Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security fix for self-comment-ci.yml #35548

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Security fix for self-comment-ci.yml #35548

wants to merge 6 commits into from
+289 −0

Conversation

ydshieh
Copy link
Collaborator

@ydshieh ydshieh commented Jan 7, 2025

No description provided.

@HuggingFaceDocBuilderDev
Copy link

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@ydshieh ydshieh marked this pull request as ready for review January 7, 2025 17:04
ydshieh
ydshieh commented Jan 7, 2025
View reviewed changes
.github/workflows/self-comment-ci.yml
id: get_sha
env:
PR_NUMBER: ${{ needs.get-pr-number.outputs.PR_NUMBER }}
COMMENT_DATE: ${{ github.event.comment.created_at }}
Copy link
Collaborator Author

@ydshieh ydshieh Jan 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

COMMENT_DATE: ${{ github.event.comment.created_at }}

new for security

ydshieh
ydshieh commented Jan 7, 2025
View reviewed changes
.github/workflows/self-comment-ci.yml
Comment on lines +62 to +72
git fetch origin refs/pull/$PR_NUMBER/merge:refs/remotes/pull/$PR_NUMBER/merge
git checkout refs/remotes/pull/$PR_NUMBER/merge
PR_MERGE_COMMIT_TIMESTAMP=$(git log -1 --date=unix --format=%cd)
echo "PR_MERGE_COMMIT_TIMESTAMP: $PR_MERGE_COMMIT_TIMESTAMP"
COMMENT_TIMESTAMP=$(date -d "${COMMENT_DATE}" +"%s")
echo "PR_HEAD_SHA: $COMMENT_DATE"
echo "COMMENT_TIMESTAMP: $COMMENT_TIMESTAMP"
if [ $COMMENT_TIMESTAMP -le $PR_MERGE_COMMIT_TIMESTAMP ]; then
echo "Last commit on the pull request is newer than the issue comment triggering this run! Abort!";
exit -1;
fi
Copy link
Collaborator Author

@ydshieh ydshieh Jan 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

new for security

from the line git fetch origin refs/pull/$PR_NUMBER/merge:refs/remotes/pull/$PR_NUMBER/merge to here

Copy link
Collaborator Author

@ydshieh ydshieh Jan 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently I am using the merge commit.

(merge commit = PR head commit merged with main )

Merge commit might change if there is a push or merge to the main branch. So it would be better to use the head commit of the PR instead.

@ydshieh ydshieh requested a review from ArthurZucker January 7, 2025 17:09
@ydshieh
Copy link
Collaborator Author

ydshieh commented Jan 7, 2025

a failing run looks like this

glegendre01
glegendre01 approved these changes Jan 8, 2025
View reviewed changes
Copy link
Contributor

@glegendre01 glegendre01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@glegendre01 glegendre01 glegendre01 approved these changes

@ArthurZucker ArthurZucker Awaiting requested review from ArthurZucker ArthurZucker is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ydshieh @HuggingFaceDocBuilderDev @glegendre01