From 54b7b5ad5b3160a03a1072ac73dec7eee1f552a9 Mon Sep 17 00:00:00 2001 From: Ben Hale Date: Wed, 14 Oct 2020 07:00:18 -0700 Subject: [PATCH] Pull Request Target Previously, the actions tied to pull requests executed on the pull_request event, which resulted in them not having access to the secrets required for them to execute. At the beginning of August, GitHub added the pull_request_target event which operates in a similar way except only actions in the base commit would execute ensuring that it was safe to expose secrets. This change updates the pull request actions to use pull_request_target, ensuring that they are always functional. Signed-off-by: Ben Hale --- .github/workflows/update-draft-release.yml | 52 +++++++++++++++------- 1 file changed, 35 insertions(+), 17 deletions(-) diff --git a/.github/workflows/update-draft-release.yml b/.github/workflows/update-draft-release.yml index f48bc48..5a09950 100644 --- a/.github/workflows/update-draft-release.yml +++ b/.github/workflows/update-draft-release.yml @@ -13,12 +13,6 @@ jobs: uses: release-drafter/release-drafter@v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Docker login gcr.io - uses: docker/login-action@v1 - with: - password: ${{ secrets.JAVA_GCLOUD_SERVICE_ACCOUNT_KEY }} - registry: gcr.io - username: _json_key - uses: actions/checkout@v2 - name: Install yj run: | @@ -45,23 +39,47 @@ jobs: set -euo pipefail - PAYLOAD=$(yj -tj < buildpack.toml | jq '{ primary: . }') + PAYLOAD="{}" + + if [[ -e buildpack.toml ]]; then + PAYLOAD=$(jq -n -r \ + --argjson PAYLOAD "${PAYLOAD}" \ + --argjson BUILDPACK "$(yj -tj < buildpack.toml)" \ + '$PAYLOAD | .primary = $BUILDPACK') + fi + + if [[ -e builder.toml ]]; then + PAYLOAD=$(jq -n -r \ + --argjson PAYLOAD "${PAYLOAD}" \ + --argjson BUILDER "$(yj -tj < builder.toml)" \ + '$PAYLOAD | .primary = $BUILDER') + + for BUILDPACK in $( + jq -n -r \ + --argjson PAYLOAD "${PAYLOAD}" \ + '$PAYLOAD.primary.buildpacks[].image' + ); do + crane export "${BUILDPACK}" - | tar xf - --absolute-names --strip-components 1 --wildcards "/cnb/buildpacks/*/*/buildpack.toml" + done + fi if [[ -e package.toml ]]; then for PACKAGE in $(yj -t < package.toml | jq -r '.dependencies[].image'); do - PAYLOAD=$(jq -n -r \ - --argjson PAYLOAD "${PAYLOAD}" \ - --argjson BUILDPACK "$(crane export "${PACKAGE}" - \ - | tar xOf - --absolute-names --wildcards "/cnb/buildpacks/*/*/buildpack.toml" \ - | yj -tj)" \ - '$PAYLOAD | .buildpacks += [ $BUILDPACK ]') + crane export "${PACKAGE}" - | tar xf - --absolute-names --strip-components 1 --wildcards "/cnb/buildpacks/*/*/buildpack.toml" done fi + while IFS= read -r -d '' FILE; do + PAYLOAD=$(jq -n -r \ + --argjson PAYLOAD "${PAYLOAD}" \ + --argjson BUILDPACK "$(yj -tj < "${FILE}")" \ + '$PAYLOAD | .buildpacks += [ $BUILDPACK ]') + done < <(find buildpacks -name buildpack.toml -print0) + jq -n -r \ --argjson PAYLOAD "${PAYLOAD}" \ --arg RELEASE_NAME "${RELEASE_NAME}" \ - '"\($PAYLOAD.primary.buildpack.name) \($RELEASE_NAME)"' \ + '( select($PAYLOAD.primary.buildpack.name) | "\($PAYLOAD.primary.buildpack.name) \($RELEASE_NAME)" ) // "\($RELEASE_NAME)"' \ > "${HOME}"/name jq -n -r \ @@ -69,7 +87,7 @@ jobs: --arg RELEASE_BODY "${RELEASE_BODY}" \ ' def id(b): - "**ID**: `\(b.buildpack.id)`" + select(b.buildpack.id) | "**ID**: `\(b.buildpack.id)`" ; def included_buildpackages(b): [ @@ -98,7 +116,7 @@ jobs: "#### Dependencies:", "Name | Version | SHA256", ":--- | :------ | :-----", - ( d | sort_by(.name | ascii_downcase) | map("\(.name) | `\(.version)` | `\(.sha256)`")), + ( d | sort_by(.name // .id | ascii_downcase) | map("\(.name // .id) | `\(.version)` | `\(.sha256)`")), "" ]; @@ -109,7 +127,7 @@ jobs: ( o | map([ "ID | Version | Optional", ":- | :------ | :-------", - ( .group | map([ "`\(.id)` | `\(.version)`", ( select(.optional) | "| `\(.optional)`" ) ] | join(" ")) ), + ( .group | map([ "`\(.id)` | ", (select(.version) | "`\(.version)`"), ( select(.optional) | "| `\(.optional)`" ) ] | join(" ")) ), "" ])), "",