Pull Request Target
Previously, the actions tied to pull requests executed on the pull_request
event, which resulted in them not having access to the secrets required for
them to execute. At the beginning of August, GitHub added the
pull_request_target event, which operates in a similar way except that only
actions in the base commit would execute, ensuring that it was safe to expose
secrets. This change updates the pull request actions to use
pull_request_target, ensuring that they are always functional.

Signed-off-by: Ben Hale <[email protected]>
nebhale committed Oct 14, 2020
1 parent 1765c4c commit 54b7b5a
Showing 1 changed file with 35 additions and 17 deletions.
52 changes: 35 additions & 17 deletions .github/workflows/update-draft-release.yml
@@ -13,12 +13,6 @@ jobs:
uses: release-drafter/release-drafter@v5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Docker login gcr.io
uses: docker/login-action@v1
with:
password: ${{ secrets.JAVA_GCLOUD_SERVICE_ACCOUNT_KEY }}
registry: gcr.io
username: _json_key
- uses: actions/checkout@v2
- name: Install yj
run: |
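Review bot: the safety argument in the commit message (only base-commit actions run under pull_request_target) depends on `uses: actions/checkout@v2` keeping its default ref, which is the base commit, while `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is in scope; this hunk does not show the `on:` block, so confirm the trigger there and keep the checkout free of any `ref:` pointing at the pull request head, since the `buildpack.toml`/`builder.toml`/`package.toml` read by the later steps come from whatever is checked out. Removing the `docker/login-action@v1` step also takes `JAVA_GCLOUD_SERVICE_ACCOUNT_KEY` out of this job, which is the right direction, but it means the `crane export` calls further down now pull without registry credentials, so every image they reference has to be publicly pullable or the step fails.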
@@ -45,31 +39,55 @@ jobs:
set -euo pipefail
PAYLOAD=$(yj -tj < buildpack.toml | jq '{ primary: . }')
PAYLOAD="{}"
if [[ -e buildpack.toml ]]; then
PAYLOAD=$(jq -n -r \
--argjson PAYLOAD "${PAYLOAD}" \
--argjson BUILDPACK "$(yj -tj < buildpack.toml)" \
'$PAYLOAD | .primary = $BUILDPACK')
fi
if [[ -e builder.toml ]]; then
PAYLOAD=$(jq -n -r \
--argjson PAYLOAD "${PAYLOAD}" \
--argjson BUILDER "$(yj -tj < builder.toml)" \
'$PAYLOAD | .primary = $BUILDER')
for BUILDPACK in $(
jq -n -r \
--argjson PAYLOAD "${PAYLOAD}" \
'$PAYLOAD.primary.buildpacks[].image'
); do
crane export "${BUILDPACK}" - | tar xf - --absolute-names --strip-components 1 --wildcards "/cnb/buildpacks/*/*/buildpack.toml"
done
fi
if [[ -e package.toml ]]; then
for PACKAGE in $(yj -t < package.toml | jq -r '.dependencies[].image'); do
PAYLOAD=$(jq -n -r \
--argjson PAYLOAD "${PAYLOAD}" \
--argjson BUILDPACK "$(crane export "${PACKAGE}" - \
| tar xOf - --absolute-names --wildcards "/cnb/buildpacks/*/*/buildpack.toml" \
| yj -tj)" \
'$PAYLOAD | .buildpacks += [ $BUILDPACK ]')
crane export "${PACKAGE}" - | tar xf - --absolute-names --strip-components 1 --wildcards "/cnb/buildpacks/*/*/buildpack.toml"
done
fi
while IFS= read -r -d '' FILE; do
PAYLOAD=$(jq -n -r \
--argjson PAYLOAD "${PAYLOAD}" \
--argjson BUILDPACK "$(yj -tj < "${FILE}")" \
'$PAYLOAD | .buildpacks += [ $BUILDPACK ]')
done < <(find buildpacks -name buildpack.toml -print0)
jq -n -r \
--argjson PAYLOAD "${PAYLOAD}" \
--arg RELEASE_NAME "${RELEASE_NAME}" \
'"\($PAYLOAD.primary.buildpack.name) \($RELEASE_NAME)"' \
'( select($PAYLOAD.primary.buildpack.name) | "\($PAYLOAD.primary.buildpack.name) \($RELEASE_NAME)" ) // "\($RELEASE_NAME)"' \
> "${HOME}"/name
jq -n -r \
--argjson PAYLOAD "${PAYLOAD}" \
--arg RELEASE_BODY "${RELEASE_BODY}" \
'
def id(b):
"**ID**: `\(b.buildpack.id)`"
select(b.buildpack.id) | "**ID**: `\(b.buildpack.id)`"
;
def included_buildpackages(b): [
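Review bot: the two new `crane export "${...}" - | tar xf - --absolute-names --strip-components 1 --wildcards "/cnb/buildpacks/*/*/buildpack.toml"` lines write image contents into the workspace with tar's stripping of leading `/` and rejection of `..` members switched off by `--absolute-names`, and the image references come from `builder.toml`/`package.toml` in the checkout; the previous version read the member to stdout with `tar xOf -` and never wrote paths from the archive, which is the safer shape. Either keep the `xOf` approach and build `PAYLOAD` from stdout as before, or drop `--absolute-names` and anchor the extraction under a fresh directory so a crafted layer cannot place a `buildpack.toml` outside `buildpacks/` before `find buildpacks -name buildpack.toml -print0` picks it up. Separately, `for BUILDPACK in $(jq -n -r ... '$PAYLOAD.primary.buildpacks[].image')` and the `$(yj -tj < builder.toml)` substitution are not failed by `set -euo pipefail` (command substitution status in a `for` list and in an argument is ignored), so a malformed file produces an empty loop or a bad `--argjson` rather than a visible error; capture each into a variable first and check `$?`.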
@@ -98,7 +116,7 @@ jobs:
"#### Dependencies:",
"Name | Version | SHA256",
":--- | :------ | :-----",
( d | sort_by(.name | ascii_downcase) | map("\(.name) | `\(.version)` | `\(.sha256)`")),
( d | sort_by(.name // .id | ascii_downcase) | map("\(.name // .id) | `\(.version)` | `\(.sha256)`")),
""
];
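Review bot: `sort_by(.name // .id | ascii_downcase)` and `\(.name // .id)` now admit dependency entries that carry `id` rather than `name`, but the row still interpolates `\(.sha256)` unconditionally, so any such entry without a digest renders a literal `null` in the SHA256 column; use `(.sha256 // "")` or guard the cell with `select(.sha256)`, the same way `select(.version)` is used for buildpack groups in the next hunk.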
@@ -109,7 +127,7 @@ jobs:
( o | map([
"ID | Version | Optional",
":- | :------ | :-------",
( .group | map([ "`\(.id)` | `\(.version)`", ( select(.optional) | "| `\(.optional)`" ) ] | join(" ")) ),
( .group | map([ "`\(.id)` | ", (select(.version) | "`\(.version)`"), ( select(.optional) | "| `\(.optional)`" ) ] | join(" ")) ),
""
])),
"</details>",
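Review bot: the header `"ID | Version | Optional"` promises three columns, but the new `.group | map([ "`\(.id)` | ", (select(.version) | "`\(.version)`"), ( select(.optional) | "| `\(.optional)`" ) ] | join(" "))` drops the Optional cell whenever `.optional` is absent or `false` and leaves a dangling `| ` when `.version` is absent, so rows have a varying number of pipes; emit empty cells instead, e.g. `"`\(.id)` | \(.version // "") | \(.optional // "")"`, so the Markdown table stays aligned.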
