Allow privileged testing of PRs (#5307)

Author: retorquere

.github/workflows/sheldon.yaml

@@ -2,15 +2,34 @@ name: Pull request feedback
 
 on:
   pull_request_target:
-    types: [ opened, synchronize ]
+    types: [ opened, synchronize, labeled ]
 
 jobs:
   test:
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
     steps:
-    - uses: actions/checkout@v2
+    # owner-test just checks out the PR -- this has an exfiltration risk, make SURE that
+    # this can only be triggered by people with repo write access -- such as people that can add
+    # labels to a PR
+    # https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+    - name: Checkout repo for OWNER TEST
+      uses: actions/checkout@v2
+      if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    # otherwise, checkout the current master, and the pr to the subdirectory 'pr'
+    - name: Checkout base repo for pull-request test
+      uses: actions/checkout@v2
+      if: "! contains(github.event.pull_request.labels.*.name, 'safe to test')"
+    - name: Checkout pull-request
+      uses: actions/checkout@v2
+      if: "! contains(github.event.pull_request.labels.*.name, 'safe to test')"
+      with:
+        path: pull-request
+        ref: ${{ github.event.pull_request.head.sha }}
 
     - name: Check for relevant changes
       uses: dorny/paths-filter@v2
@@ -29,34 +48,26 @@ jobs:
         echo changed: ${{ steps.changed.outputs.style_files }} ${{ steps.changed.outputs.locale_files }}
 
     - name: Set up Ruby
-      if: steps.changed.outputs.style == 'true' || steps.changed.outputs.locale == 'true'
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: 2.7.1
     - name: but use cache to speed that up
-      if: steps.changed.outputs.style == 'true' || steps.changed.outputs.locale == 'true'
       uses: actions/cache@v2
       with:
         path: vendor/bundle
         key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
         restore-keys: |
           ${{ runner.os }}-gems-
     - name: Bundle install
-      if: steps.changed.outputs.style == 'true' || steps.changed.outputs.locale == 'true'
       run: |
         bundle config path vendor/bundle
         bundle update sheldon --jobs 4 --retry 3
 
-    - name: Apply the PR
-      if: steps.changed.outputs.style == 'true' || steps.changed.outputs.locale == 'true'
-      run: bundle exec sheldon --token=$GITHUB_TOKEN --apply
-
     - name: Welcome to a new PR
       if: github.event.action == 'opened' && steps.changed.outputs.style == 'true'
       run: bundle exec sheldon --token=$GITHUB_TOKEN --welcome
 
     - name: See if the styles/locales work
-      if: steps.changed.outputs.style == 'true' || steps.changed.outputs.locale == 'true'
       run: bundle exec rake
 
     - name: report

spec/spec_helper.rb

@@ -3,6 +3,8 @@
 require 'yaml'
 
 STYLE_ROOT = File.expand_path('../..', __FILE__)
+PULL_REQUEST = File.join(STYLE_ROOT, 'pull-request')
+STYLE_ROOT = PULL_REQUEST if File.directory?(PULL_REQUEST)
 
 ISSN = Hash.new { |h,k| h[k] = [] }
 TITLES = Hash.new { |h,k| h[k] = [] }