Add option to verify SSL/TLS connection

EnricoMi · Nov 6, 2024 · 405f101 · 405f101
1 parent ab75628
commit 405f101
Show file tree

Hide file tree

Showing 13 changed files with 55 additions and 1 deletion.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -109,6 +109,7 @@ jobs:
             -e "INPUT_GITHUB_TOKEN" \
             -e "INPUT_GITHUB_TOKEN_ACTOR" \
             -e "INPUT_GITHUB_RETRIES" \
+            -e "INPUT_SSL_VERIFY" \
             -e "INPUT_COMMIT" \
             -e "INPUT_COMMENT_TITLE" \
             -e "INPUT_COMMENT_MODE" \

diff --git a/README.md b/README.md
@@ -311,6 +311,7 @@ The list of most notable options:
 |`github_token`|`${{github.token}}`|An alternative GitHub token, other than the default provided by GitHub Actions runner.|
 |`github_token_actor`|`github-actions`|The name of the GitHub app that owns the GitHub API Access Token (see github_token). Used to identify pull request comments created by this action during earlier runs. Has to be set when `github_token` is set to a GitHub app installation token (other than GitHub actions). Otherwise, existing comments will not be updated, but new comments created. Note: this does not change the bot name of the pull request comments.|
 |`github_retries`|`10`|Requests to the GitHub API are retried this number of times. The value must be a positive integer or zero.|
+|`ssl_verify`|`true`|Either `true` or `false`, in which case it controls whether to verify the Github server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. Default is `true`.|
 |`seconds_between_github_reads`|`0.25`|Sets the number of seconds the action waits between concurrent read requests to the GitHub API.|
 |`seconds_between_github_writes`|`2.0`|Sets the number of seconds the action waits between concurrent write requests to the GitHub API.|
 |`secondary_rate_limit_wait_seconds`|`60.0`|Sets the number of seconds to wait before retrying secondary rate limit errors. If not set, the default defined in the PyGithub library is used (currently 60 seconds).|

diff --git a/action.yml b/action.yml
@@ -15,6 +15,10 @@ inputs:
     description: 'Requests to the GitHub API are retried this number of times. The value must be a positive integer or zero.'
     default: '10'
     required: false
+  ssl_verify:
+    description: 'Either "true" or "false", in which case it controls whether to verify the Github server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. Default is "true".'
+    default: true
+    required: false
   commit:
     description: 'Commit SHA to which test results are published. Only needed if the value of GITHUB_SHA does not work for you.'
     required: false

diff --git a/composite/action.yml b/composite/action.yml
@@ -15,6 +15,10 @@ inputs:
     description: 'Requests to the GitHub API are retried this number of times. The value must be a positive integer or zero.'
     default: '10'
     required: false
+  ssl_verify:
+    description: 'Either "true" or "false", in which case it controls whether to verify the Github server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. Default is "true".'
+    default: true
+    required: false
   commit:
     description: 'Commit SHA to which test results are published. Only needed if the value of GITHUB_SHA does not work for you.'
     required: false
@@ -286,6 +290,7 @@ runs:
         GITHUB_TOKEN: ${{ inputs.github_token }}
         GITHUB_TOKEN_ACTOR: ${{ inputs.github_token_actor }}
         GITHUB_RETRIES: ${{ inputs.github_retries }}
+        SSL_VERIFY: ${{ inputs.ssl_verify }}
         COMMIT: ${{ inputs.commit }}
         CHECK_NAME: ${{ inputs.check_name }}
         COMMENT_TITLE: ${{ inputs.comment_title }}

diff --git a/linux/action.yml b/linux/action.yml
@@ -15,6 +15,10 @@ inputs:
     description: 'Requests to the GitHub API are retried this number of times. The value must be a positive integer or zero.'
     default: '10'
     required: false
+  ssl_verify:
+    description: 'Either "true" or "false", in which case it controls whether to verify the Github server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. Default is "true".'
+    default: true
+    required: false
   commit:
     description: 'Commit SHA to which test results are published. Only needed if the value of GITHUB_SHA does not work for you.'
     required: false
@@ -251,6 +255,7 @@ runs:
         GITHUB_TOKEN: ${{ inputs.github_token }}
         GITHUB_TOKEN_ACTOR: ${{ inputs.github_token_actor }}
         GITHUB_RETRIES: ${{ inputs.github_retries }}
+        SSL_VERIFY: ${{ inputs.ssl_verify }}
         COMMIT: ${{ inputs.commit }}
         CHECK_NAME: ${{ inputs.check_name }}
         COMMENT_TITLE: ${{ inputs.comment_title }}

