From 3a1060acc8e2164cb7f36b70b46ff4df999420c0 Mon Sep 17 00:00:00 2001
From: Pierre Dumont
Date: Sat, 21 Oct 2023 00:34:35 +0200
Subject: [PATCH] add new job with all checks

---
 .github/workflows/test_custom_executor.yml | 39 ++++++++++++++++++-
 .../github_custom_executor/before_script.sh | 13 ++++++-
 2 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test_custom_executor.yml b/.github/workflows/test_custom_executor.yml
index 1ab0321..d1c81e6 100644
--- a/.github/workflows/test_custom_executor.yml
+++ b/.github/workflows/test_custom_executor.yml
@@ -24,4 +24,41 @@ jobs:
 steps:
 - name: Check out Repository
 uses: actions/checkout@v4
- - run: echo "Job is run after YSNP verification using only user check!"
\ No newline at end of file
+ - run: echo "Job is run after YSNP verification using only user check!"
+
+ Test-job-all-checks-YSNP:
+ runs-on: self-hosted
+ container:
+ image: alpine:3.18.4@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
+ steps:
+ - name: Check out Repository
+ uses: actions/checkout@v4
+ - run: echo "Job is run after YSNP verification using image + script + hash check!"
+
+# this is the youshallnotpass_config on Vault
+# echo -n '{
+# "jobs": [
+# {
+# "jobName": "Test-job-only-ask-mfa-YSNP",
+# "checks": [
+# {
+# "name": "mfaRequired"
+# }
+# ]
+# },
+# {
+# "jobName": "Test-job-all-checks-YSNP",
+# "checks": [
+# {
+# "name": "mfaRequired"
+# },
+# {
+# "name": "imageHash"
+# },
+# {
+# "name": "scriptHash"
+# }
+# ]
+# }
+# ]
+# }' | vault kv put your_mount_root/your_github_username_or_organization/project_name/youshallnotpass_config -
\ No newline at end of file
diff --git a/custom_executors/github_custom_executor/before_script.sh b/custom_executors/github_custom_executor/before_script.sh
index 377bf58..200f409 100755
--- a/custom_executors/github_custom_executor/before_script.sh
+++ b/custom_executors/github_custom_executor/before_script.sh
@@ -66,13 +66,24 @@ export CI_JOB_NAME="$GITHUB_JOB" export CI_USER_EMAIL="$GITHUB_ACTOR" # Clone the workflow's repo -if [[ ! -d "${GITHUB_WORKSPACE}" || -z "${GITHUB_WORKSPACE}" ]]; then +# For some reason, the repo is not yet cloned at this stage and GITHUB_TOKEN is not available +# TODO: improve me +if [[ ! -d "${GITHUB_WORKSPACE}" || -z "$(ls -A ${GITHUB_WORKSPACE})" ]]; then # set those variables in profile.sh to git clone a private repo if [ -n "${GITHUB_USER}" ] && [ -n "${GITHUB_TOKEN}" ]; then git clone "https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" "${GITHUB_WORKSPACE}" else git clone "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" "${GITHUB_WORKSPACE}" fi +else + # repo already exists, force update it + cd "${GITHUB_WORKSPACE}" + if [ -n "${GITHUB_USER}" ] && [ -n "${GITHUB_TOKEN}" ]; then + git remote set-url origin "https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" + fi + git fetch --all + # fails sometimes... + # git reset --hard "${GITHUB_REF}" fi # Checkout the current sha
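Review bot: The new else branch's `git remote set-url origin "https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}"` writes the token into `.git/config` of a workspace that, by the branch's own premise, persists between jobs on the self-hosted runner, so every later step or job that lands on that runner can read it back (and `git remote -v` prints it in the job log). The clone branch has the same exposure, but that is pre-existing; for the update path, hand the credential to the one `fetch` that needs it through a one-shot `-c http.https://github.com/.extraheader=…` config, as sketched below, so nothing is left on disk. Two smaller points in the same hunk: `cd "${GITHUB_WORKSPACE}"` has no `|| exit 1`, so if it fails the fetch runs in whatever directory the script was in (whether `set -e` is active is not visible here), and the new condition's `ls -A ${GITHUB_WORKSPACE}` leaves the path unquoted. The commented-out `git reset --hard "${GITHUB_REF}"` most likely "fails sometimes" because `GITHUB_REF` names a branch ref (`refs/heads/…`) that a fetch stores under `refs/remotes/origin/`, not locally; if the `# Checkout the current sha` section that continues past the hunk already pins the working tree to `GITHUB_SHA`, the dead comment can simply go.
```shell
if [[ ! -d "${GITHUB_WORKSPACE}" || -z "$(ls -A "${GITHUB_WORKSPACE}")" ]]; then
  # … unchanged: clone branch …
else
  # repo already exists, force update it
  cd "${GITHUB_WORKSPACE}" || exit 1
  if [ -n "${GITHUB_USER}" ] && [ -n "${GITHUB_TOKEN}" ]; then
    # one-shot credential for this fetch only: not written to .git/config,
    # so it does not outlive the job in the persistent workspace
    auth=$(printf '%s:%s' "${GITHUB_USER}" "${GITHUB_TOKEN}" | base64 | tr -d '\n')
    git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth}" fetch --all
  else
    git fetch --all
  fi
fi
```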