[security] Fix exposed push tokens through gh workflow_run #379

Merged
merged 10 commits into from
Jun 7, 2023
4 changes: 3 additions & 1 deletion .github/workflows/build_main_documentation.yml
Expand Up @@ -41,6 +41,8 @@ on:
default: "src/"
description: "Suffix to add after the version tag (e.g. 1.3.0 or main) in the documentation links."
secrets:
hf_token:
required: true
token:
required: false

Expand Down Expand Up @@ -172,7 +174,7 @@ jobs:
- name: Push to repositories
run: |
cd build_dir
doc-builder push ${{ env.package_name }} --doc_build_repo_id "hf-doc-build/doc-build" --token "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" --commit_msg "Updated with commit ${{ inputs.commit_sha }} See: https://github.com/${{ inputs.repo_owner }}/${{ inputs.package }}/commit/${{ inputs.commit_sha }}" --n_retries 5 --upload_version_yml
doc-builder push ${{ env.package_name }} --doc_build_repo_id "hf-doc-build/doc-build" --token "${{ secrets.hf_token }}" --commit_msg "Updated with commit ${{ inputs.commit_sha }} See: https://github.com/${{ inputs.repo_owner }}/${{ inputs.package }}/commit/${{ inputs.commit_sha }}" --n_retries 5 --upload_version_yml
cd ..

if [ -d "notebook_dir" ]
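Review bot: The new push line expands `${{ secrets.hf_token }}` directly into the `run: |` script, so the secret is substituted into the shell source and lands on the doc-builder command line instead of being read from the environment. Prefer mapping it into the step with `env: HF_TOKEN: ${{ secrets.hf_token }}` and passing `--token "$HF_TOKEN"`; the same applies to the push step of the new upload_pr_documentation.yml. The literal token deleted on the previous line remains in repository history, so it should be treated as exposed and revoked independently of this change. The step's `run:` block continues past the hunk.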
51 changes: 6 additions & 45 deletions .github/workflows/build_pr_documentation.yml
Expand Up @@ -23,8 +23,6 @@ on:
languages:
# supply space-separated language codes
type: string
hub_base_path:
type: string
package_path:
type: string
install_rust:
Expand All @@ -42,9 +40,6 @@ on:
type: string
default: "src/"
description: "Suffix to add after the version tag (e.g. 1.3.0 or main) in the documentation links."
secrets:
token:
required: false

jobs:
build_pr_documentation:
Expand All @@ -70,12 +65,6 @@ jobs:

- name: Set env variables
run: |
if [ -z "${{ secrets.token }}" ]
then
echo "comment_bot_token=$(echo 'ghp_'$(wget -qO- lysand.re/doc-build-dev)'bm')" >> $GITHUB_ENV
else
echo "comment_bot_token=${{ secrets.token }}" >> $GITHUB_ENV
fi
if [ -z "${{ inputs.path_to_docs }}" ]
then
echo "doc_folder=${{ inputs.package }}/docs/source" >> $GITHUB_ENV
Expand All @@ -90,13 +79,6 @@ jobs:
else
package_name=${{ inputs.package_name }}
fi
if [ -z "${{ inputs.hub_base_path }}" ]
then
echo "hub_docs_url=https://moon-ci-docs.huggingface.co/docs/$package_name/pr_${{ inputs.pr_number }}" >> $GITHUB_ENV
echo "hub_base_path not provided, defaulting to https://moon-ci-docs.huggingface.co/docs"
else
echo "hub_docs_url=${{ inputs.hub_base_path }}/$package_name/pr_${{ inputs.pr_number }}" >> $GITHUB_ENV
fi

if [ -z "${{ inputs.package_name }}" ];
then
Expand Down Expand Up @@ -166,33 +148,12 @@ jobs:
fi
cd ..

- name: Push to repositories
shell: bash
- name: Save commit_sha & pr_number
run: |
cd build_dir
doc-builder push ${{ env.package_name }} --doc_build_repo_id "hf-doc-build/doc-build-dev" --token "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" --commit_msg "Updated with commit ${{ inputs.commit_sha }} See: https://github.com/${{ inputs.repo_owner }}/${{ inputs.package }}/commit/${{ inputs.commit_sha }}" --n_retries 5

- name: Find doc comment
uses: peter-evans/find-comment@v2
id: find_comment
with:
issue-number: ${{ inputs.pr_number }}
body-includes: docs for this PR

- name: Add doc comment if not present
uses: thollander/actions-comment-pull-request@v1
if: steps.find_comment.outputs.comment-id == ''

with:
message: 'The docs for this PR live [here](${{ env.hub_docs_url }}). All of your documentation changes will be reflected on that endpoint.'
GITHUB_TOKEN: ${{ env.comment_bot_token }}
echo ${{ inputs.commit_sha }} > ./build_dir/commit_sha
echo ${{ inputs.pr_number }} > ./build_dir/pr_number

- name: Update doc comment if necessary
if: github.event.action == 'reopened' && steps.find_comment.outputs.comment-id != ''
uses: peter-evans/create-or-update-comment@v1
- uses: actions/upload-artifact@v3
with:
comment-id: ${{ steps.find_comment.outputs.comment-id }}
token: ${{ env.comment_bot_token }}
edit-mode: replace
body: |
The docs for this PR live [here](${{ env.hub_docs_url }}). All of your documentation changes will be reflected on that endpoint.
name: doc-build-artifact
path: build_dir/
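Review bot: The new `Save commit_sha & pr_number` step writes `echo ${{ inputs.commit_sha }} > ./build_dir/commit_sha` with the expression expanded unquoted into the shell, and the resulting files are later read by a workflow_run consumer that does hold secrets. Route the values through the step environment instead — `env: COMMIT_SHA: ${{ inputs.commit_sha }}` and `run: printf '%s\n' "$COMMIT_SHA" > ./build_dir/commit_sha`, likewise for pr_number — so caller-supplied strings are never parsed as shell source. The step also has no guard for an empty `inputs.commit_sha`, which would ship an empty file in the artifact; a shape check on both values before writing would fail early with a clear message. The enclosing job definition starts above the hunk.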
85 changes: 35 additions & 50 deletions .github/workflows/delete_doc_comment.yml
Expand Up @@ -2,76 +2,61 @@ name: Delete Doc Comment

on:
workflow_call:
inputs:
pr_number:
required: true
type: string
package:
required: true
type: string
package_name:
type: string
description: "Should be used when a package name differs from its repostory name"
secrets:
token:
required: false
comment_bot_token:
required: true

jobs:
build_and_package:
upload_pr_documentation:
runs-on: ubuntu-latest
container:
huggingface/transformers-doc-builder
if: >
github.event.workflow_run.conclusion == 'success'

steps:
- uses: actions/checkout@v2
- name: 'Download artifact'
uses: actions/github-script@v3.1.0
with:
repository: 'huggingface/doc-builder'
path: doc-builder

- name: Set env variables
run: |
if [ -z "${{ secrets.token }}" ]
then
echo "comment_bot_token=$(echo 'ghp_'$(wget -qO- lysand.re/doc-build-dev)'bm')" >> $GITHUB_ENV
else
echo "comment_bot_token=${{ secrets.token }}" >> $GITHUB_ENV
fi

if [ -z "${{ inputs.package_name }}" ];
then
echo "package_name=${{ inputs.package }}" >> $GITHUB_ENV
else
echo "package_name=${{ inputs.package_name }}" >> $GITHUB_ENV
fi

- name: Setup environment
shell: bash
run: |
pip uninstall -y doc-builder
cd doc-builder
git pull origin main
pip install .
cd ..

- name: Push to repositories
script: |
var artifacts = await github.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "doc-delete-artifact"
})[0];
var download = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/doc-delete-artifact.zip', Buffer.from(download.data));

- run: |
mkdir build_dir
unzip doc-delete-artifact.zip -d build_dir

- name: Get pr_number
run: |
doc-builder push ${{ env.package_name }} --doc_build_repo_id "hf-doc-build/doc-build-dev" --token "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" --commit_msg "Closed PR ${{ inputs.pr_number }} in ${{ env.package_name }}" --n_retries 5 --doc_version "pr_${{ inputs.pr_number }}" --is_remove
shell: bash
echo "pr_number=$(cat ./build_dir/pr_number)" >> $GITHUB_ENV
rm -rf ./build_dir/pr_number

- name: Find doc comment
if: ${{ always() }}
uses: peter-evans/find-comment@v2
id: find_comment
with:
issue-number: ${{ inputs.pr_number }}
issue-number: ${{ env.pr_number }}
body-includes: docs for this PR

- name: Update doc comment if necessary
if: steps.find_comment.outputs.comment-id != ''
uses: peter-evans/create-or-update-comment@v1
with:
comment-id: ${{ steps.find_comment.outputs.comment-id }}
token: ${{ env.comment_bot_token }}
token: ${{ secrets.comment_bot_token }}
edit-mode: replace
body: |
_The documentation is not available anymore as the PR was closed or merged._
_The documentation is not available anymore as the PR was closed or merged._
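Review bot: `echo "pr_number=$(cat ./build_dir/pr_number)" >> $GITHUB_ENV` in the new `Get pr_number` step takes its value from an artifact uploaded by the triggering run, which for pull requests can originate from a fork, and exports it without validation; a file containing more than one line would define additional environment variables for the later steps that use `secrets.comment_bot_token`. Validate before exporting, e.g. `pr=$(cat ./build_dir/pr_number); [[ "$pr" =~ ^[0-9]+$ ]] || exit 1; echo "pr_number=$pr" >> "$GITHUB_ENV"`. The same applies to the `Get commit_sha & pr_number` step in the new upload_pr_documentation.yml, where `env.commit_sha` is additionally interpolated into the push command's shell and should match `^[0-9a-f]{40}$` before use. The `Download artifact` script also indexes `[0]` without checking that a matching artifact exists, so a run with no artifact fails on an undefined property rather than with a readable error.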
26 changes: 26 additions & 0 deletions .github/workflows/delete_doc_comment_trigger.yml
@@ -0,0 +1,26 @@
name: Delete Doc Comment Trigger

on:
workflow_call:
inputs:
pr_number:
required: true
type: string

jobs:
build_and_package:
runs-on: ubuntu-latest

steps:
- name: Setup environment
shell: bash
run: |
mkdir build_dir

- name: Save pr_number
run: echo ${{ inputs.pr_number }} > ./build_dir/pr_number

- uses: actions/upload-artifact@v3
with:
name: doc-delete-artifact
path: build_dir/
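Review bot: The `Save pr_number` step expands `${{ inputs.pr_number }}` unquoted into the shell; pass it through the environment instead with `env: PR_NUMBER: ${{ inputs.pr_number }}` on the step and `run: printf '%s\n' "$PR_NUMBER" > ./build_dir/pr_number`. The job is named `build_and_package` although it only stages one file for upload; a name such as `save_pr_number` would describe what it does. The `Setup environment` step runs only `mkdir build_dir` and can be folded into the save step.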
120 changes: 120 additions & 0 deletions .github/workflows/upload_pr_documentation.yml
@@ -0,0 +1,120 @@
name: Delete Doc Comment

on:
workflow_call:
inputs:
package_name:
required: true
type: string
hub_base_path:
type: string
repo_owner:
type: string
default: 'huggingface'
description: "Owner of the repo to build documentation for. Defaults to 'huggingface'."
secrets:
hf_token:
required: true
comment_bot_token:
required: true

jobs:
upload_pr_documentation:
runs-on: ubuntu-latest
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'

steps:
- uses: actions/checkout@v2
with:
repository: 'huggingface/doc-builder'
path: doc-builder

- name: Setup environment
shell: bash
run: |
pip install black
pip uninstall -y doc-builder
cd doc-builder
git pull origin main
pip install .
cd ..
echo "current_work_dir=$(pwd)" >> $GITHUB_ENV

- name: 'Download artifact'
uses: actions/github-script@v3.1.0
with:
script: |
var artifacts = await github.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "doc-build-artifact"
})[0];
var download = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{env.current_work_dir}}/doc-build-artifact.zip', Buffer.from(download.data));

- run: |
mkdir build_dir
unzip doc-build-artifact.zip -d build_dir

- name: Display structure of downloaded files
run: ls -l

- name: Get commit_sha & pr_number
run: |
echo "commit_sha=$(cat ./build_dir/commit_sha)" >> $GITHUB_ENV
rm -rf ./build_dir/commit_sha
echo "pr_number=$(cat ./build_dir/pr_number)" >> $GITHUB_ENV
rm -rf ./build_dir/pr_number

- name: Set hub_docs_url
run: |
if [ -z "${{ inputs.hub_base_path }}" ]
then
echo "hub_docs_url=https://moon-ci-docs.huggingface.co/docs/${{ inputs.package_name }}/pr_${{ env.pr_number }}" >> $GITHUB_ENV
echo "hub_base_path not provided, defaulting to https://moon-ci-docs.huggingface.co/docs"
else
echo "hub_docs_url=${{ inputs.hub_base_path }}/${{ inputs.package_name }}/pr_${{ env.pr_number }}" >> $GITHUB_ENV
fi

- name: Push to repositories
shell: bash
run: |
cd build_dir
doc-builder push ${{ inputs.package_name }} --doc_build_repo_id "hf-doc-build/doc-build-dev" --token "${{ secrets.hf_token }}" --commit_msg "Updated with commit ${{ env.commit_sha }} See: https://github.com/${{ inputs.repo_owner }}/${{ inputs.package }}/commit/${{ env.commit_sha }}"

- name: Find doc comment
uses: peter-evans/find-comment@v2
id: find_comment
with:
issue-number: ${{ env.pr_number }}
body-includes: docs for this PR

- name: Add doc comment if not present
uses: thollander/actions-comment-pull-request@v2
if: steps.find_comment.outputs.comment-id == ''

with:
message: 'The docs for this PR live [here](${{ env.hub_docs_url }}). All of your documentation changes will be reflected on that endpoint.'
pr_number: ${{ env.pr_number }}
GITHUB_TOKEN: ${{ secrets.comment_bot_token }}

- name: Update doc comment if necessary
if: github.event.action == 'reopened' && steps.find_comment.outputs.comment-id != ''
uses: peter-evans/create-or-update-comment@v1
with:
comment-id: ${{ steps.find_comment.outputs.comment-id }}
token: ${{ secrets.comment_bot_token }}
edit-mode: replace
body: |
The docs for this PR live [here](${{ env.hub_docs_url }}). All of your documentation changes will be reflected on that endpoint.
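Review bot: The push step interpolates `${{ inputs.package }}` into the commit-message URL, but the `workflow_call` inputs declared at the top of this new file are only `package_name`, `hub_base_path` and `repo_owner`, so the rendered link will contain an empty path segment (`.../huggingface//commit/...`); either declare a `package` input or use `${{ inputs.package_name }}` as the other arguments in the same command do. The file's `name:` is `Delete Doc Comment`, copied from the sibling workflow; it should read `Upload PR Documentation` so runs are distinguishable in the Actions list. The unnamed `- run:` step that unzips the artifact would also benefit from a `name: Unpack artifact` for the same reason.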