Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security improvements means this action doesn't work if triggered by push from dependabot #137

Closed
electrofelix opened this issue Apr 9, 2021 · 1 comment
Closed

Security improvements means this action doesn't work if triggered by push from dependabot #137

electrofelix opened this issue Apr 9, 2021 · 1 comment

Comments

@electrofelix
Copy link
Contributor

Github has changed the github token provided for push & pull_request events if triggered by dependabot to have read-only access. It would be useful if this could also work with the workflow_run as that is the default recommended way of having an untrusted workflow trigger a trusted workflow.

I'm not familiar enough with typescript/javascript to know exactly how to put together a suitable test so it might be a while before I'd be able to provide anything useful. At a rudimentary level I'm thinking something like the following would allow this to support the workflow_run event, though maybe it could be improved to reuse handlePush after setting up the correct eventData instead of duplicating it?:

  async handleWorkflowRun(): Promise<number> {
    const { workflow_run, repository } = this.eventData;
    const ref = workflow_run.head_branch;

    ghCore.info(`Handling workflow-run event triggered by '${workflow_run.workflow}'`);

    if (!ref.startsWith('refs/heads/')) {
      ghCore.warning('Workflow_run event was not triggered by an event on a branch, skipping.');
      return 0;
    }

    const baseBranch = ref.replace('refs/heads/', '');

    let updated = 0;
    const paginatorOpts = this.octokit.pulls.list.endpoint.merge({
      owner: repository.owner.name,
      repo: repository.name,
      base: baseBranch,
      state: 'open',
      sort: 'updated',
      direction: 'desc',
    });

    let pullsPage: octokit.OctokitResponse<any>;
    for await (pullsPage of this.octokit.paginate.iterator(paginatorOpts)) {
      let pull: octokit.PullsUpdateResponseData;
      for (pull of pullsPage.data) {
        ghCore.startGroup(`PR-${pull.number}`);
        const isUpdated = await this.update(pull);
        ghCore.endGroup();

        if (isUpdated) {
          updated++;
        }
      }
    }

    ghCore.info(
      `Auto update complete, ${updated} pull request(s) that point to base branch '${baseBranch}' were updated.`,
    );

    return updated;
  }
@electrofelix electrofelix mentioned this issue Apr 9, 2021
Closed
@chinthakagodawita
Copy link
Owner

Fixed by #138 & #147

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support workflow_run triggered by push event workflows electrofelix/autoupdate
2 participants
@electrofelix @chinthakagodawita