livebook-dev/livebook
1
1
Fork 0
mirror of https://github.com/livebook-dev/livebook.git synced 2025-09-30 16:54:29 +08:00
Code Issues Projects Releases Packages Wiki Activity

Sanitize input from contributor fork workflows (#2409)

Browse source 
Signed-off-by: Adam Vollrath <adam.d.vollrath@gmail.com>
This commit is contained in:
Adam Vollrath 2023-12-20 23:36:22 -06:00 committed by GitHub
parent 3430e9a261
commit e6ae3449d1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/uffizzi-build.yml vendored
View file

@ -58,7 +58,7 @@ jobs:
uses: docker/setup-buildx-action@v2
- name: Generate UUID image name
id: uuid
run: echo "UUID_TAG_APP=$(uuidgen)" >> $GITHUB_ENV
run: echo "UUID_TAG_APP=livebook-$(uuidgen --time)" >> $GITHUB_ENV
- name: Docker metadata
id: meta
uses: docker/metadata-action@v3

35
.github/workflows/uffizzi-preview.yml vendored
View file

@ -13,8 +13,10 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
outputs:
compose-file-cache-key: ${{ env.COMPOSE_FILE_HASH }}
pr-number: ${{ env.PR_NUMBER }}
compose-file-cache-key: ${{ steps.hash.outputs.COMPOSE_FILE_HASH }}
git-ref: ${{ steps.event.outputs.GIT_REF }}
pr-number: ${{ steps.event.outputs.PR_NUMBER }}
action: ${{ steps.event.outputs.ACTION }}
steps:
- name: "Download artifacts"
# Fetch output (zip archive) from the workflow run that triggered this workflow.
@ -41,33 +43,34 @@ jobs:
let fs = require('fs');
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/preview-spec.zip`, Buffer.from(download.data));
- name: "Unzip artifact"
run: unzip preview-spec.zip
run: unzip preview-spec.zip event.json
- name: Read Event into ENV
id: event
run: |
echo 'EVENT_JSON<<EOF' >> $GITHUB_ENV
cat event.json >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
echo PR_NUMBER=$(jq '.number | tonumber' < event.json) >> $GITHUB_OUTPUT
echo ACTION=$(jq --raw-output '.action | tostring | [scan("\\w+")][0]' < event.json) >> $GITHUB_OUTPUT
echo GIT_REF=$(jq --raw-output '.pull_request.head.sha | tostring | [scan("\\w+")][0]' < event.json) >> $GITHUB_OUTPUT
- name: Hash Rendered Compose File
id: hash
# If the previous workflow was triggered by a PR close event, we will not have a compose file artifact.
if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
run: echo "COMPOSE_FILE_HASH=$(md5sum docker-compose.rendered.yml | awk '{ print $1 }')" >> $GITHUB_ENV
if: ${{ steps.event.outputs.ACTION != 'closed' }}
run: |
unzip preview-spec.zip docker-compose.rendered.yml
echo "COMPOSE_FILE_HASH=$(md5sum docker-compose.rendered.yml | awk '{ print $1 }')" >> $GITHUB_OUTPUT
- name: Cache Rendered Compose File
if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
if: ${{ steps.event.outputs.ACTION != 'closed' }}
uses: actions/cache@v3
with:
path: docker-compose.rendered.yml
key: ${{ env.COMPOSE_FILE_HASH }}
- name: Read PR Number From Event Object
id: pr
run: echo "PR_NUMBER=${{ fromJSON(env.EVENT_JSON).number }}" >> $GITHUB_ENV
key: ${{ steps.hash.outputs.COMPOSE_FILE_HASH }}
- name: DEBUG - Print Job Outputs
if: ${{ runner.debug }}
run: |
echo "PR number: ${{ env.PR_NUMBER }}"
echo "Compose file hash: ${{ env.COMPOSE_FILE_HASH }}"
echo "PR number: ${{ steps.event.outputs.PR_NUMBER }}"
echo "Git Ref: ${{ steps.event.outputs.GIT_REF }}"
echo "Action: ${{ steps.event.outputs.ACTION }}"
echo "Compose file hash: ${{ steps.hash.outputs.COMPOSE_FILE_HASH }}"
cat event.json
deploy-uffizzi-preview: