From ac03fed3324a1885cbfb5bf54cac6c6dae40441d Mon Sep 17 00:00:00 2001
From: Jason Song <i@wolfogre.com>
Date: Mon, 3 Apr 2023 12:25:29 +0800
Subject: [PATCH 1/2] fix: IsForkPullRequest for agit

---
 models/actions/run.go               |  2 +-
 services/actions/notifier_helper.go | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/models/actions/run.go b/models/actions/run.go
index 22041b65a9b1a..e1e1d22dccc2d 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -36,7 +36,7 @@ type ActionRun struct {
 	TriggerUser       *user_model.User       `xorm:"-"`
 	Ref               string
 	CommitSHA         string
-	IsForkPullRequest bool
+	IsForkPullRequest bool  // is this a PR from a forked repository or an untrusted user, if so, we need to check if it's approved and limit the permissions when running the workflow
 	NeedApproval      bool  // may need approval if it's a fork pull request
 	ApprovedBy        int64 `xorm:"index"` // who approved
 	Event             webhook_module.HookEventType
diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go
index b0e199fc6bd4e..1c1b986a419b0 100644
--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@@ -152,6 +152,21 @@ func notify(ctx context.Context, input *notifyInput) error {
 		return fmt.Errorf("json.Marshal: %w", err)
 	}
 
+	isForkPullRequest := false
+	if pr := input.PullRequest; pr != nil {
+		switch pr.Flow {
+		case issues_model.PullRequestFlowGithub:
+			isForkPullRequest = pr.IsFromFork()
+		case issues_model.PullRequestFlowAGit:
+			// There is no fork concept in agit flow, anyone with read permission can push refs/for/<target-branch>/<topic-branch> to the repo.
+			// So we can treat it as a fork pull request because it may be from an untrusted user
+			isForkPullRequest = true
+		default:
+			// unknown flow, assume it's a fork pull request to be safe
+			isForkPullRequest = true
+		}
+	}
+
 	for id, content := range workflows {
 		run := &actions_model.ActionRun{
 			Title:             strings.SplitN(commit.CommitMessage, "\n", 2)[0],
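Review bot: The `default:` arm of the new switch folds any unrecognised `pr.Flow` into the untrusted path without surfacing it; failing closed is the right choice, but an unknown flow value at this site most likely means a new flow was added elsewhere and this classifier was not updated, and nothing here will make that visible. If this file has the package logger in scope, a one-line warning before the assignment, e.g. `log.Warn("unknown pull request flow %v on PR %d, treating it as a fork pull request", pr.Flow, pr.ID)`, would turn that gap into an operational signal instead of only unexplained approval gates. The AGit comment would also read better if it stated the consequence directly: `// AGit has no forks: anyone with read permission can push refs/for/<branch>/<topic>, so the run must go through the same approval and permission limits as a fork PR.` The enclosing `notify` body begins before this hunk and continues after it.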
@@ -161,7 +176,7 @@ func notify(ctx context.Context, input *notifyInput) error {
 			TriggerUserID:     input.Doer.ID,
 			Ref:               ref,
 			CommitSHA:         commit.ID.String(),
-			IsForkPullRequest: input.PullRequest != nil && input.PullRequest.IsFromFork(),
+			IsForkPullRequest: isForkPullRequest,
 			Event:             input.Event,
 			EventPayload:      string(p),
 			Status:            actions_model.StatusWaiting,

From d2879456567f4bca1206a40dd63e399f2a0b0702 Mon Sep 17 00:00:00 2001
From: Jason Song <i@wolfogre.com>
Date: Mon, 3 Apr 2023 12:30:40 +0800
Subject: [PATCH 2/2] fix: typo

---
 models/actions/run.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/models/actions/run.go b/models/actions/run.go
index e1e1d22dccc2d..b58683dd36b35 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -36,7 +36,7 @@ type ActionRun struct {
 	TriggerUser       *user_model.User       `xorm:"-"`
 	Ref               string
 	CommitSHA         string
-	IsForkPullRequest bool  // is this a PR from a forked repository or an untrusted user, if so, we need to check if it's approved and limit the permissions when running the workflow
+	IsForkPullRequest bool  // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
 	NeedApproval      bool  // may need approval if it's a fork pull request
 	ApprovedBy        int64 `xorm:"index"` // who approved
 	Event             webhook_module.HookEventType