From d3db5ee7662d6d56c73f33b52dedd975e0323555 Mon Sep 17 00:00:00 2001
From: Tomas Grosup
Date: Fri, 11 Jul 2025 10:43:26 +0200
Subject: [PATCH 1/2] Further split commenting command - give parsing step reaction permission
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Changes:
Split parsing into separate job with proper permissions to fix reaction failures
Rename detect-and-run → run-parsed-command for clarity
Improve failure handling - only apply patches when command execution succeeds
Remove redundant conditions and output duplication
Fixes:
The workflow now properly handles the comment-pipeline action's permission requirements and has better error resilience.
---
 .github/workflows/commands.yml | 36 +++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index 96e75cefc7b..b775f37fd57 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -5,12 +5,11 @@ on:
 types: [created]
 jobs:
- # This first job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
- # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
- # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
- # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
- detect-and-run:
+ parsing_job:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write # Allow adding a reaction via the comment-pipeline
+ pull-requests: write
 outputs:
 command: ${{ steps.parse.outputs.command }}
 arg: ${{ steps.parse.outputs.arguments }}
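Review bot: `parsing_job` now holds `issues: write` and `pull-requests: write`, and the hunk drops the comment that explained why the first job must not have write access, but nothing records the new invariant: a job whose token carries write scopes must run only the trusted parse step and must never check out or execute code from the PR. The job's steps are below the hunk (only the `outputs:` lines referencing `steps.parse` are visible), so I cannot confirm from here that no checkout happens there. A comment above `parsing_job:` such as `# Holds write scopes only so the comment-pipeline can react to the comment; must NOT check out or run anything from the PR` would keep the split-permission design from eroding in later edits. The `jobs:` mapping continues past the hunk.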
@@ -28,11 +27,20 @@ jobs:
 /run test-baseline
 github-token: ${{ secrets.GITHUB_TOKEN }}
+ # This first job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
+ # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
+ # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
+ # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
+ run-parsed-command:
+ needs: parsing_job
+ runs-on: ubuntu-latest
+ if: needs.parsing_job.outputs.command != ''
+ steps:
+
 - name: Checkout the repository
 uses: actions/checkout@v4
 - name: Checkout PR branch
- if: ${{ steps.parse.outputs.command }}
 run: gh auth setup-git && gh pr checkout ${{ github.event.issue.number }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -46,7 +54,7 @@ jobs:
 run: dotnet tool restore
 - name: Setup .NET 9.0.0 Runtime for test execution
- if: ${{ steps.parse.outputs.command == '/run test-baseline' }}
+ if: ${{ needs.parsing_job.outputs.command == '/run test-baseline' }}
 uses: actions/setup-dotnet@v4
 with:
 dotnet-version: '9.0.x'
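Review bot: `run-parsed-command` is the job that checks out and runs PR code (the `gh pr checkout` step is in this hunk), yet its new job header declares no `permissions:` block, so the `GITHUB_TOKEN` it receives falls back to the workflow or repository default, which depending on repository settings may be read-write; the comment restored just above it says the job must not hold `write`, but nothing in the YAML enforces that. Unless a top-level `permissions:` outside this hunk already restricts the token, add after `runs-on: ubuntu-latest` the lines `permissions:` / `  contents: read`, which also forces every unlisted scope to `none` regardless of repository configuration. The restored comment also carries the typo `definiton` (for `definition`). The job's remaining steps continue past the hunk.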
@@ -57,17 +65,17 @@ jobs:
 TEST_UPDATE_BSL: 1
 continue-on-error: true
 run: |
- case "${{ steps.parse.outputs.command }}" in
+ case "${{ needs.parsing_job.outputs.command }}" in
 "/run fantomas") dotnet fantomas . ;;
 "/run xlf") dotnet build src/Compiler /t:UpdateXlf ;;
 "/run ilverify") pwsh tests/ILVerify/ilverify.ps1 ;;
- "/run test-baseline") dotnet test ./FSharp.Compiler.Service.sln --filter "${{ steps.parse.outputs.arguments }}" -c Release || true ;;
+ "/run test-baseline") dotnet test ./FSharp.Compiler.Service.sln --filter "${{ needs.parsing_job.outputs.arg }}" -c Release || true ;;
 *) echo "Unknown command" && exit 1 ;;
 esac
 - name: Create patch & metadata
 id: meta
- if: steps.parse.outputs.command
+ if: needs.parsing_job.outputs.command
 run: |
 echo "run_step_outcome=${{ steps.run-cmd.outcome }}" > result
 if [[ "${{ steps.run-cmd.outcome }}" == "success" ]]; then
@@ -87,12 +95,12 @@ jobs:
 result
 apply-and-report:
- needs: detect-and-run
+ needs: [parsing_job, run-parsed-command]
 runs-on: ubuntu-latest
 permissions:
 contents: write
 pull-requests: write
- if: needs.detect-and-run.outputs.command != ''
+ if: needs.parsing_job.outputs.command != '' && needs.run-parsed-command.result == 'success'
 steps:
 - name: Checkout the repository
 uses: actions/checkout@v4
@@ -121,7 +129,7 @@ jobs:
 git config user.name "GH Actions"
 git config user.email "actions@github.com"
 git add -u
- git commit -m "Apply patch from ${{ needs.detect-and-run.outputs.command }}"
+ git commit -m "Apply patch from ${{ needs.parsing_job.outputs.command }}"
 upstream=$(git rev-parse --abbrev-ref --symbolic-full-name @{u})
 remote=${upstream%%/*}
 branch=${upstream#*/}
@@ -140,7 +148,7 @@ jobs:
 - name: Generate and publish report
 if: always()
 env:
- COMMAND: ${{ needs.detect-and-run.outputs.command }}
+ COMMAND: ${{ needs.parsing_job.outputs.command }}
 OUTCOME: ${{ steps.read-meta.outputs.run_step_outcome }}
 PATCH: ${{ steps.read-meta.outputs.hasPatch }}
 run: |
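Review bot: The `--filter "${{ needs.parsing_job.outputs.arg }}"` line splices a workflow expression straight into the shell script, and as far as this diff shows `arg` is the `arguments` output of the comment parse step, i.e. text taken from the issue comment, so it is interpreted by the shell rather than passed to `--filter` as data; the impact here is bounded because this job already runs PR code, but the same pattern in `git commit -m "Apply patch from ${{ needs.parsing_job.outputs.command }}"` in the `@@ -121` hunk executes inside `apply-and-report`, which holds `contents: write`, and is only safe if the parse step never emits a command outside its configured list, which the diff does not show. The robust form, already used by the `@@ -140` hunk, is to pass both values through `env:` (`COMMAND: ${{ needs.parsing_job.outputs.command }}`, `ARGS: ${{ needs.parsing_job.outputs.arg }}`) and reference `"$COMMAND"` / `"$ARGS"` inside `run:`. Separately, `if: needs.parsing_job.outputs.command` on the meta step is now implied by the job-level `if:` and could be dropped, in line with the commit's stated removal of redundant conditions. The `run-cmd` step's header and the meta step's script both extend outside the hunk.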
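Review bot: The new `needs.run-parsed-command.result == 'success'` condition on `apply-and-report` does not deliver the commit's stated "only apply patches when command execution succeeds", because the command step runs with `continue-on-error: true` (context in the `@@ -57` hunk), so a failing `dotnet fantomas` or the `Unknown command` branch still leaves the job result as `success`; the gate only catches failures in the setup steps. The per-step outcome is already recorded as `run_step_outcome` in the metadata artifact and read back as `steps.read-meta.outputs.run_step_outcome`, so the patch-applying step should be conditioned on it, e.g. `if: steps.read-meta.outputs.run_step_outcome == 'success'`, unless that step, which lies outside the hunk, already does so. The `apply-and-report` job continues past the hunk.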
From 73b29062d81d91bb9788febbcd7df08a666f81c1 Mon Sep 17 00:00:00 2001
From: Tomas Grosup
Date: Fri, 11 Jul 2025 10:44:56 +0200
Subject: [PATCH 2/2] Update .github/workflows/commands.yml
---
 .github/workflows/commands.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index b775f37fd57..c6a96649402 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -27,7 +27,7 @@ jobs:
 /run test-baseline
 github-token: ${{ secrets.GITHUB_TOKEN }}
- # This first job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
+ # This second job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
 # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
 # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
 # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
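Review bot: The comment now opens with "This second job ... runs user-supplied code", but its third line still says "Any write-actions happen in the second job", which after the split points at the very job this comment guards rather than at `apply-and-report`, the job that actually holds `contents: write`. Since the hunk only rewrites the first line, the third should be updated as well, e.g. `# And use it to create branches, spam issues etc. Any write-actions happen in the apply-and-report job, which does not allow`, and `definiton` on the first line should read `definition`. The `run-parsed-command` job definition that this comment introduces continues past the hunk.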