mirror of
https://github.com/block/goose.git
synced 2026-05-21 02:10:14 +00:00
146 lines
5.9 KiB
YAML
146 lines
5.9 KiB
YAML
# This workflow is triggered by a comment on PR with the text ".build-cli"
|
|
#
|
|
# SECURITY: This workflow checks out and builds code from PRs. To prevent
|
|
# malicious code execution (GHSA-4h72-4h3w-4587, GHSA-mqm8-hhf6-wvjq),
|
|
# we verify the commenter has write access before proceeding.
|
|
on:
|
|
issue_comment:
|
|
types: [created]
|
|
workflow_dispatch:
|
|
inputs:
|
|
pr_number:
|
|
description: 'PR number to comment on'
|
|
required: true
|
|
type: string
|
|
|
|
# permissions needed for reacting to IssueOps commands on PRs
|
|
permissions:
|
|
pull-requests: write
|
|
checks: read
|
|
|
|
name: Build CLI
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ (github.event.issue && github.event.issue.number) || github.event.inputs.pr_number }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
trigger-on-command:
|
|
if: >
|
|
github.event_name == 'workflow_dispatch' ||
|
|
(github.event.issue.pull_request && contains(github.event.comment.body, '.build-cli'))
|
|
name: Trigger on ".build-cli" PR comment
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
continue: ${{ steps.security_check.outputs.authorized }}
|
|
pr_number: ${{ steps.command.outputs.issue_number || github.event.inputs.pr_number }}
|
|
head_sha: ${{ steps.set_head_sha.outputs.head_sha || github.sha }}
|
|
steps:
|
|
# SECURITY: Verify commenter has write access BEFORE any checkout
|
|
# This prevents attackers from triggering builds on their own malicious PRs
|
|
- name: Verify commenter permissions
|
|
id: security_check
|
|
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
|
with:
|
|
script: |
|
|
// workflow_dispatch requires repo write access, so it's inherently safe
|
|
if (context.eventName === 'workflow_dispatch') {
|
|
core.setOutput('authorized', 'true');
|
|
console.log('✅ workflow_dispatch - authorized');
|
|
return;
|
|
}
|
|
|
|
const commenter = context.payload.comment.user.login;
|
|
console.log(`Checking permissions for: ${commenter}`);
|
|
|
|
try {
|
|
const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
username: commenter
|
|
});
|
|
|
|
const allowed = ['admin', 'maintain', 'write'].includes(permission.permission);
|
|
console.log(`Permission level: ${permission.permission}, Authorized: ${allowed}`);
|
|
|
|
if (!allowed) {
|
|
// Post a comment explaining the rejection
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.payload.issue.number,
|
|
body: `⚠️ @${commenter} Only repository collaborators with write access can trigger builds.`
|
|
});
|
|
core.setOutput('authorized', 'false');
|
|
} else {
|
|
core.setOutput('authorized', 'true');
|
|
}
|
|
} catch (error) {
|
|
console.log(`Permission check failed: ${error.message}`);
|
|
core.setOutput('authorized', 'false');
|
|
}
|
|
|
|
- name: Run command action
|
|
if: steps.security_check.outputs.authorized == 'true'
|
|
uses: github/command@v2.0.3
|
|
id: command
|
|
with:
|
|
command: ".build-cli"
|
|
skip_reviews: true
|
|
reaction: "eyes"
|
|
allowed_contexts: pull_request
|
|
|
|
- name: Checkout code
|
|
if: steps.security_check.outputs.authorized == 'true'
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
|
|
- name: Get PR head SHA with gh
|
|
id: set_head_sha
|
|
if: steps.security_check.outputs.authorized == 'true'
|
|
run: |
|
|
echo "Get PR head SHA with gh"
|
|
HEAD_SHA=$(gh pr view "$ISSUE_NUMBER" --json headRefOid -q .headRefOid)
|
|
echo "head_sha=$HEAD_SHA" >> $GITHUB_OUTPUT
|
|
echo "head_sha=$HEAD_SHA"
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
ISSUE_NUMBER: ${{ steps.command.outputs.issue_number }}
|
|
|
|
build-cli:
|
|
needs: [trigger-on-command]
|
|
if: ${{ needs.trigger-on-command.outputs.continue == 'true' }}
|
|
uses: ./.github/workflows/build-cli.yml
|
|
with:
|
|
ref: ${{ needs.trigger-on-command.outputs.head_sha }}
|
|
|
|
pr-comment-cli:
|
|
name: PR Comment with CLI builds
|
|
runs-on: ubuntu-latest
|
|
needs: [trigger-on-command, build-cli]
|
|
permissions:
|
|
pull-requests: write
|
|
|
|
steps:
|
|
- name: Download CLI artifacts
|
|
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
|
with:
|
|
pattern: goose-*
|
|
path: cli-dist
|
|
merge-multiple: true
|
|
|
|
- name: Comment on PR with CLI download links
|
|
uses: peter-evans/create-or-update-comment@v5
|
|
with:
|
|
issue-number: ${{ needs.trigger-on-command.outputs.pr_number }}
|
|
body: |
|
|
### CLI Builds
|
|
|
|
Download CLI builds for different platforms:
|
|
- [📦 Linux (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-unknown-linux-gnu.zip)
|
|
- [📦 Linux (aarch64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-unknown-linux-gnu.zip)
|
|
- [📦 macOS (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-apple-darwin.zip)
|
|
- [📦 macOS (aarch64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-apple-darwin.zip)
|
|
- [📦 Windows (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-pc-windows-gnu.zip)
|
|
|
|
These links are provided by nightly.link and will work even if you're not logged into GitHub.
|
|
|