actions · ericsciple · May 21, 2020 · May 20, 2020
diff --git a/dist/index.js b/dist/index.js
@@ -3359,7 +3359,7 @@ module.exports = {"name":"@octokit/rest","version":"16.43.1","publishConfig":{"a
 /***/ }),
 
 /***/ 227:
-/***/ (function(__unusedmodule, exports) {
+/***/ (function(__unusedmodule, exports, __webpack_require__) {
 
 "use strict";
 
@@ -3372,7 +3372,17 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    result["default"] = mod;
+    return result;
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+const url_1 = __webpack_require__(835);
+const core = __importStar(__webpack_require__(470));
+const github = __importStar(__webpack_require__(469));
 function getCheckoutInfo(git, ref, commit) {
     return __awaiter(this, void 0, void 0, function* () {
         if (!git) {
@@ -3468,6 +3478,85 @@ function getRefSpec(ref, commit) {
     }
 }
 exports.getRefSpec = getRefSpec;
+function checkCommitInfo(token, commitInfo, repositoryOwner, repositoryName, ref, commit) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            // GHES?
+            if (isGhes()) {
+                return;
+            }
+            // Auth token?
+            if (!token) {
+                return;
+            }
+            // Public PR synchronize, for workflow repo?
+            if (fromPayload('repository.private') !== false ||
+                github.context.eventName !== 'pull_request' ||
+                fromPayload('action') !== 'synchronize' ||
+                repositoryOwner !== github.context.repo.owner ||
+                repositoryName !== github.context.repo.repo ||
+                ref !== github.context.ref ||
+                !ref.startsWith('refs/pull/') ||
+                commit !== github.context.sha) {
+                return;
+            }
+            // Head SHA
+            const expectedHeadSha = fromPayload('after');
+            if (!expectedHeadSha) {
+                core.debug('Unable to determine head sha');
+                return;
+            }
+            // Base SHA
+            const expectedBaseSha = fromPayload('pull_request.base.sha');
+            if (!expectedBaseSha) {
+                core.debug('Unable to determine base sha');
+                return;
+            }
+            // Expected message?
+            const expectedMessage = `Merge ${expectedHeadSha} into ${expectedBaseSha}`;
+            if (commitInfo.indexOf(expectedMessage) >= 0) {
+                return;
+            }
+            // Extract details from message
+            const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/);
+            if (!match) {
+                core.debug('Unexpected message format');
+                return;
+            }
+            // Post telemetry
+            const actualHeadSha = match[1];
+            if (actualHeadSha !== expectedHeadSha) {
+                core.debug(`Expected head sha ${expectedHeadSha}; actual head sha ${actualHeadSha}`);
+                const octokit = new github.GitHub(token, {
+                    userAgent: `actions-checkout-tracepoint/1.0 (code=STALE_MERGE;owner=${repositoryOwner};repo=${repositoryName};pr=${fromPayload('number')};run_id=${process.env['GITHUB_RUN_ID']};expected_head_sha=${expectedHeadSha};actual_head_sha=${actualHeadSha})`
+                });
+                yield octokit.repos.get({ owner: repositoryOwner, repo: repositoryName });
+            }
+        }
+        catch (err) {
+            core.debug(`Error when validating commit info: ${err.stack}`);
+        }
+    });
+}
+exports.checkCommitInfo = checkCommitInfo;
+function fromPayload(path) {
+    return select(github.context.payload, path);
+}
+function select(obj, path) {
+    if (!obj) {
+        return undefined;
+    }
+    const i = path.indexOf('.');
+    if (i < 0) {
+        return obj[path];
+    }
+    const key = path.substr(0, i);
+    return select(obj[key], path.substr(i + 1));
+}
+function isGhes() {
+    const ghUrl = new url_1.URL(process.env['GITHUB_SERVER_URL'] || 'https://github.com');
+    return ghUrl.hostname.toUpperCase() !== 'GITHUB.COM';
+}
 
 
 /***/ }),
@@ -5718,7 +5807,8 @@ class GitCommandManager {
     }
     log1() {
         return __awaiter(this, void 0, void 0, function* () {
-            yield this.execGit(['log', '-1']);
+            const output = yield this.execGit(['log', '-1']);
+            return output.stdout;
         });
     }
     remoteAdd(remoteName, remoteUrl) {
@@ -6057,7 +6147,9 @@ function getSource(settings) {
                 }
             }
             // Dump some info about the checked out commit
-            yield git.log1();
+            const commitInfo = yield git.log1();
+            // Check for incorrect pull request merge commit
+            yield refHelper.checkCommitInfo(settings.authToken, commitInfo, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit);
         }
         finally {
             // Remove auth

diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts
@@ -29,7 +29,7 @@ export interface IGitCommandManager {
   isDetached(): Promise<boolean>
   lfsFetch(ref: string): Promise<void>
   lfsInstall(): Promise<void>
-  log1(): Promise<void>
+  log1(): Promise<string>
   remoteAdd(remoteName: string, remoteUrl: string): Promise<void>
   removeEnvironmentVariable(name: string): void
   setEnvironmentVariable(name: string, value: string): void
@@ -225,8 +225,9 @@ class GitCommandManager {
     await this.execGit(['lfs', 'install', '--local'])
   }
 
