44 issue_comment :
55 types : [created]
66
7- permissions :
8- pull-requests : write
7+ permissions : {}
98
109jobs :
1110 trigger :
1211 runs-on : ubuntu-latest
1312 if : github.repository == 'nuxt/nuxt' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
13+ permissions :
14+ issues : write # to add reactions and post comments
15+ pull-requests : read # to read PR data
1416 steps :
1517 - uses : actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
1618 with :
@@ -31,23 +33,24 @@ jobs:
3133 }
3234
3335 if (hasTriagePermission) {
34- console.log('Allowed ')
36+ console.log('User is allowed. Adding +1 reaction. ')
3537 await github.rest.reactions.createForIssueComment({
3638 owner: context.repo.owner,
3739 repo: context.repo.repo,
3840 comment_id: context.payload.comment.id,
3941 content: '+1',
4042 })
4143 } else {
42- console.log('Not allowed')
44+ console.log('User is not allowed. Adding -1 reaction. ')
4345 await github.rest.reactions.createForIssueComment({
4446 owner: context.repo.owner,
4547 repo: context.repo.repo,
4648 comment_id: context.payload.comment.id,
4749 content: '-1',
4850 })
49- throw new Error('not allowed ')
51+ throw new Error('User does not have the necessary permissions. ')
5052 }
53+
5154 - uses : actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
5255 id : get-pr-data
5356 with :
@@ -58,17 +61,52 @@ jobs:
5861 repo: context.repo.repo,
5962 pull_number: context.issue.number
6063 })
64+
65+ const commentCreatedAt = new Date(context.payload.comment.created_at)
66+ const commitPushedAt = new Date(pr.head.repo.pushed_at)
67+
68+ console.log(`Comment created at: ${commentCreatedAt.toISOString()}`)
69+ console.log(`PR last pushed at: ${commitPushedAt.toISOString()}`)
70+
71+ // Check if any commits were pushed after the comment was created
72+ if (commitPushedAt > commentCreatedAt) {
73+ const errorMsg = [
74+ '⚠️ Security warning: PR was updated after the trigger command was posted.',
75+ '',
76+ `Comment posted at: ${commentCreatedAt.toISOString()}`,
77+ `PR last pushed at: ${commitPushedAt.toISOString()}`,
78+ '',
79+ 'This could indicate an attempt to inject code after approval.',
80+ 'Please review the latest changes and re-run /ecosystem-ci run if they are acceptable.'
81+ ].join('\n')
82+
83+ core.setFailed(errorMsg)
84+
85+ await github.rest.issues.createComment({
86+ owner: context.repo.owner,
87+ repo: context.repo.repo,
88+ issue_number: context.issue.number,
89+ body: errorMsg
90+ })
91+
92+ throw new Error('PR was pushed to after comment was created')
93+ }
94+
95+ core.setOutput('head_sha', pr.head.sha)
6196 return {
6297 num: context.issue.number,
6398 branchName: pr.head.ref,
99+ commit: pr.head.sha,
64100 repo: pr.head.repo.full_name
65101 }
102+
66103 - id : generate-token
67104 uses : tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
68105 with :
69106 app_id : ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
70107 private_key : ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
71108 installation_retrieval_payload : " ${{ github.repository_owner }}/ecosystem-ci"
109+
72110 - uses : actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
73111 id : trigger
74112 env :
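Review bot: The freshness check introduced at `const commitPushedAt = new Date(pr.head.repo.pushed_at)` reads the head repository's last push time, which covers every branch of that fork, so a push to an unrelated branch after the `/ecosystem-ci run` comment will trip the "Security warning" path, while a push landing in the same second as the comment is not caught; it is a heuristic, not the pin. The actual control in this hunk is returning `commit: pr.head.sha`, so the consumer in the `trigger` step (outside this hunk) must check out that SHA rather than `branchName`; I would state that above the check, e.g. `// Heuristic only: pushed_at is repo-wide (any branch of the fork). The SHA returned as 'commit' is the authoritative pin; downstream must build that SHA, not the branch.`. `core.setFailed(errorMsg)` followed by `throw new Error('PR was pushed to after comment was created')` reports the failure twice with two different messages; throwing the detailed `errorMsg` (or calling `core.setFailed` and returning) would be cleaner. `pr.head.repo` is nullable for PRs whose fork was deleted, though the pre-existing `repo: pr.head.repo.full_name` line already assumed it is present, so that is not new to this change.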
91129 prNumber: '' + prData.num,
92130 branchName: prData.branchName,
93131 repo: prData.repo,
132+ commit: prData.commit,
94133 suite: suite === '' ? '-' : suite
95134 }
96135 })