rpc server: fix deny unsafe on RpcMethods::Auto #987
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Command | |
on: | |
issue_comment: # listen for comments on issues | |
types: [created] | |
permissions: # allow the action to comment on the PR | |
contents: write | |
issues: write | |
pull-requests: write | |
actions: read | |
jobs: | |
is-org-member: | |
if: startsWith(github.event.comment.body, '/cmd') | |
runs-on: ubuntu-latest | |
outputs: | |
member: ${{ steps.is-member.outputs.result }} | |
steps: | |
- name: Generate token | |
id: generate_token | |
uses: tibdex/github-app-token@v2.1.0 | |
with: | |
app_id: ${{ secrets.CMD_BOT_APP_ID }} | |
private_key: ${{ secrets.CMD_BOT_APP_KEY }} | |
- name: Check if user is a member of the organization | |
id: is-member | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ steps.generate_token.outputs.token }} | |
result-encoding: string | |
script: | | |
const fs = require("fs"); | |
try { | |
const org = '${{ github.event.repository.owner.login }}'; | |
const username = '${{ github.event.comment.user.login }}'; | |
const membership = await github.rest.orgs.checkMembershipForUser({ | |
org: org, | |
username: username | |
}); | |
console.log(membership, membership.status, membership.status === 204); | |
if (membership.status === 204) { | |
return 'true'; | |
} else { | |
console.log(membership); | |
fs.appendFileSync(process.env["GITHUB_STEP_SUMMARY"], `${membership.data && membership.data.message || 'Unknown error happened, please check logs'}`); | |
} | |
} catch (error) { | |
console.log(error) | |
} | |
return 'false'; | |
reject-non-members: | |
needs: is-org-member | |
if: ${{ startsWith(github.event.comment.body, '/cmd') && needs.is-org-member.outputs.member != 'true' }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Add reaction to rejected comment | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.reactions.createForIssueComment({ | |
comment_id: ${{ github.event.comment.id }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
content: 'confused' | |
}) | |
- name: Comment PR (Rejected) | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: `Sorry, only members of the organization ${{ github.event.repository.owner.login }} members can run commands.` | |
}) | |
acknowledge: | |
needs: is-org-member | |
if: ${{ startsWith(github.event.comment.body, '/cmd') && needs.is-org-member.outputs.member == 'true' }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Add reaction to triggered comment | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.reactions.createForIssueComment({ | |
comment_id: ${{ github.event.comment.id }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
content: 'eyes' | |
}) | |
clean: | |
needs: is-org-member | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clean previous comments | |
if: ${{ startsWith(github.event.comment.body, '/cmd') && contains(github.event.comment.body, '--clean') && needs.is-org-member.outputs.member == 'true' }} | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.issues.listComments({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo | |
}).then(comments => { | |
for (let comment of comments.data) { | |
console.log(comment) | |
if ( | |
${{ github.event.comment.id }} !== comment.id && | |
( | |
( | |
( | |
comment.body.startsWith('Command') || | |
comment.body.startsWith('<details><summary>Command') || | |
comment.body.startsWith('Sorry, only ') | |
) && comment.user.type === 'Bot' | |
) || | |
(comment.body.startsWith('/cmd') && comment.user.login === context.actor) | |
) | |
) { | |
github.rest.issues.deleteComment({ | |
comment_id: comment.id, | |
owner: context.repo.owner, | |
repo: context.repo.repo | |
}) | |
} | |
} | |
}) | |
help: | |
needs: [clean, is-org-member] | |
if: ${{ startsWith(github.event.comment.body, '/cmd') && contains(github.event.comment.body, '--help') && needs.is-org-member.outputs.member == 'true' }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Get command | |
uses: actions-ecosystem/action-regex-match@v2 | |
id: get-pr-comment | |
with: | |
text: ${{ github.event.comment.body }} | |
regex: '^(\/cmd )([-\/\s\w.=:]+)$' # see explanation in docs/contributor/commands-readme.md#examples | |
- name: Save output of help | |
id: help | |
env: | |
CMD: ${{ steps.get-pr-comment.outputs.group2 }} # to avoid "" around the command | |
