database/doris
2
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
17,397 Commits 1 Branch 0 Tags
e91d16854b6a6c61d61a354c2de6bad5578c94de
Commit Graph

22 Commits

Author SHA1 Message Date
Calvin Kirs
8deeaef61b [Chore](workflow)delete auto-reply workflow (#30626) 
auto-reply not working due to permission issue
Comments on the fork repository failed due to permission issues
We will instead use Github App to listen for events and then comment.
 2024-01-31 23:53:39 +08:00
Mingyu Chen
e7a2b7b862 [comm](github) add submodule create-or-update-comment (#27301) 2023-11-22 10:24:38 +08:00
Adonis Ling
f4cbbe6429 [chore](workflow) Fix security issues with pull_request_target (#26525) 
In the workflow Code Checks, we use the event pull_request_target which has write permission to enable the actions to comment on our PRs. We should be careful with the write permission and must forbid from running any user code. The previous PR #24761 tried its best to achieve this goal.
However, there is a scenario lacking of consideration (See #26494). #26494 attacks the workflow by git submodule way. This PR fixes this scenario by checkouting the external action explicitly in the workflow.
 2023-11-08 11:23:13 +08:00
Adonis Ling
e9ef6c7da7 [chore](workflow) Fix security issues in Code Checks (#24761) 
The workflow `Code Checks` needs write permissions granted by the event `pull_request_target` to comment on pull requests. However, if the workflow ran users' code, the malicious code would do some dangerous actions on our repository.

The following changes are made in this PR:
1. Instead of applying patches, we use `sed` to modify the `entrypoint.sh` in action-sh-checker explicitly in the workflow.
2. Revoke the write permissions when generating `compile_commands.json` which is produced by executing the build script `build.sh`.
 2023-09-22 10:39:39 +08:00
Pxl
5ba2a19cd2 [Chore](check) change sonarcloud github action to c/cpp action (#24433) 
change sonarcloud github action to c/cpp action
 2023-09-15 14:55:36 +08:00
Pxl
a68ed24d20 [Chore](workflow) add sonar cloud on cpp workflow (#24189) 
add sonar cloud on cpp workflow
 2023-09-14 15:14:05 +08:00
Mingyu Chen
fc3728c6ab [fix](dynamic-partition) create HOUR unit partition with DATEV2 throw exception (#19213) 
Need to forbid create HOUR unit partition with partition column type DATEV2
```
Unexpected exception: String index out of range: 10
```
 2023-04-29 08:23:06 +08:00
Pxl
ec517a53a8 [Chore](build) upgrade clang-format version to 16 && move thrift to fe-common (#19155) 
upgrade clang-format version to 16
move thrift to fe-common
fix core dump on pipeline engine when operator canceled and not prepared
 2023-04-28 14:14:51 +08:00
Pxl
c804024e5d [Chore](workflow) add clang-tidy workflow (#14737) 
add clang-tidy workflow
 2022-12-02 14:10:29 +08:00
lsy3993
4c60186e87 [test](jdbc)add new case for pg jdbc table (#14582) 2022-11-26 13:02:05 +08:00
Adonis Ling
f6de03eb6c [chore](github) Add a workflow to check the build for third-party libraries (#14533) 
Currently, we build the third-party libraries and release them automatically (See https://github.com/apache/doris-thirdparty/pull/13). We must make sure that the changes for third-party libraries are valid.
 2022-11-24 10:07:39 +08:00
Adonis Ling
72b909b5e8 [enhancement](workflow) Enable the shellcheck workflow to comment the PRs (#12633) 
> Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by 
default prevents write permissions and secrets access to the target repository. However, in some scenarios such 
access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.

According to the article [Keeping your GitHub Actions and workflows secure](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) , the trigger condition in 
`shellcheck.yml` which is `pull_request` can't comment the PR due to the lack of write permissions of the workflow.

Despite the `ShellCheck` workflow checkouts the source, but it doesn't build and test the source code. I think it is safe 
to change the trigger condition from `pull_request` to `pull_request_target` which can make the workflow have write 
permissions to comment the PR.
 2022-09-27 09:08:12 +08:00
Adonis Ling
4fa53b4cdb [chore](workflow) Add shellcheck to check shell scripts (#11744) 2022-08-18 16:07:28 +08:00
Adonis Ling
5215d95064 [enhancement](workflow) Use ccache to speed the BE UT (Clang) up (#11339) 2022-07-29 21:19:26 +08:00
jakevin
14bb6088da [community](actions): add action to check PR title (#11304) 2022-07-29 14:49:44 +08:00
Adonis Ling
9013d5cc09 [enhancement](workflow) Optimize workflows (#11145) 
1. Fine tune the trigger conditions for workflows.
2. Introduce concurrency group to cancel previous workflow trigged by the same pr.
 2022-07-28 08:32:33 +08:00
morrySnow
c62c2e308f [chore]replace checkstyle action with mvn checkstyle:check (#10474) 2022-06-30 11:20:50 +08:00
morrySnow
784681f106 [FE Code Style][step 0]add github action to check incremental code in pr (#9328) 
1. add rules to checkstyle
2. add github action to check incremental code in pr
 2022-05-01 17:30:29 +08:00
jakevin
ebc27a40d7 [docs] Split the FAQ And Revert auto-label action (#7770) 2022-01-17 10:34:56 +08:00
jakevin
3da4425af5 [fix](github-action) fix the action of set-label-based-on-pr-title (#7757) 2022-01-13 23:35:00 +08:00
kezhenxu94
270bebe196 [chore](github) Add third-party GitHub Action as submodule to allow it to run (#7280) 
Add the 3rd-party GHA as submodule so that it can be run without asking to add it into allow list.
 2021-12-04 19:43:30 +08:00
Tobiasz Kędzierski
8d1c1ef1e6 [Community] Fix PR labeling github action workflow (#6279) 
My change is the fix and improvement for github action which labels approved PRs (introduced in this [PR](https://github.com/apache/incubator-doris/pull/6239)).

It is inspired by solution introduced and tested in [Apache Airflow](https://github.com/apache/airflow) (thanks @potiuk @ashb 🚀 )

Corresponding Apache Airflow workflows on which I based this PR:
 - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed.yml
 - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed_workflow_run.yml

Problems which were solved in this PR:

 - **Permissions**.
  @morningman opened a related bug: [[Help] Error: Resource not accessible by integration](https://github.com/TobKed/label-when-approved-action/issues/7). It is related to limited permissions of workflows being triggered by `pull_request_review` (`GITHUB_TOKEN` has read-only permissions). More information about it you can find in the article:  [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
   TL;DR:  On pull request review event (`on: pull_request_review` ) "dummy" workflow `Label when reviewed` triggers another workflow `Label when approved workflow run` which has sufficient permissions (`on:  workflow_run:  workflows: ["Label when reviewed"]`).

 - **Safe use of 3rd-party Github Actions by using submodules pattern.**  It is decribed in:    
 https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status

    >  NEVER use 3rd-party actions directly in your workflows - use the "submodule" pattern.
    
    This pattern is successfully used by projects like:
     - [Apache Airflow](https://github.com/apache/airflow) ([PR](https://github.com/apache/airflow/pull/13514#))
     - [Apache Beam](https://github.com/apache/beam) ([PR](https://github.com/apache/beam/pull/13736))
     - [Apache Superset](https://github.com/apache/superset) ([PR](https://github.com/apache/superset/pull/12709))
 2021-07-25 22:22:09 +08:00