diff --git a/macos/action.yml b/macos/action.yml
@@ -15,6 +15,10 @@ inputs:
     description: 'Requests to the GitHub API are retried this number of times. The value must be a positive integer or zero.'
     default: '10'
     required: false
+  ssl_verify:
+    description: 'Either "true" or "false", in which case it controls whether to verify the Github server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. Default is "true".'
+    default: true
+    required: false
   commit:
     description: 'Commit SHA to which test results are published. Only needed if the value of GITHUB_SHA does not work for you.'
     required: false
@@ -251,6 +255,7 @@ runs:
         GITHUB_TOKEN: ${{ inputs.github_token }}
         GITHUB_TOKEN_ACTOR: ${{ inputs.github_token_actor }}
         GITHUB_RETRIES: ${{ inputs.github_retries }}
+        SSL_VERIFY: ${{ inputs.ssl_verify }}
         COMMIT: ${{ inputs.commit }}
         CHECK_NAME: ${{ inputs.check_name }}
         COMMENT_TITLE: ${{ inputs.comment_title }}

diff --git a/python/publish/publisher.py b/python/publish/publisher.py
@@ -34,6 +34,7 @@ class Settings:
     api_url: str
     graphql_url: str
     api_retries: int
+    ssl_verify: bool | str
     event: dict
     event_file: Optional[str]
     event_name: str

diff --git a/python/publish_test_results.py b/python/publish_test_results.py
@@ -40,6 +40,7 @@ def get_conclusion(parsed: ParsedUnitTestResults, fail_on_failures, fail_on_erro
 
 def get_github(auth: github.Auth,
                url: str,
+               verify: bool | str,
                retries: int,
                backoff_factor: float,
                seconds_between_requests: Optional[float],
@@ -51,6 +52,7 @@ def get_github(auth: github.Auth,
     return github.Github(auth=auth,
                          base_url=url,
                          per_page=100,
+                         verify=verify,
                          retry=retry,
                          seconds_between_requests=seconds_between_requests,
                          seconds_between_writes=seconds_between_writes)
@@ -262,6 +264,7 @@ def main(settings: Settings, gha: GithubAction) -> None:
     gh = get_github(auth=github.Auth.Token(settings.token),
                     url=settings.api_url,
                     retries=settings.api_retries,
+                    verify=settings.ssl_verify,
                     backoff_factor=backoff_factor,
                     seconds_between_requests=settings.seconds_between_github_reads,
                     seconds_between_writes=settings.seconds_between_github_writes,
@@ -409,6 +412,11 @@ def get_settings(options: dict, gha: GithubAction) -> Settings:
 
     api_url = options.get('GITHUB_API_URL') or github.Consts.DEFAULT_BASE_URL
     graphql_url = options.get('GITHUB_GRAPHQL_URL') or f'{github.Consts.DEFAULT_BASE_URL}/graphql'
+    ssl_verify_str = get_var('SSL_VERIFY', options) or 'True'
+    if ssl_verify_str.lower() in ['true', 'false']:
+        ssl_verify = ssl_verify_str.lower() == 'true'
+    else:
+        ssl_verify = ssl_verify_str
     test_changes_limit = get_var('TEST_CHANGES_LIMIT', options) or '10'
     check_var_condition(test_changes_limit.isnumeric(), f'TEST_CHANGES_LIMIT must be a positive integer or 0: {test_changes_limit}')
 
@@ -451,6 +459,7 @@ def get_settings(options: dict, gha: GithubAction) -> Settings:
         actor=get_var('GITHUB_TOKEN_ACTOR', options) or 'github-actions',
         api_url=api_url,
         graphql_url=graphql_url,
+        ssl_verify=ssl_verify,
         api_retries=int(retries),
         event=event,
         event_file=event_file,

diff --git a/python/test/test_action_script.py b/python/test/test_action_script.py
@@ -164,6 +164,7 @@ def get_settings(token='token',
                      api_url='http://github.api.url/',
                      graphql_url='http://github.graphql.url/',
                      retries=2,
+                     ssl_verify: bool | str=True,
                      event={},
                      event_file=None,
                      event_name='event name',
@@ -210,6 +211,7 @@ def get_settings(token='token',
             api_url=api_url,
             graphql_url=graphql_url,
             api_retries=retries,
+            ssl_verify=ssl_verify,
             event=event.copy(),
             event_file=event_file,
             event_name=event_name,
@@ -302,6 +304,16 @@ def test_get_settings_github_retries(self):
                     self.do_test_get_settings(GITHUB_RETRIES=retries, expected=None)
                 self.assertIn(f'GITHUB_RETRIES must be a positive integer or 0: {retries}', re.exception.args)
 
