This is an automated email from the ASF dual-hosted git repository.

adonisling pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new e9ef6c7da7 [chore](workflow) Fix security issues in Code Checks 
(#24761)
e9ef6c7da7 is described below

commit e9ef6c7da71af7a73ca45e60cc9587d774629254
Author: Adonis Ling <adonis0...@gmail.com>
AuthorDate: Fri Sep 22 10:39:39 2023 +0800

    [chore](workflow) Fix security issues in Code Checks (#24761)
    
    The workflow `Code Checks` needs write permissions granted by the event 
`pull_request_target` to comment on pull requests. However, if the workflow ran 
users' code, that malicious code could perform dangerous actions on our 
repository.
    
    The following changes are made in this PR:
    1. Instead of applying patches, we use `sed` to modify the `entrypoint.sh` 
in action-sh-checker explicitly in the workflow.
    2. Revoke the write permissions when generating `compile_commands.json` 
which is produced by executing the build script `build.sh`.
---
 .github/actions/patches/action-sh-checker.patch    | 13 ----
 .github/workflows/code-checks.yml                  | 69 ++++++++++++++++------
 ...-project.properties => sonar-project.properties |  0
 3 files changed, 50 insertions(+), 32 deletions(-)

diff --git a/.github/actions/patches/action-sh-checker.patch 
b/.github/actions/patches/action-sh-checker.patch
deleted file mode 100644
index ba6c8d1b90..0000000000
--- a/.github/actions/patches/action-sh-checker.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/entrypoint.sh b/entrypoint.sh
-index d3399e3..5c8ee7b 100755
---- a/entrypoint.sh
-+++ b/entrypoint.sh
-@@ -202,7 +202,7 @@ if ((CHECKBASHISMS_ENABLE == 1)); then
- fi
- 
- if ((shellcheck_code != 0 || shfmt_code != 0)); then
--      if [ "$GITHUB_EVENT_NAME" == "pull_request" ] && ((SH_CHECKER_COMMENT 
== 1)); then
-+      if [[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" == 
"pull_request_target" ]] && ((SH_CHECKER_COMMENT == 1)); then
-               _comment_on_github "$shellcheck_error" "$shfmt_error"
-       fi
- fi
diff --git a/.github/workflows/code-checks.yml 
b/.github/workflows/code-checks.yml
index 85dee3e63f..652aa7f81e 100644
--- a/.github/workflows/code-checks.yml
+++ b/.github/workflows/code-checks.yml
@@ -40,7 +40,7 @@ jobs:
       - name: Patch
         run: |
           pushd .github/actions/action-sh-checker >/dev/null
-          git apply ../patches/action-sh-checker.patch
+          sed -i 's/\[ "$GITHUB_EVENT_NAME" == "pull_request" \]/\[\[ 
"$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" == 
"pull_request_target" \]\]/' entrypoint.sh
           popd >/dev/null
 
       - name: Run ShellCheck
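Review bot: The `sed -i` on the new line has no success check, so if the upstream `entrypoint.sh` ever changes its `[ "$GITHUB_EVENT_NAME" == "pull_request" ]` line the substitution silently matches nothing and the ShellCheck comment is quietly never posted on `pull_request_target` runs, whereas the removed `git apply` would have failed loudly. Add a verification right after it, e.g. `grep -q 'pull_request_target' entrypoint.sh || { echo 'action-sh-checker patch did not apply' >&2; exit 1; }`. The security benefit of replacing the patch file only holds if `entrypoint.sh` itself comes from a trusted ref; the checkout step for this job is outside the hunk, so confirm that `.github/actions/action-sh-checker` is not taken from the pull request head.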
@@ -51,10 +51,13 @@ jobs:
           sh_checker_comment: true
           sh_checker_exclude: .git .github ^docker ^thirdparty/src 
^thirdparty/installed ^ui ^docs/node_modules ^tools/clickbench-tools ^extension 
^output ^fs_brokers/apache_hdfs_broker/output (^|.*/)Dockerfile$ 
^be/src/apache-orc ^be/src/clucene ^pytest
 
-  clang-tidy:
-    name: "Clang Tidy"
+  preparation:
+    name: "Clang Tidy Preparation"
     if: ${{ github.event_name == 'pull_request_target' }}
     runs-on: ubuntu-22.04
+    permissions: read-all
+    outputs:
+      should_check: ${{ steps.generate.outputs.should_check }}
     steps:
       - name: Checkout ${{ github.ref }} ( ${{ 
github.event.pull_request.head.sha }} )
         uses: actions/checkout@v3
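Review bot: `permissions: read-all` on the new `preparation` job is broader than the job needs; the only thing the token is used for in this hunk is the checkout, so the least-privilege form is `permissions:` with `contents: read` as its single entry (two lines replacing `permissions: read-all`). Note that `permissions:` scopes only `GITHUB_TOKEN`: under `pull_request_target` any `secrets.*` referenced by this job would still be available to the pull request's `build.sh`, so the job should keep referencing none. The checkout step starts at the end of the hunk and its `with:` block continues outside it.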
@@ -73,28 +76,56 @@ jobs:
               - 'gensrc/thrift/**'
 
       - name: Generate compile_commands.json
-        if: ${{ steps.filter.outputs.be_changes == 'true' }}
+        id: generate
         run: |
-          export DEFAULT_DIR='/opt/doris'
+          if [[ "${{ steps.filter.outputs.be_changes }}" == 'true' ]]; then
+            export DEFAULT_DIR='/opt/doris'
 
-          mkdir "${DEFAULT_DIR}"
-          wget 
https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh
 \
-            -q -O /tmp/ldb_toolchain_gen.sh
-          bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
+            mkdir "${DEFAULT_DIR}"
+            wget 
https://github.com/amosbird/ldb_toolchain_gen/releases/download/v0.18/ldb_toolchain_gen.sh
 \
+              -q -O /tmp/ldb_toolchain_gen.sh
+            bash /tmp/ldb_toolchain_gen.sh "${DEFAULT_DIR}/ldb-toolchain"
 
-          sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
+            sudo DEBIAN_FRONTEND=noninteractive apt install --yes tzdata byacc
 
-          pushd thirdparty
-          curl -L 
https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz
 \
-            -o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
-          tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
-          popd
+            pushd thirdparty
+            curl -L 
https://github.com/apache/doris-thirdparty/releases/download/automation/doris-thirdparty-prebuilt-linux-x86_64.tar.xz
 \
+              -o doris-thirdparty-prebuilt-linux-x86_64.tar.xz
+            tar -xvf doris-thirdparty-prebuilt-linux-x86_64.tar.xz
+            popd
 
-          export 
PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
-          DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang OUTPUT_BE_BINARY=0 
./build.sh --be
+            export 
PATH="${DEFAULT_DIR}/ldb-toolchain/bin/:$(pwd)/thirdparty/installed/bin/:${PATH}"
+            DISABLE_JAVA_UDF=ON DORIS_TOOLCHAIN=clang ENABLE_PCH=OFF 
OUTPUT_BE_BINARY=0 ./build.sh --be
+          fi
 
-      - name: Run clang-tidy review
+          echo "should_check=${{ steps.filter.outputs.be_changes }}" 
>>${GITHUB_OUTPUT}
+
+      - name: Upload
+        uses: actions/upload-artifact@v3
         if: ${{ steps.filter.outputs.be_changes == 'true' }}
+        with:
+          name: compile_commands
+          path: ./be/build_Release/compile_commands.json
+
+  clang-tidy:
+    name: "Clang Tidy"
+    needs: preparation
+    if: ${{ needs.preparation.outputs.should_check == 'true' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout ${{ github.ref }} ( ${{ 
github.event.pull_request.head.sha }} )
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          submodules: recursive
+
+      - name: Download
+        uses: actions/download-artifact@v3
+        with:
+          name: compile_commands
+          path: ./be/build_Release
+
+      - name: Run clang-tidy review
         uses: ./.github/actions/clang-tidy-review
         id: review
         with:
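Review bot: The new `clang-tidy` job declares no `permissions:` and, with `ref: ${{ github.event.pull_request.head.sha }}` and `submodules: recursive`, checks out the pull request head before `uses: ./.github/actions/clang-tidy-review` resolves against that checkout, so the local action code run in the job that still holds the default (commenting) token comes from the pull request rather than the base branch; this looks like the same exposure the commit message describes, moved one job later. The `compile_commands` artifact handed from `preparation` to `clang-tidy` is likewise produced by the pull request's `build.sh` and should be treated as untrusted input to the review action. Two mitigations fit here: give the job an explicit minimal grant, `permissions:` with `contents: read` and `pull-requests: write` (three lines after `runs-on: ubuntu-22.04`), and take the action directory from the base ref (`${{ github.event.pull_request.base.sha }}`, or a pinned remote ref) so that only trusted action code executes with that token. The `with:` block of the review step continues outside the hunk.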
@@ -103,4 +134,4 @@ jobs:
 
       # clang-tidy review not required now
       # - if: steps.review.outputs.total_comments > 0
-      #   run: exit 1
\ No newline at end of file
+      #   run: exit 1
diff --git a/be/sonar-project.properties b/sonar-project.properties
similarity index 100%
rename from be/sonar-project.properties
rename to sonar-project.properties

