From 9f2f7780a4755ade45fc6769b59aee4e9ec2974d Mon Sep 17 00:00:00 2001 From: krzys-h Date: Mon, 22 Feb 2021 11:12:21 +0100 Subject: [PATCH] Safely upload linter results from forks to GitHub This makes lint results from pull requests appear as GitHub checks similarly to how pull requests from branches are able to work Based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests --- .github/workflows/lint.yml | 72 ++++++++--------------- .github/workflows/lint_upload_results.yml | 67 +++++++++++++++++++++ 2 files changed, 92 insertions(+), 47 deletions(-) create mode 100644 .github/workflows/lint_upload_results.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 08dd8d45..967b4c91 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -79,16 +79,12 @@ jobs: with: name: HTML results path: build/html_report - - run: pip install requests - - name: Send linter results to GitHub + - name: Generate GitHub annotations JSON and process check result shell: python - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - ACTUALLY_SEND: ${{ github.event.type != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} run: | import os import sys - import requests + import json import xml.etree.ElementTree as ET OVERALL_STABLE_RULES=[ @@ -141,18 +137,6 @@ jobs: "whitespace", ] - # None of the available actions seem to do what I want, they all do stupid things like adding another check... let's just do it manually - # GitHub also doesn't seem to provide you with the check suite or check run ID, so we have to get it from the action ID via the API - s = requests.Session() - s.headers.update({ - 'Authorization': 'token ' + os.environ['GITHUB_TOKEN'], - 'Accept': 'application/vnd.github.antiope-preview+json' # Annotations are still technically a preview feature of the API - }) - action_run = s.get(os.environ['GITHUB_API_URL'] + "/repos/" + os.environ['GITHUB_REPOSITORY'] + "/actions/runs/" + os.environ['GITHUB_RUN_ID']).json() - check_suite = s.get(action_run['check_suite_url']).json() - check_suite_runs = s.get(check_suite['check_runs_url']).json() - check_run = check_suite_runs['check_runs'][0] # NOTE: This assumes that the 'lint' job is the first one in the workflow. You could find it by name if you really wanted. - def we_care_about(file_name, type): if 'CBot' in file_name: return type in OVERALL_STABLE_RULES @@ -161,6 +145,7 @@ jobs: results = ET.parse('build/colobot_lint_report.xml') annotations = [] + stable_annotations = [] for error in results.find('errors').findall('error'): location = error.find('location') file_name = os.path.relpath(location.get('file'), os.environ['GITHUB_WORKSPACE']) @@ -175,42 +160,35 @@ jobs: elif severity == 'information': gh_severity = 'notice' - if not we_care_about(file_name, type): - # don't send the unstable rules to github at all as there are way too many of them and it would overload the API rate limit - continue - - print('{}:{}: [{}] {}'.format(file_name, line_num, type, msg)) - - annotations.append({ + annotation = { 'path': file_name, 'start_line': line_num, 'end_line': line_num, 'annotation_level': gh_severity, 'title': type, 'message': msg - }) + } + annotations.append(annotation) - summary = 'colobot-lint found {} issues'.format(len(annotations)) - all_ok = len(annotations) == 0 + if we_care_about(file_name, type): + # don't send the unstable rules to github at all as there are way too many of them and it would overload the API rate limit + stable_annotations.append(annotation) + print('{}:{}: [{}] {}'.format(file_name, line_num, type, msg)) + + summary = 'colobot-lint found {} issues'.format(len(stable_annotations)) + all_ok = len(stable_annotations) == 0 print('Conclusion: {}'.format(summary)) - if os.environ['ACTUALLY_SEND'] != "true": - print('Skip uploading the results as annotations because tokens from forks are readonly and there seems to be no way to do it. Blame GitHub Actions devs.') - else: - # Annotations have to be sent in batches of 50 - first = True - while first or len(annotations) > 0: - first = False - to_send = annotations[:50] - annotations = annotations[50:] - data = { - 'output': { - 'title': summary, - 'summary': summary, - 'annotations': to_send - } - } - r = s.patch(check_run['url'], json=data) - r.raise_for_status() - + with open("build/annotations.json", "w") as f: + json.dump(annotations, f, indent=4) + with open("build/stable_annotations.json", "w") as f: + json.dump(stable_annotations, f, indent=4) sys.exit(0 if all_ok else 1) + - name: Upload results (JSON) + uses: actions/upload-artifact@v2 + with: + name: JSON results + path: | + build/annotations.json + build/stable_annotations.json + if: ${{ always() }} diff --git a/.github/workflows/lint_upload_results.yml b/.github/workflows/lint_upload_results.yml new file mode 100644 index 00000000..3adb3c54 --- /dev/null +++ b/.github/workflows/lint_upload_results.yml @@ -0,0 +1,67 @@ +name: Linter upload results + +# Upload linter results after succesful linter run +# This is done in a separate workflow to safely use the read-write GitHub token +# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests + +on: + workflow_run: + workflows: ["Linter"] + types: + - completed + +jobs: + lint_upload: + runs-on: ubuntu-16.04 + steps: + - run: pip install requests + - name: Download linter results + uses: dawidd6/action-download-artifact@v2 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + workflow: lint.yml + run_id: ${{ github.event.workflow_run.id }} + name: JSON results + path: results + - name: Send linter results to GitHub + shell: python + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RUN_ID: ${{ github.event.workflow_run.id }} + run: | + import os + import json + import requests + + # Load the results from the lint job artifact + with open("results/stable_annotations.json", "r") as f: + annotations = json.load(f) + summary = 'colobot-lint found {} issues'.format(len(annotations)) + + # None of the available actions seem to do what I want, they all do stupid things like adding another check... let's just do it manually + # GitHub also doesn't seem to provide you with the check suite or check run ID, so we have to get it from the action ID via the API + s = requests.Session() + s.headers.update({ + 'Authorization': 'token ' + os.environ['GITHUB_TOKEN'], + 'Accept': 'application/vnd.github.antiope-preview+json' # Annotations are still technically a preview feature of the API + }) + action_run = s.get(os.environ['GITHUB_API_URL'] + "/repos/" + os.environ['GITHUB_REPOSITORY'] + "/actions/runs/" + os.environ['RUN_ID']).json() + check_suite = s.get(action_run['check_suite_url']).json() + check_suite_runs = s.get(check_suite['check_runs_url']).json() + check_run = check_suite_runs['check_runs'][0] # NOTE: This assumes that the 'lint' job is the first one in the workflow. You could find it by name if you really wanted. + + # Annotations have to be sent in batches of 50 + first = True + while first or len(annotations) > 0: + first = False + to_send = annotations[:50] + annotations = annotations[50:] + data = { + 'output': { + 'title': summary, + 'summary': summary, + 'annotations': to_send + } + } + r = s.patch(check_run['url'], json=data) + r.raise_for_status()