Replace pull_request_target workflow with two workflows that upload/download an artifact. #251
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: dblock <dblock@amazon.com>
dblock
requested review from
harshavamsi,
pgtgrly,
sachetalva,
nhtruong,
Xtansia and
VachaShah
as code owners
|
API specs implemented for 247/649 (38%) APIs. |
dblock
changed the title
Xtansia
requested changes
Apr 18, 2024
Comment on lines
16
to
38
| - name: Download Coverage Report | ||
| uses: actions/github-script@v3.1.0 | ||
| with: | ||
| script: | | ||
| var artifacts = await github.actions.listWorkflowRunArtifacts({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| run_id: ${{github.event.workflow_run.id }}, | ||
| }); | ||
| var matchArtifact = artifacts.data.artifacts.filter((artifact) => { | ||
| return artifact.name == "coverage" | ||
| })[0]; | ||
| var download = await github.actions.downloadArtifact({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| artifact_id: matchArtifact.id, | ||
| archive_format: 'zip', | ||
| }); | ||
| var fs = require('fs'); | ||
| fs.writeFileSync('${{github.workspace}}/coverage.zip', Buffer.from(download.data)); | ||
| - run: | | ||
| unzip coverage.zip | ||
| cat coverage.json |
There was a problem hiding this comment.
actions/download-artifact@v4 now supports downloading artifacts from other workflow runs: https://github.com/actions/download-artifact?tab=readme-ov-file#download-artifacts-from-other-workflow-runs-or-repositories
There was a problem hiding this comment.
Updated. This is much nicer.
Successful comment run: https://github.com/dblock/opensearch-api-specification/actions/runs/8752961841
Comment on: dblock#5
|
API specs implemented for 247/649 (38%) APIs. |
Signed-off-by: dblock <dblock@amazon.com>
dblock
force-pushed
the
use-hunter-gather-workflow
branch
from
7ef04a1 to
f0a50bf
Compare
|
API specs implemented for 247/649 (38%) APIs. |
nhtruong
reviewed
Apr 20, 2024
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| script: | | ||
| const fs = require('fs'); | ||
| var data = JSON.parse(fs.readFileSync('./coverage.json')); |
There was a problem hiding this comment.
nit: avoid declaring a variable with var, as you MIGHT overwrite var data declared else where. Use const in this case instead.
Xtansia
approved these changes
Apr 21, 2024
Merged
djmadeira
added a commit
to djmadeira/opensearch-api-specification
that referenced
this pull request
May 7, 2024
additional paths Fixed spec (opensearch-project#246) Signed-off-by: saimedhi <saimedhi@amazon.com> Fixed search_pipeline spec (opensearch-project#253) Signed-off-by: saimedhi <saimedhi@amazon.com> Updated API name: search_pipeline.create to search_pipeline.put (opensearch-project#254) Signed-off-by: saimedhi <saimedhi@amazon.com> Fixed search_pipeline.get spec (opensearch-project#255) Signed-off-by: saimedhi <saimedhi@amazon.com> Filled in Missing Defaults (opensearch-project#249) * Filled in Missing Defaults Signed-off-by: Theo Truong <theotr@amazon.com> * # Wordings Signed-off-by: Theo Truong <theotr@amazon.com> --------- Signed-off-by: Theo Truong <theotr@amazon.com> Replace pull_request_target workflow with two workflows that upload/download an artifact. (opensearch-project#251) * Fix: replace pull_request_target with a download/upload artifact. Signed-off-by: dblock <dblock@amazon.com> * Use upload/download-artifact@v4. Signed-off-by: dblock <dblock@amazon.com> --------- Signed-off-by: dblock <dblock@amazon.com> Fix: var -> const. (opensearch-project#258) Signed-off-by: dblock <dblock@amazon.com> Adds tools linter. (opensearch-project#260) Signed-off-by: dblock <dblock@amazon.com> Fix: '@typescript-eslint/indent': 'warn'. (opensearch-project#262) Signed-off-by: dblock <dblock@amazon.com> Removed default values from param description (opensearch-project#264) Signed-off-by: saimedhi <saimedhi@amazon.com> Generate _opendistro endpoints through merger tool (opensearch-project#257) * Generate _opendistro endpoints through merger tool Signed-off-by: Theo Truong <theotr@amazon.com> * # Renamed `replaced` with `superseded` Signed-off-by: Theo Truong <theotr@amazon.com> * # Rebased DEVELOPER_GUIDE.md Signed-off-by: Theo Truong <theotr@amazon.com> * # Set Tabsize from 4 to 2 Signed-off-by: Theo Truong <theotr@amazon.com> --------- Signed-off-by: Theo Truong <theotr@amazon.com> Add _plugins/_notifications/channels API spec (opensearch-project#256) * Add _plugins/_notifications/channels API Signed-off-by: Sokratis Papadopoulos <sokratis.papadopoulos@cern.ch> Fix obvious lints. (opensearch-project#265) * Fix cosmetic autoformat lints. * Fixed @typescript-eslint/no-unused-vars. * Fixed eqeqeq. * Fixed @typescript-eslint/consistent-type-imports. * Fixed no-useless-return. * Fixed @typescript-eslint/array-type. * Rebased with changes on main. Signed-off-by: dblock <dblock@amazon.com> Update list notification channels url for externalDocs (opensearch-project#267) Signed-off-by: Sokratis Papadopoulos <sokratis.papadopoulos@cern.ch> Co-authored-by: Sokratis Papadopoulos <sokratis.papadopoulos@cern.ch> Updated/Corrected Docs (opensearch-project#270) * Updated/Corrected Docs - README.md - CLIENT_GENERATOR_GUIDE.md - DEVELOPER_GUIDE.md - ./tools/README.md Signed-off-by: Theo Truong <theotr@amazon.com> * # minor corrections Signed-off-by: Theo Truong <theotr@amazon.com> * # minor corrections Signed-off-by: Theo Truong <theotr@amazon.com> --------- Signed-off-by: Theo Truong <theotr@amazon.com> Add lychee github action for links checking (opensearch-project#269) Corrected content type for bulk operations (opensearch-project#275) * Corrected content type for bulk operations Signed-off-by: Theo Truong <theotr@amazon.com> * # linting Signed-off-by: Theo Truong <theotr@amazon.com> --------- Signed-off-by: Theo Truong <theotr@amazon.com> Validate _superseded_operations.yaml against its JSON schema (opensearch-project#276) * Validate _superseded_operations.yaml against its JSON schema Signed-off-by: Theo Truong <theotr@amazon.com> * # lint Signed-off-by: Theo Truong <theotr@amazon.com> * # lint Signed-off-by: Theo Truong <theotr@amazon.com> --------- Signed-off-by: Theo Truong <theotr@amazon.com> Fixed Linting for Tools (opensearch-project#278) Signed-off-by: Theo Truong <theotr@amazon.com> Removed Root file since it's not needed anymore (opensearch-project#279) Signed-off-by: Theo Truong <theotr@amazon.com> Fixed missing global params (opensearch-project#280) Signed-off-by: Theo Truong <theotr@amazon.com> Added validation for _info.yaml (opensearch-project#281) DRY'ed JSON schema validation logic Signed-off-by: Theo Truong <theotr@amazon.com> Implement inline object schema validator (opensearch-project#282) * Implement inline object schema validator and underlying visitor pattern Signed-off-by: Thomas Farr <tsfarr@amazon.com> * Fix spec lint error Signed-off-by: Thomas Farr <tsfarr@amazon.com> --------- Signed-off-by: Thomas Farr <tsfarr@amazon.com> oops fix lint
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
When we use
pull_request_targetwe check out code that has potentially been modified by the requester, which isn't safe. This PR replaces the workflow with something inspired by https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - a gather step and a comment step that use an artifact to pass information between them.Here's a a gather workflow that produces the artifact: https://github.com/dblock/opensearch-api-specification/actions/runs/8740901986
Here's a comment workflow that uses it: https://github.com/dblock/opensearch-api-specification/actions/runs/8740884453
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.