From 9b01a3419101d2fd03eaa10f7495f7d03c6adf95 Mon Sep 17 00:00:00 2001
From: Tom Hu <88201630+thomasrockhu-codecov@users.noreply.github.com>
Date: Tue, 17 Dec 2024 11:37:41 -0300
Subject: [PATCH] fix: prevent oidc on tokenless due to permissioning (#1724)
---
 CHANGELOG.md | 2 +-
 Makefile | 2 +-
 action.yml | 24 +++++++++++++++++++++---
 changelog.py | 3 +-
 src/version | 2 +-
 5 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5e4ffa2e5..48845849a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -993,4 +993,4 @@ for the full list.
 ### Dependencies and Misc
 - #166 Bump requestretry from 4.1.1 to 4.1.2
 - #169 Bump typescript from 4.0.5 to 4.1.2
-- #178 Bump @types/jest from 26.0.15 to 26.0.19
\ No newline at end of file
+- #178 Bump @types/jest from 26.0.15 to 26.0.19
diff --git a/Makefile b/Makefile
index 990840789..f335ab324 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 deploy:
- $(eval VERSION := $(shell cat src/version | grep 'CODECOV_ACTION_VERSION=' | cut -d\" -f2))
+ $(eval VERSION := $(shell cat src/version))
 git tag -d v5
 git push origin :v5
 git tag v5
diff --git a/action.yml b/action.yml
index f3575da4b..9071979f6 100644
--- a/action.yml
+++ b/action.yml
@@ -157,7 +157,7 @@ runs:
 - name: Action version
 shell: bash
 run: |
- CC_ACTION_VERSION=$(cat ${GITHUB_ACTION_PATH}/src/version | grep 'CODECOV_ACTION_VERSION=' | cut -d\" -f2)
+ CC_ACTION_VERSION=$(cat ${GITHUB_ACTION_PATH}/src/version)
 echo -e "\033[0;32m==>\033[0m Running Action version $CC_ACTION_VERSION"
 - name: Set safe directory
 if: ${{ inputs.disable_safe_directory != 'true' }}
@@ -165,20 +165,38 @@ runs:
 run: |
 git config --global --add safe.directory ${{ github.workspace }}
+ - name: Set fork
+ shell: bash
+ run: |
+ if [ -n "$GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME" ] && [ "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "$GITHUB_REPOSITORY" ];
+ then
+ echo -e "\033[0;32m==>\033[0m Fork detected"
+ CC_FORK="true"
+ echo "CC_FORK=$CC_FORK" >> "$GITHUB_ENV"
+ fi
+ env:
+ GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL: ${{ github.event.pull_request.head.label }}
+ GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
+
+
 - name: Get and set token
 shell: bash
 run: |
- if [ "${{ inputs.use_oidc }}" == 'true' ];
+ if [ "${{ inputs.use_oidc }}" == 'true' && "$CC_FORK" != 'true'];
 then
 # {"count":1984,"value":"***"}
+ echo -e "\033[0;32m==>\033[0m Requesting OIDC token from ${ACTION_ID_TOKEN_REQUEST_URL}"
 CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://codecov.io" | cut -d\" -f6)
 echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
 elif [ -n "${{ env.CODECOV_TOKEN }}" ];
 then
+ echo -e "\033[0;32m==>\033[0m Token from from env"
 echo "CC_TOKEN=${{ env.CODECOV_TOKEN }}" >> "$GITHUB_ENV"
 else
 if [ -n "${{ inputs.token }}" ];
 then
+ echo -e "\033[0;32m==>\033[0m Token set from input"
 CC_TOKEN=$(echo "${{ inputs.token }}" | tr -d '\n')
 echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
 fi
@@ -187,7 +205,7 @@ runs:
 - name: Override branch for forks
 shell: bash
 run: |
- if [ -z "$CC_BRANCH" ] && [ -z "$CC_TOKEN" ] && [ -n "$GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME" ] && [ "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "$GITHUB_REPOSITORY" ];
+ if [ -z "$CC_BRANCH" ] && [ -z "$CC_TOKEN" ] && [ "$CC_FORK" == 'true' ]
 then
 echo -e "\033[0;32m==>\033[0m Fork detected, tokenless uploading used"
 TOKENLESS="$GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL"
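Review bot: The new OIDC condition `if [ "${{ inputs.use_oidc }}" == 'true' && "$CC_FORK" != 'true'];` in the Get and set token step is not valid test syntax: `[` does not accept `&&` (bash parses it as a list operator, so the first command is `[ "true" == 'true'` with no closing `]`, which errors) and the final `]` has no space before it, so the branch can never be taken. The practical effect is that OIDC is silently never used even when `use_oidc` is true, and the step falls through to `env.CODECOV_TOKEN`, `inputs.token`, or — via the Override branch for forks hunk below, whose `[ -z "$CC_TOKEN" ]` check then passes — a tokenless upload, with nothing in the log explaining why. Write it as two test commands like the fork check in the Set fork step: `if [ "${{ inputs.use_oidc }}" == 'true' ] && [ "$CC_FORK" != 'true' ];`. Separately, the added log line reads `${ACTION_ID_TOKEN_REQUEST_URL}` while the curl on the next line uses `$ACTIONS_ID_TOKEN_REQUEST_URL`, so it prints an empty URL, and `Token from from env` has a doubled word. The `run:` script of this step, and its `env:` block, continue outside the hunk.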
diff --git a/changelog.py b/changelog.py
index 059d91f29..da28b7c8e 100644
--- a/changelog.py
+++ b/changelog.py
@@ -4,8 +4,7 @@ def update_changelog():
 with open('src/version', 'r') as f:
- raw_version = f.read()
- version = re.search('\"(.*)\"', raw_version).groups()[0]
+ version = f.read()
 changelog = [f"## v{version}"]
 changelog.append("### What\'s Changed")
diff --git a/src/version b/src/version
index be682e9dc..ac14c3dfa 100644
--- a/src/version
+++ b/src/version
@@ -1 +1 @@
-CODECOV_ACTION_VERSION="5.1.1"
+5.1.1
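Review bot: `version = f.read()` keeps whatever trailing newline `src/version` carries, whereas the removed `re.search` line captured only the quoted value; the `src/version` hunk below shows no "No newline at end of file" marker, so the file does end with one and `f"## v{version}"` becomes a heading with an embedded newline. Strip the read value: `version = f.read().strip()`. With the regex gone, the `re` import may now be unused in this file; its import line is outside the hunk, so check before removing it. The rest of `update_changelog` continues past the end of the hunk.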