mirror of
https://github.com/EDCD/EDMarketConnector.git
synced 2025-04-12 23:37:14 +03:00
214bed27ee
This is with regards to what happened to another project, ref: <https://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining> Basically, do NOT trust that things like branch names don't contain any attempt at executing shell code if referenced in a workflow segment that runs a shell command.
75 lines
2.3 KiB
YAML
75 lines
2.3 KiB
YAML
---
|
|
name: Submodule Updates
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
logLevel:
|
|
description: 'Log level'
|
|
required: true
|
|
default: 'warning'
|
|
push:
|
|
branches: [develop]
|
|
schedule:
|
|
- cron: '0 12 * * *'
|
|
|
|
jobs:
|
|
check_submodules:
|
|
name: Pull Request for updated submodules
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
PARENT_REPOSITORY: 'EDCD/EDMarketConnector'
|
|
CHECKOUT_BRANCH: 'develop'
|
|
PR_AGAINST_BRANCH: 'develop'
|
|
OWNER: 'EDCD'
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
ref: '${{ env.CHECKOUT_BRANCH }}'
|
|
submodules: true
|
|
|
|
- name: Update submodules
|
|
shell: bash
|
|
run: |
|
|
git config user.name github-actions
|
|
git config user.email github-actions@github.com
|
|
git submodule update --remote
|
|
|
|
- name: Check for changes
|
|
id: check_for_changes
|
|
continue-on-error: true
|
|
run: |
|
|
changes=$(git status --porcelain)
|
|
git status --porcelain
|
|
if [ -n "${changes}" ];
|
|
then
|
|
echo 'changes=true' >> $GITHUB_OUTPUT
|
|
echo "changes_text=${changes}" >> $GITHUB_OUTPUT
|
|
else
|
|
echo 'changes=false' >> $GITHUB_OUTPUT
|
|
fi
|
|
exit 0
|
|
|
|
- name: Create submodules changes branch
|
|
if: steps.check_for_changes.outputs.changes == 'true'
|
|
run: |
|
|
git checkout -b "submodule-change/$GITHUB_RUN_ID" "$CHECKOUT_BRANCH"
|
|
git commit -am "updating submodules"
|
|
git push --set-upstream origin "submodule-change/$GITHUB_RUN_ID"
|
|
|
|
- name: Create pull request against target branch
|
|
if: steps.check_for_changes.outputs.changes == 'true'
|
|
uses: actions/github-script@v7
|
|
with:
|
|
github-token: "${{ secrets.GITHUB_TOKEN }}"
|
|
script: |
|
|
await github.rest.pulls.create({
|
|
owner: '${{ github.repository_owner }}',
|
|
repo: '${{ github.repository }}'.split('/')[1].trim(),
|
|
head: 'submodule-change/${{ github.run_id }}',
|
|
base: '${{ env.PR_AGAINST_BRANCH }}',
|
|
title: `[Auto-generated] Submodule Updates ${process.env.GITHUB_RUN_ID}`,
|
|
body: '${{ steps.check_for_changes.outputs.changes_text }}',
|
|
});
|