-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
109 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| name: Resyntax Analysis | ||
|
|
||
| # The Resyntax integration is split into two phases: a workflow that analyzes the code and uploads | ||
| # the analysis as an artifact, and a workflow that downloads the analysis artifact and creates a | ||
| # review of the pull request. This split is for permissions reasons; the analysis workflow checks out | ||
| # the pull request branch and compiles it, executing arbitrary code as it does so. For that reason, | ||
| # the first workflow has read-only permissions in the github repository. The second workflow only | ||
| # downloads the pull request review artifact and submits it, and it executes with read-write permissions | ||
| # without executing any code in the repository. This division of responsibilities allows Resyntax to | ||
| # safely analyze pull requests from forks. This strategy is outlined in the following article: | ||
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: | ||
| - opened | ||
| - reopened | ||
| - synchronize | ||
| - ready_for_review | ||
|
|
||
| jobs: | ||
| analyze: | ||
| runs-on: ubuntu-latest | ||
| if: ${{ github.triggering_actor != 'resyntax-ci[bot]' }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3.3.0 | ||
| # See https://github.com/actions/checkout/issues/118. | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Install Racket | ||
| uses: Bogdanp/setup-racket@v1.9.1 | ||
| with: | ||
| architecture: 'x64' | ||
| distribution: 'full' | ||
| variant: 'CS' | ||
| version: 'current' | ||
| sudo: never | ||
| dest: '"${HOME}/racket"' | ||
| local_catalogs: $GITHUB_WORKSPACE | ||
| packages: resyntax | ||
| - name: Install local packages | ||
| run: raco pkg install --auto disposable disposable-test | ||
| - name: Analyze changed files | ||
| run: racket -l- resyntax/cli analyze --local-git-repository . "origin/${GITHUB_BASE_REF}" --output-as-github-review --output-to-file ./resyntax-review.json | ||
| - name: Upload analysis artifact | ||
| uses: actions/upload-artifact@v3.1.2 | ||
| with: | ||
| name: resyntax-review | ||
| path: resyntax-review.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| name: Resyntax Review Submission | ||
|
|
||
| # The Resyntax integration is split into two workflows. See ./resyntax-analyze.yml for details about | ||
| # why it works this way. | ||
|
|
||
| on: | ||
| workflow_run: | ||
| workflows: ["Resyntax Analysis"] | ||
| types: | ||
| - completed | ||
|
|
||
| jobs: | ||
| review: | ||
| runs-on: ubuntu-latest | ||
| if: > | ||
| ${{ github.event.workflow_run.event == 'pull_request' && | ||
| github.event.workflow_run.conclusion == 'success' }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| permissions: | ||
| pull-requests: write | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3.3.0 | ||
| - name: Download Resyntax analysis | ||
| # This uses a github script instead of the download-artifact action because | ||
| # that action doesn't work for artifacts uploaded by other workflows. See | ||
| # https://github.com/actions/download-artifact/issues/130 for more info. | ||
| uses: actions/github-script@v6.4.0 | ||
| with: | ||
| script: | | ||
| var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| run_id: ${{github.event.workflow_run.id}}, | ||
| }); | ||
| var matchArtifact = artifacts.data.artifacts.filter((artifact) => { | ||
| return artifact.name == "resyntax-review" | ||
| })[0]; | ||
| var download = await github.rest.actions.downloadArtifact({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| artifact_id: matchArtifact.id, | ||
| archive_format: 'zip', | ||
| }); | ||
| var fs = require('fs'); | ||
| fs.writeFileSync('${{github.workspace}}/resyntax-review.zip', Buffer.from(download.data)); | ||
| - run: unzip resyntax-review.zip | ||
| - name: Create pull request review | ||
| uses: actions/github-script@v6.4.0 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| script: | | ||
| var create_review_request = require('./resyntax-review.json'); | ||
| await github.rest.pulls.createReview(create_review_request); |