From 613afc1d75c117d689cfc2d1d7341a649a9c1dba Mon Sep 17 00:00:00 2001
From: Lucas Nicodemus
Date: Sun, 23 May 2021 12:23:08 -0700
Subject: [PATCH 1/2] Use Cardinal for danger CI

This change uses Cardinal's PAT for GitHub Actions CI. The way this works is very convoluted, but it makes sense in theory. 1. Cardinal is a member of the Pryaxis org, in a group called "untrusted robots." She has write access to Pryaxis/TShock, so she can create status messages. This is because GitHub only allows status messages to be created if a user has write access. 2. Cardinal has a PAT, and that PAT only has access to creating repository status messages. 3. Danger requires permission to post comments and update CI status. 4. Cardinal's PAT is only authorized to create repo status messages, and cannot privilege escalate. 5. GitHub implicitly gives everyone the ability to post comments on public repositories. Thus, this really interesting and weird flow should mean that Cardinal can post comments and update status messages, by having write access but functionally being unable to use it. At least, that's the theory.
---
 .github/workflows/danger.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
index fc662d0c..1afb25f7 100644
--- a/.github/workflows/danger.yml
+++ b/.github/workflows/danger.yml
@@ -1,7 +1,7 @@
 name: Danger
 on:
 workflow_dispatch:
- pull_request_target:
+ pull_request:
 types: [synchronize, edited, opened, reopened]
 jobs:
 run:
@@ -17,5 +17,5 @@ jobs:
 sudo gem install danger
 - name: Run danger
 env:
- DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ DANGER_GITHUB_API_TOKEN: ${{ secrets.CARDINAL_PAT_CI_STATUS }}
 run: danger
From 8611742286686434e14068806e056383477fe42f Mon Sep 17 00:00:00 2001
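Review bot: With the `pull_request` trigger introduced in the first hunk, a run for a pull request opened from a fork does not receive repository secrets, so in the second hunk `DANGER_GITHUB_API_TOKEN: ${{ secrets.CARDINAL_PAT_CI_STATUS }}` will presumably be empty for fork PRs and the `danger` step will fail instead of posting its status. That is the safe failure mode — the removed `pull_request_target` trigger runs in the base repository's context with secrets available, so combined with a checkout of the PR head it would have handed the token to the PR's own code — but the trade-off is not recorded anywhere in the file. A comment above `pull_request:` such as `# pull_request, not pull_request_target: the PAT used below must never reach a fork's code; fork PRs therefore run Danger without a token` would stop the next editor from switching the trigger back for the sake of fork PRs. The `on:` mapping and the `steps:` sequence both continue outside these two hunks.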
From: Lucas Nicodemus
Date: Sun, 23 May 2021 12:59:21 -0700
Subject: [PATCH 2/2] Switch to entirely new action for changelog check

Look, let's just be real here: GitHub needs to redo the entire permission model for GitHub. There is no way to create a secure combination of the following elements: post comment, edit comment, and post status check. If you want to be able to post comments, you have to authorize a token or app to have full authority to do literally anything that the user can do on a public repo. Full stop. If you want to post a status check, you have to give the user write access to the entire repo, which makes the first issue a problem. You can't just explicitly make a token that says "only allow this user to post and edit its own comments" and "allow this user to post status checks" because write access on the repo implies authority over all other issues/PRs opened by other people. Now Cardinal's token is restricted to just status checks, and we're using a different action. Thanks a ton for the huge mess Github.
---
 .github/workflows/danger.yml | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
index 1afb25f7..f7dd8cc2 100644
--- a/.github/workflows/danger.yml
+++ b/.github/workflows/danger.yml
@@ -4,18 +4,19 @@ on:
 pull_request:
 types: [synchronize, edited, opened, reopened]
 jobs:
- run:
- name: Run danger checks
+ build:
+ name: Run changelog check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- with:
- fetch-depth: 100
- submodules: 'recursive'
- - name: Install danger
- run: |
- sudo gem install danger
- - name: Run danger
- env:
- DANGER_GITHUB_API_TOKEN: ${{ secrets.CARDINAL_PAT_CI_STATUS }}
- run: danger
+ - uses: actions/checkout@v2
+ with:
+ submodules: 'recursive'
+ - name: Changelog check
+ uses: Zomzog/changelog-checker@564f4aa7a062e7498bd253f616569f02fb024c06
+ with:
+ fileName: CHANGELOG.md
+ noChangelogLabel: Blocked
+ checkNotification: Simple
+ env:
+ GITHUB_TOKEN: ${{ secrets.CARDINAL_PAT_CI_STATUS }}
+
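Review bot: The new `steps` pin `Zomzog/changelog-checker` to a full commit SHA but leave `actions/checkout@v2` on a mutable tag, so the two third-party actions in this job get different supply-chain treatment; pin checkout the same way, `- uses: actions/checkout@<full commit SHA of the v2 release>  # v2`, and a one-line comment on the checker step saying it is SHA-pinned because it receives the PAT would make the intent explicit. Separately, the PAT in `GITHUB_TOKEN: ${{ secrets.CARDINAL_PAT_CI_STATUS }}` is not passed to `pull_request` runs from forks, so for fork PRs the check will presumably run with an empty token and fail before it can report a status; if that is accepted, say so in a comment next to the `env:` block. The final `+` appears to add an empty line after the `env:` mapping, which yamllint's `empty-lines` rule will flag as a trailing blank at end of file. The `on:` mapping starts before this hunk.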