
permissions:
pull-requests: write
runs-on: ubuntu-latest
steps:
- name: Download PR metadata
uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
workflow_conclusion: ''
name: pr_metadata
if_no_artifact_found: 'ignore'
- name: Download clang_tidy_fixes
uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
workflow_conclusion: ''
name: clang_tidy_fixes
if_no_artifact_found: 'ignore'
- name: Set found_files
id: set_found_files
run: |
if [ -f clang-tidy-fixes.yml ] && [ -f pr_number.txt ] && [ -f pr_head_repo.txt ] && [ -f pr_head_ref.txt ]; then
echo "found_files=true" >> $GITHUB_OUTPUT
else
echo "found_files=false" >> $GITHUB_OUTPUT
fi
- run: |
echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV
if: steps.set_found_files.outputs.found_files == 'true'
- uses: actions/checkout@v3
if: steps.set_found_files.outputs.found_files == 'true'
with:
repository: ${{ env.PR_HEAD_REPO }}
ref: ${{ env.PR_HEAD_REF }}
persist-credentials: false
- name: Redownload clang_tidy_fixes
if: steps.set_found_files.outputs.found_files == 'true'
uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
workflow_conclusion: ''
name: clang_tidy_fixes
if_no_artifact_found: 'ignore'
- uses: platisd/clang-tidy-pr-comments@89ea1b828cdac1a6ec993d225972adea3b8841b6
if: steps.set_found_files.outputs.found_files == 'true'
with:
github_token: ${{ secrets.ORBITPROFILER_BOT_PAT }}
clang_tidy_fixes: clang-tidy-fixes.yml
pull_request_id: ${{ env.PR_NUMBER }}
reporter: java-junit
95 changes: 1 addition & 94 deletions .github/workflows/report-checks.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,97 +33,4 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMIT_SHA: ${{ github.event.workflow_run.head_commit.id }}
shell: bash

report-clang-format-diff:
permissions:
pull-requests: write
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
workflow_conclusion: ''
- run: echo "PR_NUMBER=$(cat pr_number/pr_number.txt | jq -r .)" >> $GITHUB_ENV
- run: npm install gitdiff-parser escape-json-node
if: ${{ github.event.workflow_run.conclusion == 'failure' }}
- name: Report clang-format suggestions
if: ${{ github.event.workflow_run.conclusion == 'failure' }}
uses: actions/github-script@v6
env:
COMMIT_SHA: ${{ github.event.workflow_run.head_commit.id }}
with:
github-token: ${{ secrets.ORBITPROFILER_BOT_PAT }}
script: |
const {repo, owner} = context.repo;
function* createComments() {
const gitDiffParser = require('gitdiff-parser');
const escapeJSON = require('escape-json-node');
const gitDiffText = require("fs").readFileSync(
"clang_format_diff/clang_format.diff").toString();
const diffFiles = gitDiffParser.parse(gitDiffText);
for (const diffFile of diffFiles) {
for (const hunk of diffFile.hunks) {
let comment = {};
comment.path = diffFile.oldPath;
if (hunk.oldLines > 1) {
comment.start_line = hunk.oldStart;
comment.line = hunk.oldStart + hunk.oldLines - 1;
} else {
comment.line = hunk.oldStart;
}
comment.start_side = 'RIGHT';
comment.side = 'RIGHT';
const suggestion = hunk.changes.filter(change => !change.isDelete).map(
change => escapeJSON(change.content)).join("\n");
comment.body = `clang-format:\n\`\`\`suggestion\n${suggestion}\n\`\`\``;
yield comment;
}
}
}
async function deleteOldBotComments(pr_number) {
const comments = await github.paginate(
'GET /repos/{owner}/{repo}/pulls/{pull_number}/comments{?sort,direction,since,per_page,page}',
{
owner: owner,
repo: repo,
pull_number: pr_number
});
const comment_ids = comments.filter(
comment => comment.user.login === 'orbitprofiler-bot'
&& comment.body.startsWith('clang-format:')).map(
comment => comment.id);
await Promise.all(comment_ids.map(async (comment_id) => {
console.log(`deleting comment: ${comment_id}`);
await github.request(
'DELETE /repos/{owner}/{repo}/pulls/comments/{comment_id}', {
owner: owner,
repo: repo,
comment_id: comment_id
});
}));
}
deleteOldBotComments(process.env.PR_NUMBER);
const comments = [...createComments()];
const request = {
owner: owner,
repo: repo,
pull_number: process.env.PR_NUMBER,
commit_id: process.env.COMMIT_SHA,
body: 'Thanks for your change. Please address the suggested formatting changes.',
event: 'COMMENT',
comments: comments
}
console.log(`Sending request:\n${request}\n\n`);
const result = await github.request(`POST /repos/${owner}/${repo}/pulls/${process.env.PR_NUMBER}/reviews`, request);
console.log(`Received:\n${result}`);
shell: bash

0 comments on commit 6cd71a3

Please sign in to comment.