run: | | |
echo 'help<<EOF' >> $GITHUB_OUTPUT | |
python3 -m pip install -r .github/scripts/generate-prdoc.requirements.txt | |
python3 .github/scripts/cmd/cmd.py $CMD >> $GITHUB_OUTPUT | |
echo 'EOF' >> $GITHUB_OUTPUT | |
- name: Comment PR (Help) | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: `<details><summary>Command help:</summary> | |
\`\`\` | |
${{ steps.help.outputs.help }} | |
\`\`\` | |
</details>` | |
}) | |
- name: Add confused reaction on failure | |
uses: actions/github-script@v7 | |
if: ${{ failure() }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.reactions.createForIssueComment({ | |
comment_id: ${{ github.event.comment.id }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
content: 'confused' | |
}) | |
- name: Add π reaction on success | |
uses: actions/github-script@v7 | |
if: ${{ !failure() }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.reactions.createForIssueComment({ | |
comment_id: ${{ github.event.comment.id }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
content: '+1' | |
}) | |
set-image: | |
needs: [clean, is-org-member] | |
if: ${{ startsWith(github.event.comment.body, '/cmd') && !contains(github.event.comment.body, '--help') && needs.is-org-member.outputs.member == 'true' }} | |
runs-on: ubuntu-latest | |
outputs: | |
IMAGE: ${{ steps.set-image.outputs.IMAGE }} | |
RUNNER: ${{ steps.set-image.outputs.RUNNER }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- id: set-image | |
run: | | |
BODY=$(echo "${{ github.event.comment.body }}" | xargs) | |
IMAGE_OVERRIDE=$(echo $BODY | grep -oe 'docker.io/paritytech/ci-unified:.*\s' | xargs) | |
cat .github/env >> $GITHUB_OUTPUT | |
if [ -n "$IMAGE_OVERRIDE" ]; then | |
echo "IMAGE=$IMAGE_OVERRIDE" >> $GITHUB_OUTPUT | |
fi | |
if [[ $BODY == "/cmd bench"* ]]; then | |
echo "RUNNER=arc-runners-polkadot-sdk-benchmark" >> $GITHUB_OUTPUT | |
elif [[ $BODY == "/cmd update-ui"* ]]; then | |
echo "RUNNER=arc-runners-polkadot-sdk-beefy" >> $GITHUB_OUTPUT | |
else | |
echo "RUNNER=ubuntu-latest" >> $GITHUB_OUTPUT | |
fi | |
# Get PR branch name, because the issue_comment event does not contain the PR branch name | |
get-pr-branch: | |
needs: [set-image] | |
runs-on: ubuntu-latest | |
outputs: | |
pr-branch: ${{ steps.get-pr.outputs.pr_branch }} | |
repo: ${{ steps.get-pr.outputs.repo }} | |
steps: | |
- name: Check if the issue is a PR | |
id: check-pr | |
run: | | |
if [ -n "${{ github.event.issue.pull_request.url }}" ]; then | |
echo "This is a pull request comment" | |
else | |
echo "This is not a pull request comment" | |
exit 1 | |
fi | |
- name: Get PR Branch Name and Repo | |
if: steps.check-pr.outcome == 'success' | |
id: get-pr | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
const pr = await github.rest.pulls.get({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
pull_number: context.issue.number, | |
}); | |
const prBranch = pr.data.head.ref; | |
const repo = pr.data.head.repo.full_name; | |
console.log(prBranch, repo) | |
core.setOutput('pr_branch', prBranch); | |
core.setOutput('repo', repo); | |
- name: Use PR Branch Name and Repo | |
run: | | |
echo "The PR branch is ${{ steps.get-pr.outputs.pr_branch }}" | |
echo "The repository is ${{ steps.get-pr.outputs.repo }}" | |
cmd: | |
needs: [set-image, get-pr-branch] | |
env: | |
JOB_NAME: "cmd" | |
runs-on: ${{ needs.set-image.outputs.RUNNER }} | |
container: | |
image: ${{ needs.set-image.outputs.IMAGE }} | |
steps: | |
- name: Get command | |
uses: actions-ecosystem/action-regex-match@v2 | |
id: get-pr-comment | |
with: | |
text: ${{ github.event.comment.body }} | |
regex: '^(\/cmd )([-\/\s\w.=:]+)$' # see explanation in docs/contributor/commands-readme.md#examples | |
- name: Build workflow link | |
if: ${{ !contains(github.event.comment.body, '--quiet') }} | |
id: build-link | |
run: | | |
# Get exactly the CMD job link, filtering out the other jobs | |
jobLink=$(curl -s \ | |
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
-H "Accept: application/vnd.github.v3+json" \ | |
https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/jobs | jq '.jobs[] | select(.name | contains("${{ env.JOB_NAME }}")) | .html_url') | |
runLink=$(curl -s \ | |
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
-H "Accept: application/vnd.github.v3+json" \ | |
