.github/workflows/unsafe-reviewers.yml


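name: Unsafe Reviewers Check
on:
  workflow_dispatch:
  pull_request_target:
    types: [opened, reopened, synchronize]

# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
# pull_request_target runs with the base repository's token even for PRs from
# forks, so the grants below apply while untrusted PR content is checked out;
# keep them to what the steps actually use.
permissions:
  # NOTE(review): no visible step uses OIDC (id-token) — confirm it is needed
  id-token: write
  contents: read
  # needed by the review script to add reviewers to the PR (presumably; the
  # script itself is not visible here)
  pull-requests: write

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true

jobs:
  UnsafeReview:
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged != true && github.event.action != 'closed'
    steps:
      # NOTE: We're checking out both repos to avoid a security vulnerability
      # Any code that runs in this workflow should be using the checked out base repo to avoid
      # running code from a potentially malicious PR
      # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
      # https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
      - name: Checkout base repo
        uses: actions/checkout@v4
        with:
          path: base
          fetch-depth: 0
      - name: Checkout head repo
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          # Pin to the exact commit the event was raised for. A branch name can
          # be force-pushed between the trigger and this checkout, in which case
          # the tree that gets reviewed is not the one the event describes.
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0
          path: head-repo

      - name: Get merge base commit
        id: merge-base
        # Event-derived values are passed through env rather than expanded with
        # ${{ }} inside the script, so the shell never re-parses them.
        env:
          BASE_REF: ${{ github.base_ref }}
        # NOTE(review): `origin` in head-repo is the PR head repository, so the
        # base branch is fetched from that remote rather than from upstream —
        # confirm this is the intended merge-base.
        run: |
          git fetch origin "$BASE_REF"
          git merge-base HEAD "origin/$BASE_REF" > merge-base.txt
          echo "MERGE_BASE=$(cat merge-base.txt)" >> "$GITHUB_ENV"
        working-directory: head-repo

      - name: Run unsafe code review script
        # The script and its requirements come from the base checkout only;
        # head-repo is passed as data to be reviewed, never executed.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.number }}
        # The token is read from the environment instead of being placed on the
        # command line, where it would be visible in the process list.
        # `shell: bash` runs with `-e`, so a failed pip install stops the step.
        run: |
          pip3 install -r ./base/.github/scripts/add_unsafe_reviewers/requirements.txt
          python3 ./base/.github/scripts/add_unsafe_reviewers/add-unsafe-reviewers.py \
            ./head-repo "$MERGE_BASE" --token "$GH_TOKEN" --pull-request "$PR_NUMBER"
        shell: bash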