+    def test_get_settings_github_ssl_verify(self):
+        self.do_test_get_settings(SSL_VERIFY='true', expected=self.get_settings(ssl_verify=True))
+        self.do_test_get_settings(SSL_VERIFY='True', expected=self.get_settings(ssl_verify=True))
+        self.do_test_get_settings(SSL_VERIFY='TrUe', expected=self.get_settings(ssl_verify=True))
+        self.do_test_get_settings(SSL_VERIFY='false', expected=self.get_settings(ssl_verify=False))
+        self.do_test_get_settings(SSL_VERIFY='False', expected=self.get_settings(ssl_verify=False))
+        self.do_test_get_settings(SSL_VERIFY='FaLsE', expected=self.get_settings(ssl_verify=False))
+        self.do_test_get_settings(SSL_VERIFY='/path/to/cert', expected=self.get_settings(ssl_verify='/path/to/cert'))
+        self.do_test_get_settings(SSL_VERIFY=None, expected=self.get_settings(ssl_verify=True))
+
     def test_get_settings_any_files(self):
         for files in [None, 'file']:
             for junit in [None, 'junit-file']:

diff --git a/python/test/test_github.py b/python/test/test_github.py
@@ -21,7 +21,7 @@ class TestGitHub(unittest.TestCase):
 
     base_url = f'http://localhost:12380/api'
     auth = github.Auth.Token('login or token')
-    gh = get_github(auth, base_url, retries=1, backoff_factor=0.1, seconds_between_requests=None, seconds_between_writes=None, secondary_rate_wait=3)
+    gh = get_github(auth, base_url, verify=True, retries=1, backoff_factor=0.1, seconds_between_requests=None, seconds_between_writes=None, secondary_rate_wait=3)
 
     @classmethod
     def start_api(cls, app: Flask) -> Process:

diff --git a/python/test/test_publisher.py b/python/test/test_publisher.py
@@ -102,6 +102,7 @@ def create_settings(actor='actor',
             api_url='https://the-github-api-url',
             graphql_url='https://the-github-graphql-url',
             api_retries=1,
+            ssl_verify=True,
             event=event,
             event_file=None,
             event_name=event_name,

diff --git a/windows/action.yml b/windows/action.yml
@@ -15,6 +15,10 @@ inputs:
     description: 'Requests to the GitHub API are retried this number of times. The value must be a positive integer or zero.'
     default: '10'
     required: false
+  ssl_verify:
+    description: 'Either "true" or "false", in which case it controls whether to verify the Github server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. Default is "true".'
+    default: true
+    required: false
   commit:
     description: 'Commit SHA to which test results are published. Only needed if the value of GITHUB_SHA does not work for you.'
     required: false
@@ -257,6 +261,7 @@ runs:
         GITHUB_TOKEN: ${{ inputs.github_token }}
         GITHUB_TOKEN_ACTOR: ${{ inputs.github_token_actor }}
         GITHUB_RETRIES: ${{ inputs.github_retries }}
+        SSL_VERIFY: ${{ inputs.ssl_verify }}
         COMMIT: ${{ inputs.commit }}
         CHECK_NAME: ${{ inputs.check_name }}
         COMMENT_TITLE: ${{ inputs.comment_title }}

diff --git a/windows/bash/action.yml b/windows/bash/action.yml
@@ -15,6 +15,10 @@ inputs:
     description: 'Requests to the GitHub API are retried this number of times. The value must be a positive integer or zero.'
     default: '10'
     required: false
+  ssl_verify:
+    description: 'Either "true" or "false", in which case it controls whether to verify the Github server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. Default is "true".'
+    default: true
+    required: false
   commit:
     description: 'Commit SHA to which test results are published. Only needed if the value of GITHUB_SHA does not work for you.'
     required: false
@@ -255,6 +259,7 @@ runs:
         GITHUB_TOKEN: ${{ inputs.github_token }}
         GITHUB_TOKEN_ACTOR: ${{ inputs.github_token_actor }}
         GITHUB_RETRIES: ${{ inputs.github_retries }}
+        SSL_VERIFY: ${{ inputs.ssl_verify }}
         COMMIT: ${{ inputs.commit }}
         CHECK_NAME: ${{ inputs.check_name }}
         COMMENT_TITLE: ${{ inputs.comment_title }}