https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }} | jq '.html_url') | |
echo "job_url=${jobLink}" | |
echo "run_url=${runLink}" | |
echo "job_url=$jobLink" >> $GITHUB_OUTPUT | |
echo "run_url=$runLink" >> $GITHUB_OUTPUT | |
- name: Comment PR (Start) | |
if: ${{ !contains(github.event.comment.body, '--quiet') }} | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
let job_url = ${{ steps.build-link.outputs.job_url }} | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: `Command "${{ steps.get-pr-comment.outputs.group2 }}" has started π [See logs here](${job_url})` | |
}) | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
repository: ${{ needs.get-pr-branch.outputs.repo }} | |
ref: ${{ needs.get-pr-branch.outputs.pr-branch }} | |
- name: Install dependencies for bench | |
if: startsWith(steps.get-pr-comment.outputs.group2, 'bench') | |
run: cargo install subweight frame-omni-bencher --locked | |
- name: Run cmd | |
id: cmd | |
env: | |
CMD: ${{ steps.get-pr-comment.outputs.group2 }} # to avoid "" around the command | |
run: | | |
echo "Running command: '$CMD' on '${{ needs.set-image.outputs.RUNNER }}' runner, container: '${{ needs.set-image.outputs.IMAGE }}'" | |
echo "RUST_NIGHTLY_VERSION: $RUST_NIGHTLY_VERSION" | |
# Fixes "detected dubious ownership" error in the ci | |
git config --global --add safe.directory '*' | |
git remote -v | |
python3 -m pip install -r .github/scripts/generate-prdoc.requirements.txt | |
python3 .github/scripts/cmd/cmd.py $CMD | |
git status | |
git diff | |
- name: Commit changes | |
run: | | |
if [ -n "$(git status --porcelain)" ]; then | |
git config --local user.email "action@github.com" | |
git config --local user.name "GitHub Action" | |
git add . | |
git restore --staged Cargo.lock # ignore changes in Cargo.lock | |
git commit -m "Update from ${{ github.actor }} running command '${{ steps.get-pr-comment.outputs.group2 }}'" || true | |
git pull --rebase origin ${{ needs.get-pr-branch.outputs.pr-branch }} | |
git push origin ${{ needs.get-pr-branch.outputs.pr-branch }} | |
else | |
echo "Nothing to commit"; | |
fi | |
- name: Run Subweight | |
id: subweight | |
if: startsWith(steps.get-pr-comment.outputs.group2, 'bench') | |
shell: bash | |
run: | | |
git fetch | |
result=$(subweight compare commits \ | |
--path-pattern "./**/weights/**/*.rs,./**/weights.rs" \ | |
--method asymptotic \ | |
--format markdown \ | |
--no-color \ | |
--change added changed \ | |
--ignore-errors \ | |
refs/remotes/origin/master refs/heads/${{ needs.get-pr-branch.outputs.pr-branch }}) | |
# Save the multiline result to the output | |
{ | |
echo "result<<EOF" | |
echo "$result" | |
echo "EOF" | |
} >> $GITHUB_OUTPUT | |
- name: Comment PR (End) | |
if: ${{ !failure() && !contains(github.event.comment.body, '--quiet') }} | |
uses: actions/github-script@v7 | |
env: | |
SUBWEIGHT: "${{ steps.subweight.outputs.result }}" | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
let runUrl = ${{ steps.build-link.outputs.run_url }} | |
let subweight = process.env.SUBWEIGHT; | |
let subweightCollapsed = subweight | |
? `<details>\n\n<summary>Subweight results:</summary>\n\n${subweight}\n\n</details>` | |
: ''; | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: `Command "${{ steps.get-pr-comment.outputs.group2 }}" has finished β [See logs here](${runUrl})${subweightCollapsed}` | |
}) | |
- name: Comment PR (Failure) | |
if: ${{ failure() && !contains(github.event.comment.body, '--quiet') }} | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
let jobUrl = ${{ steps.build-link.outputs.job_url }} | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: `Command "${{ steps.get-pr-comment.outputs.group2 }}" has failed β! [See logs here](${jobUrl})` | |
}) | |
- name: Add π reaction on failure | |
uses: actions/github-script@v7 | |
if: ${{ failure() }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.reactions.createForIssueComment({ | |
comment_id: ${{ github.event.comment.id }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
content: 'confused' | |
}) | |
- name: Add π reaction on success | |
uses: actions/github-script@v7 | |
if: ${{ !failure() }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.reactions.createForIssueComment({ | |
comment_id: ${{ github.event.comment.id }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
content: '+1' | |
}) |