mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-04-27 11:31:05 +00:00
a678046d13
A popular third-party action has recently been compromised [1][2] and the attacker managed to point multiple git version tags to a malicious commit containing code to exfiltrate secrets. This PR follows GitHub's recommendation [3] to pin third-party actions to a full-length commit hash, to mitigate such attacks. Hopefully actionlint starts warning about this soon [4]. [1] https://www.cve.org/CVERecord?id=CVE-2025-30066 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions [4] https://github.com/rhysd/actionlint/pull/436 Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
102 lines
4.4 KiB
YAML
102 lines
4.4 KiB
YAML
name: Commit Message Check
|
|
on:
|
|
pull_request:
|
|
types:
|
|
- opened
|
|
- reopened
|
|
- synchronize
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
error_msg: |+
|
|
See the document below for help on formatting commits for the project.
|
|
|
|
https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
|
|
|
|
jobs:
|
|
commit-message-check:
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
|
|
name: Commit Message Check
|
|
steps:
|
|
- name: Get PR Commits
|
|
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
|
|
id: 'get-pr-commits'
|
|
uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# Filter out revert commits
|
|
# The format of a revert commit is as follows:
|
|
#
|
|
# Revert "<original-subject-line>"
|
|
#
|
|
# The format of a re-re-vert commit as follows:
|
|
#
|
|
# Reapply "<original-subject-line>"
|
|
filter_out_pattern: '^Revert "|^Reapply "'
|
|
|
|
- name: DCO Check
|
|
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
|
|
uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
|
|
with:
|
|
commits: ${{ steps.get-pr-commits.outputs.commits }}
|
|
|
|
- name: Commit Body Missing Check
|
|
if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
|
|
uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2
|
|
with:
|
|
commits: ${{ steps.get-pr-commits.outputs.commits }}
|
|
|
|
- name: Check Subject Line Length
|
|
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
|
|
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
|
|
with:
|
|
commits: ${{ steps.get-pr-commits.outputs.commits }}
|
|
pattern: '^.{0,75}(\n.*)*$'
|
|
error: 'Subject too long (max 75)'
|
|
post_error: ${{ env.error_msg }}
|
|
|
|
- name: Check Body Line Length
|
|
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
|
|
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
|
|
with:
|
|
commits: ${{ steps.get-pr-commits.outputs.commits }}
|
|
# Notes:
|
|
#
|
|
# - The subject line is not enforced here (see other check), but has
|
|
# to be specified at the start of the regex as the action is passed
|
|
# the entire commit message.
|
|
#
|
|
# - This check will pass if the commit message only contains a subject
|
|
# line, as other body message properties are enforced elsewhere.
|
|
#
|
|
# - Body lines *can* be longer than the maximum if they start
|
|
# with a non-alphabetic character or if there is no whitespace in
|
|
# the line.
|
|
#
|
|
# This allows stack traces, log files snippets, emails, long URLs,
|
|
# etc to be specified. Some of these naturally "work" as they start
|
|
# with numeric timestamps or addresses. Emails can but quoted using
|
|
# the normal ">" character, markdown bullets ("-", "*") are also
|
|
# useful for lists of URLs, but it is always possible to override
|
|
# the check by simply space indenting the content you need to add.
|
|
#
|
|
# - A SoB comment can be any length (as it is unreasonable to penalise
|
|
# people with long names/email addresses :)
|
|
pattern: '(^[^\n]+$|^.+(\n([a-zA-Z].{0,150}|[^a-zA-Z\n].*|[^\s\n]*|Signed-off-by:.*|))+$)'
|
|
error: 'Body line too long (max 150)'
|
|
post_error: ${{ env.error_msg }}
|
|
|
|
- name: Check Subsystem
|
|
if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
|
|
uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
|
|
with:
|
|
commits: ${{ steps.get-pr-commits.outputs.commits }}
|
|
pattern: '^[\s\t]*[^:\s\t]+[\s\t]*:'
|
|
error: 'Failed to find subsystem in subject'
|
|
post_error: ${{ env.error_msg }}
|