database/doris
2
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
3cb0deae9ceef92c71c35444c495bc5b94de6c7c
doris/.github/workflows/clang-format.yml
Adonis Ling f4cbbe6429 [chore](workflow) Fix security issues with pull_request_target (#26525) 
In the workflow Code Checks, we use the event pull_request_target which has write permission to enable the actions to comment on our PRs. We should be careful with the write permission and must forbid from running any user code. The previous PR #24761 tried its best to achieve this goal.
However, there is a scenario lacking of consideration (See #26494). #26494 attacks the workflow by git submodule way. This PR fixes this scenario by checkouting the external action explicitly in the workflow.
2023-11-08 11:23:13 +08:00

80 lines
2.7 KiB
YAML
Raw Blame History

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
---
name: BE Code Formatter
on: [push, pull_request_target]
jobs:
clang-format:
name: "Clang Formatter"
runs-on: ubuntu-latest
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v3
with:
persist-credentials: false
- name: Checkout ${{ github.ref }} ( ${{ github.event.pull_request.head.sha }} )
if: ${{ github.event_name == 'pull_request_target' }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Checkout paths-filter
run: |
rm -rf ./.github/actions/paths-filter
git clone https://github.com/dorny/paths-filter .github/actions/paths-filter
pushd .github/actions/paths-filter &>/dev/null
git checkout 4512585405083f25c027a35db413c2b3b9006d50
popd &>/dev/null
- name: Paths filter
uses: ./.github/actions/paths-filter
id: filter
with:
filters: |
be_changes:
- 'be/src/**'
- 'be/test/**'
- name: Checkout clang-format-lint-action
run: |
rm -rf ./.github/actions/clang-format-lint-action
git clone https://github.com/DoozyX/clang-format-lint-action .github/actions/clang-format-lint-action
pushd .github/actions/clang-format-lint-action &>/dev/null
git checkout 6adbe14579e5b8e19eb3e31e5ff2479f3bd302c7
popd &>/dev/null
- name: "Format it!"
if: ${{ steps.filter.outputs.be_changes == 'true' }}
uses: ./.github/actions/clang-format-lint-action
id: be_clang_format
with:
source: "be/src be/test"
clangFormatVersion: 16
inplace: False
- name: Ignore it!
if: ${{ steps.filter.outputs.be_changes == 'false' }}
run: echo 'No need to check.'
Reference in New Issue View Git Blame Copy Permalink