-  async log1(): Promise<void> {
-    await this.execGit(['log', '-1'])
+  async log1(): Promise<string> {
+    const output = await this.execGit(['log', '-1'])
+    return output.stdout
   }
 
   async remoteAdd(remoteName: string, remoteUrl: string): Promise<void> {

diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts
@@ -170,7 +170,17 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     }
 
     // Dump some info about the checked out commit
-    await git.log1()
+    const commitInfo = await git.log1()
+
+    // Check for incorrect pull request merge commit
+    await refHelper.checkCommitInfo(
+      settings.authToken,
+      commitInfo,
+      settings.repositoryOwner,
+      settings.repositoryName,
+      settings.ref,
+      settings.commit
+    )
   } finally {
     // Remove auth
     if (!settings.persistCredentials) {

diff --git a/src/ref-helper.ts b/src/ref-helper.ts
@@ -1,4 +1,7 @@
+import {URL} from 'url'
 import {IGitCommandManager} from './git-command-manager'
+import * as core from '@actions/core'
+import * as github from '@actions/github'
 
 export interface ICheckoutInfo {
   ref: string
@@ -107,3 +110,108 @@ export function getRefSpec(ref: string, commit: string): string[] {
     return [`+${ref}:${ref}`]
   }
 }
+
+export async function checkCommitInfo(
+  token: string,
+  commitInfo: string,
+  repositoryOwner: string,
+  repositoryName: string,
+  ref: string,
+  commit: string
+): Promise<void> {
+  try {
+    // GHES?
+    if (isGhes()) {
+      return
+    }
+
+    // Auth token?
+    if (!token) {
+      return
+    }
+
+    // Public PR synchronize, for workflow repo?
+    if (
+      fromPayload('repository.private') !== false ||
+      github.context.eventName !== 'pull_request' ||
+      fromPayload('action') !== 'synchronize' ||
+      repositoryOwner !== github.context.repo.owner ||
+      repositoryName !== github.context.repo.repo ||
+      ref !== github.context.ref ||
+      !ref.startsWith('refs/pull/') ||
+      commit !== github.context.sha
+    ) {
+      return
+    }
+
+    // Head SHA
+    const expectedHeadSha = fromPayload('after')
+    if (!expectedHeadSha) {
+      core.debug('Unable to determine head sha')
+      return
+    }
+
+    // Base SHA
+    const expectedBaseSha = fromPayload('pull_request.base.sha')
+    if (!expectedBaseSha) {
+      core.debug('Unable to determine base sha')
+      return
+    }
+
+    // Expected message?
+    const expectedMessage = `Merge ${expectedHeadSha} into ${expectedBaseSha}`
+    if (commitInfo.indexOf(expectedMessage) >= 0) {
+      return
+    }
+
+    // Extract details from message
+    const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
+    if (!match) {
+      core.debug('Unexpected message format')
+      return
+    }
+
+    // Post telemetry
+    const actualHeadSha = match[1]
+    if (actualHeadSha !== expectedHeadSha) {
+      core.debug(
+        `Expected head sha ${expectedHeadSha}; actual head sha ${actualHeadSha}`
+      )
+      const octokit = new github.GitHub(token, {
+        userAgent: `actions-checkout-tracepoint/1.0 (code=STALE_MERGE;owner=${repositoryOwner};repo=${repositoryName};pr=${fromPayload(
+          'number'
+        )};run_id=${
+          process.env['GITHUB_RUN_ID']
+        };expected_head_sha=${expectedHeadSha};actual_head_sha=${actualHeadSha})`
+      })
+      await octokit.repos.get({owner: repositoryOwner, repo: repositoryName})
+    }
+  } catch (err) {
+    core.debug(`Error when validating commit info: ${err.stack}`)
+  }
+}
+
+function fromPayload(path: string): any {
+  return select(github.context.payload, path)
+}
+
+function select(obj: any, path: string): any {
+  if (!obj) {
+    return undefined
+  }
+
+  const i = path.indexOf('.')
+  if (i < 0) {
+    return obj[path]
+  }
+
+  const key = path.substr(0, i)
+  return select(obj[key], path.substr(i + 1))
+}
+
+function isGhes(): boolean {
+  const ghUrl = new URL(
+    process.env['GITHUB_SERVER_URL'] || 'https://github.com'
+  )
+  return ghUrl.hostname.toUpperCase() !== 'GITHUB.COM'
+}