database/doris
2
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
501a79a45cdfb08dd8c0101405a7352fad39cf40
doris/.github/workflows/code-checks.yml
Adonis Ling f4cbbe6429 [chore](workflow) Fix security issues with pull_request_target (#26525) 
In the workflow Code Checks, we use the event pull_request_target which has write permission to enable the actions to comment on our PRs. We should be careful with the write permission and must forbid from running any user code. The previous PR #24761 tried its best to achieve this goal.
However, there is a scenario lacking of consideration (See #26494). #26494 attacks the workflow by git submodule way. This PR fixes this scenario by checkouting the external action explicitly in the workflow.
2023-11-08 11:23:13 +08:00

155 lines
5.8 KiB
YAML
Raw Blame History

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
name: Code Checks
on: [push, pull_request_target]
jobs:
shellcheck:
name: ShellCheck
runs-on: ubuntu-latest
steps:
- name: Checkout ${{ github.ref }} ( ${{ github.sha }} )
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v3
- name: Checkout ${{ github.ref }} ( ${{ github.event.pull_request.head.sha }} )
if: ${{ github.event_name == 'pull_request_target' }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Checkout action-sh-checker
run: |
rm -rf ./.github/actions/action-sh-checker
git clone https://github.com/luizm/action-sh-checker .github/actions/action-sh-checker
pushd .github/actions/action-sh-checker &>/dev/null
git checkout 76ab0b22e1f194e4a582edc7969df6485c4e9246
sed -i 's/\[ "$GITHUB_EVENT_NAME" == "pull_request" \]/\[\[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" == "pull_request_target" \]\]/' entrypoint.sh
popd &>/dev/null
- name: Run ShellCheck
uses: ./.github/actions/action-sh-checker
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
sh_checker_comment: true
sh_checker_exclude: .git .github ^docker ^thirdparty/src ^thirdparty/installed ^ui ^docs/node_modules ^tools/clickbench-tools ^extension ^output ^fs_brokers/apache_hdfs_broker/output (^|.*/)Dockerfile$ ^be/src/apache-orc ^be/src/clucene ^pytest
preparation:
name: "Clang Tidy Preparation"
if: ${{ github.event_name == 'pull_request_target' }}
runs-on: ubuntu-22.04
permissions: read-all
outputs:
should_check: ${{ steps.generate.outputs.should_check }}
steps:
- name: Checkout ${{ github.ref }} ( ${{ github.event.pull_request.head.sha }} )
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Checkout paths-filter
run: |
rm -rf ./.github/actions/paths-filter
git clone https://github.com/dorny/paths-filter .github/actions/paths-filter
pushd .github/actions/paths-filter &>/dev/null
git checkout 4512585405083f25c027a35db413c2b3b9006d50
popd &>/dev/null
- name: Paths Filter
uses: ./.github/actions/paths-filter
id: filter
with:
filters: |
be_changes:
- 'be/**'
- 'gensrc/proto/**'
- 'gensrc/thrift/**'
- name: Generate compile_commands.json
id: generate
run: |
if [[ "${{ steps.filter.outputs.be_changes }}" == 'true' ]]; then
export DEFAULT_DIR='/opt/doris'
mkdir "${DEFAULT_DIR}"
wget https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh \
-q -O /tmp/ldb_toolchain_gen.sh
bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
pushd thirdparty
curl -L https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz \
-o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
popd
export PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang ENABLE_PCH=OFF OUTPUT_BE_BINARY=0 ./build.sh --be
fi
echo "should_check=${{ steps.filter.outputs.be_changes }}" >>${GITHUB_OUTPUT}
- name: Upload
uses: actions/upload-artifact@v3
if: ${{ steps.filter.outputs.be_changes == 'true' }}
with:
name: compile_commands
path: ./be/build_Release/compile_commands.json
clang-tidy:
name: "Clang Tidy"
needs: preparation
if: ${{ needs.preparation.outputs.should_check == 'true' }}
runs-on: ubuntu-22.04
steps:
- name: Checkout ${{ github.ref }} ( ${{ github.event.pull_request.head.sha }} )
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Download
uses: actions/download-artifact@v3
with:
name: compile_commands
path: ./be/build_Release
- name: Checkout clang-tidy review
run: |
rm -rf ./.github/actions/clang-tidy-review
git clone https://github.com/ZedThree/clang-tidy-review .github/actions/clang-tidy-review
pushd .github/actions/clang-tidy-review &>/dev/null
git checkout 2c55ef8cfc9acb3715d433e58aea086dcec9b206
popd &>/dev/null
- name: Run clang-tidy review
uses: ./.github/actions/clang-tidy-review
id: review
with:
build_dir: ./be/build_Release
config_file: "./.clang-tidy"
# clang-tidy review not required now
# - if: steps.review.outputs.total_comments > 0
# run: exit 1
Reference in New Issue View Git Blame Copy Permalink