Roberto Jiménez Sánchez
9b3b6fcdb2
Replace github.actor with github.event.pull_request.user.login to prevent actor context spoofing in pull requests from forks. This ensures only genuine Dependabot PRs can trigger the workspace update workflow. Fixes zizmor security finding with Medium confidence level. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude <noreply@anthropic.com>
70 lines
2.2 KiB
YAML
70 lines
2.2 KiB
YAML
name: "Update Go Workspace for Dependabot PRs"
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
paths:
|
|
- .github/workflows/pr-dependabot-update-go-workspace.yml
|
|
- go.mod
|
|
- go.sum
|
|
- go.work
|
|
- go.work.sum
|
|
- '**/go.mod'
|
|
- '**/go.sum'
|
|
- '**.go'
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
jobs:
|
|
update:
|
|
runs-on: "ubuntu-latest"
|
|
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
|
|
continue-on-error: true
|
|
steps:
|
|
- name: Retrieve GitHub App secrets
|
|
id: get-secrets
|
|
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
|
|
with:
|
|
repo_secrets: |
|
|
APP_ID=grafana-go-workspace-bot:app-id
|
|
APP_INSTALLATION_ID=grafana-go-workspace-bot:app-installation-id
|
|
PRIVATE_KEY=grafana-go-workspace-bot:private-key
|
|
|
|
- name: Generate GitHub App token
|
|
id: generate_token
|
|
uses: actions/create-github-app-token@v1
|
|
with:
|
|
app-id: ${{ env.APP_ID }}
|
|
private-key: ${{ env.PRIVATE_KEY }}
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
|
ref: ${{ github.event.pull_request.head.ref }}
|
|
token: ${{ steps.generate_token.outputs.token }}
|
|
persist-credentials: false
|
|
|
|
- name: Set go version
|
|
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
|
|
with:
|
|
go-version-file: go.mod
|
|
|
|
- name: Configure Git
|
|
run: |
|
|
git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
git config --local user.name "github-actions[bot]"
|
|
git config --local --add --bool push.autoSetupRemote true
|
|
|
|
- name: Update workspace
|
|
run: make update-workspace
|
|
|
|
- name: Commit and push workspace changes
|
|
env:
|
|
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
|
|
run: |
|
|
if ! git diff --exit-code --quiet; then
|
|
echo "Committing and pushing workspace changes"
|
|
git commit -a -m "update workspace"
|
|
git push origin "$BRANCH_NAME"
|
|
fi
|