diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index 96e75cefc7b..c6a96649402 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -5,12 +5,11 @@ on:
 types: [created]
 jobs:
- # This first job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
- # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
- # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
- # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
- detect-and-run:
+ parsing_job:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write # Allow adding a reaction via the comment-pipeline
+ pull-requests: write
 outputs:
 command: ${{ steps.parse.outputs.command }}
 arg: ${{ steps.parse.outputs.arguments }}
@@ -28,11 +27,20 @@ jobs:
 /run test-baseline
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ # This second job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
+ # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
+ # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
+ # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
+ run-parsed-command:
+ needs: parsing_job
+ runs-on: ubuntu-latest
+ if: needs.parsing_job.outputs.command != ''
+ steps:
+ - name: Checkout the repository
 uses: actions/checkout@v4
 - name: Checkout PR branch
- if: ${{ steps.parse.outputs.command }}
 run: gh auth setup-git && gh pr checkout ${{ github.event.issue.number }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
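Review bot: `run-parsed-command` declares no `permissions:` block, so its GITHUB_TOKEN receives the repository or workflow default, which may still be read-write on older repositories — exactly the elevation the comment directly above it warns against, and inconsistent with the explicit blocks now present on `parsing_job` and `apply-and-report`. Add a least-privilege block under `runs-on`, `permissions:` / `  contents: read`, adding `pull-requests: read` only if `gh pr checkout` turns out to need it in this repository. The moved comment also reads oddly now that it sits on the second job: it still says write actions happen "in the second job", and "definiton" is misspelled — reword it to name `apply-and-report` as the only job with write scope. The job's steps continue past the end of this hunk.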
@@ -46,7 +54,7 @@ jobs:
 run: dotnet tool restore
 - name: Setup .NET 9.0.0 Runtime for test execution
- if: ${{ steps.parse.outputs.command == '/run test-baseline' }}
+ if: ${{ needs.parsing_job.outputs.command == '/run test-baseline' }}
 uses: actions/setup-dotnet@v4
 with:
 dotnet-version: '9.0.x'
@@ -57,17 +65,17 @@ jobs:
 TEST_UPDATE_BSL: 1
 continue-on-error: true
 run: |
- case "${{ steps.parse.outputs.command }}" in
+ case "${{ needs.parsing_job.outputs.command }}" in
 "/run fantomas") dotnet fantomas . ;;
 "/run xlf") dotnet build src/Compiler /t:UpdateXlf ;;
 "/run ilverify") pwsh tests/ILVerify/ilverify.ps1 ;;
- "/run test-baseline") dotnet test ./FSharp.Compiler.Service.sln --filter "${{ steps.parse.outputs.arguments }}" -c Release || true ;;
+ "/run test-baseline") dotnet test ./FSharp.Compiler.Service.sln --filter "${{ needs.parsing_job.outputs.arg }}" -c Release || true ;;
 *) echo "Unknown command" && exit 1 ;;
 esac
 - name: Create patch & metadata
 id: meta
- if: steps.parse.outputs.command
+ if: needs.parsing_job.outputs.command
 run: |
 echo "run_step_outcome=${{ steps.run-cmd.outcome }}" > result
 if [[ "${{ steps.run-cmd.outcome }}" == "success" ]]; then
@@ -87,12 +95,12 @@ jobs:
 result
 apply-and-report:
- needs: detect-and-run
+ needs: [parsing_job, run-parsed-command]
 runs-on: ubuntu-latest
 permissions:
 contents: write
 pull-requests: write
- if: needs.detect-and-run.outputs.command != ''
+ if: needs.parsing_job.outputs.command != '' && needs.run-parsed-command.result == 'success'
 steps:
 - name: Checkout the repository
 uses: actions/checkout@v4
@@ -121,7 +129,7 @@ jobs:
 git config user.name "GH Actions"
 git config user.email "actions@github.com"
 git add -u
- git commit -m "Apply patch from ${{ needs.detect-and-run.outputs.command }}"
+ git commit -m "Apply patch from ${{ needs.parsing_job.outputs.command }}"
 upstream=$(git rev-parse --abbrev-ref --symbolic-full-name @{u})
 remote=${upstream%%/*}
 branch=${upstream#*/}
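Review bot: The rewritten `/run test-baseline` branch still splices `needs.parsing_job.outputs.arg` into the shell script through `${{ }}`; that value is presumably the free-form remainder of the triggering comment, so quotes or shell metacharacters in it become part of the command line instead of staying inside the `--filter` string. This predates the rename, but since the line is being touched anyway, pass the value through the step's `env:` and read it as a shell variable: `ARG: ${{ needs.parsing_job.outputs.arg }}` under `env:`, then `--filter "$ARG"` in the `case` branch; the `case "${{ needs.parsing_job.outputs.command }}"` subject can take the same treatment even though that value is constrained to the parsed command list. The step's `name`, `id` and the start of its `env:` mapping sit above this hunk.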
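Review bot: The new `&& needs.run-parsed-command.result == 'success'` guard skips `apply-and-report` entirely whenever the command job fails (checkout, tool restore or SDK setup errors), so its `Generate and publish report` step with `if: always()` never runs and the commenter gets no feedback, whereas the previous `needs.detect-and-run` gate reported regardless of outcome. If failures should still be reported, gate the job on `if: always() && needs.parsing_job.outputs.command != '' && needs.run-parsed-command.result != 'skipped'` and let the patch-apply steps check `needs.run-parsed-command.result` themselves; if silence on failure is intended, a comment on the `if:` line saying so would help the next reader. The job's steps continue beyond this hunk.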
@@ -140,7 +148,7 @@ jobs:
 - name: Generate and publish report
 if: always()
 env:
- COMMAND: ${{ needs.detect-and-run.outputs.command }}
+ COMMAND: ${{ needs.parsing_job.outputs.command }}
 OUTCOME: ${{ steps.read-meta.outputs.run_step_outcome }}
 PATCH: ${{ steps.read-meta.outputs.hasPatch }}
 run: |