mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-09-25 12:15:54 +00:00
cf0e697d13
This avoids issue_comment events on pull requests to get that flag set and subsequently not get access to secrets. ### Tests - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [x] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/9003): <!--number 9003 --><!--line 0 --><!--description QWN0aW9ucyB3b3JrZmxvd3MgdHJpZ2dlcmVkIGJ5IGNvbW1lbnRzIG9yIGxhYmVscyB0byBwdWxsIHJlcXVlc3RzIG1heSBhY2Nlc3Mgc2VjcmV0cw==-->Actions workflows triggered by comments or labels to pull requests may access secrets<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9003 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: BtbN <btbn@btbn.de> Co-committed-by: BtbN <btbn@btbn.de>
146 lines
4.6 KiB
Go
146 lines
4.6 KiB
Go
// Copyright 2024 The Forgejo Authors
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package actions
|
|
|
|
import (
|
|
"testing"
|
|
|
|
actions_model "forgejo.org/models/actions"
|
|
"forgejo.org/models/db"
|
|
issues_model "forgejo.org/models/issues"
|
|
repo_model "forgejo.org/models/repo"
|
|
"forgejo.org/models/unittest"
|
|
user_model "forgejo.org/models/user"
|
|
actions_module "forgejo.org/modules/actions"
|
|
"forgejo.org/modules/git"
|
|
api "forgejo.org/modules/structs"
|
|
webhook_module "forgejo.org/modules/webhook"
|
|
|
|
"code.forgejo.org/forgejo/runner/v9/act/jobparser"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func Test_SkipPullRequestEvent(t *testing.T) {
|
|
require.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
repoID := int64(1)
|
|
commitSHA := "1234"
|
|
|
|
// event is not webhook_module.HookEventPullRequestSync, never skip
|
|
assert.False(t, SkipPullRequestEvent(db.DefaultContext, webhook_module.HookEventPullRequest, repoID, commitSHA))
|
|
|
|
// event is webhook_module.HookEventPullRequestSync but there is nothing in the ActionRun table, do not skip
|
|
assert.False(t, SkipPullRequestEvent(db.DefaultContext, webhook_module.HookEventPullRequestSync, repoID, commitSHA))
|
|
|
|
// there is a webhook_module.HookEventPullRequest event but the SHA is different, do not skip
|
|
index := int64(1)
|
|
run := &actions_model.ActionRun{
|
|
Index: index,
|
|
Event: webhook_module.HookEventPullRequest,
|
|
RepoID: repoID,
|
|
CommitSHA: "othersha",
|
|
}
|
|
unittest.AssertSuccessfulInsert(t, run)
|
|
assert.False(t, SkipPullRequestEvent(db.DefaultContext, webhook_module.HookEventPullRequestSync, repoID, commitSHA))
|
|
|
|
// there already is a webhook_module.HookEventPullRequest with the same SHA, skip
|
|
index++
|
|
run = &actions_model.ActionRun{
|
|
Index: index,
|
|
Event: webhook_module.HookEventPullRequest,
|
|
RepoID: repoID,
|
|
CommitSHA: commitSHA,
|
|
}
|
|
unittest.AssertSuccessfulInsert(t, run)
|
|
assert.True(t, SkipPullRequestEvent(db.DefaultContext, webhook_module.HookEventPullRequestSync, repoID, commitSHA))
|
|
}
|
|
|
|
func Test_IssueCommentOnForkPullRequestEvent(t *testing.T) {
|
|
require.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 10})
|
|
doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 3})
|
|
require.NoError(t, pr.LoadIssue(db.DefaultContext))
|
|
|
|
require.True(t, pr.IsFromFork())
|
|
|
|
commit := &git.Commit{
|
|
ID: git.MustIDFromString("0000000000000000000000000000000000000000"),
|
|
CommitMessage: "test",
|
|
}
|
|
detectedWorkflows := []*actions_module.DetectedWorkflow{
|
|
{
|
|
TriggerEvent: &jobparser.Event{
|
|
Name: "issue_comment",
|
|
},
|
|
},
|
|
}
|
|
input := ¬ifyInput{
|
|
Repo: repo,
|
|
Doer: doer,
|
|
Event: webhook_module.HookEventIssueComment,
|
|
PullRequest: pr,
|
|
Payload: &api.IssueCommentPayload{},
|
|
}
|
|
|
|
unittest.AssertSuccessfulDelete(t, &actions_model.ActionRun{RepoID: repo.ID})
|
|
|
|
err := handleWorkflows(db.DefaultContext, detectedWorkflows, commit, input, "")
|
|
require.NoError(t, err)
|
|
|
|
runs, err := db.Find[actions_model.ActionRun](db.DefaultContext, actions_model.FindRunOptions{
|
|
RepoID: repo.ID,
|
|
})
|
|
require.NoError(t, err)
|
|
require.Len(t, runs, 1)
|
|
|
|
assert.Equal(t, webhook_module.HookEventIssueComment, runs[0].Event)
|
|
assert.False(t, runs[0].IsForkPullRequest)
|
|
}
|
|
|
|
func Test_OpenForkPullRequestEvent(t *testing.T) {
|
|
require.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 10})
|
|
doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 3})
|
|
require.NoError(t, pr.LoadIssue(db.DefaultContext))
|
|
|
|
require.True(t, pr.IsFromFork())
|
|
|
|
commit := &git.Commit{
|
|
ID: git.MustIDFromString("0000000000000000000000000000000000000000"),
|
|
CommitMessage: "test",
|
|
}
|
|
detectedWorkflows := []*actions_module.DetectedWorkflow{
|
|
{
|
|
TriggerEvent: &jobparser.Event{
|
|
Name: "pull_request",
|
|
},
|
|
},
|
|
}
|
|
input := ¬ifyInput{
|
|
Repo: repo,
|
|
Doer: doer,
|
|
Event: webhook_module.HookEventPullRequest,
|
|
PullRequest: pr,
|
|
Payload: &api.PullRequestPayload{},
|
|
}
|
|
|
|
unittest.AssertSuccessfulDelete(t, &actions_model.ActionRun{RepoID: repo.ID})
|
|
|
|
err := handleWorkflows(db.DefaultContext, detectedWorkflows, commit, input, "")
|
|
require.NoError(t, err)
|
|
|
|
runs, err := db.Find[actions_model.ActionRun](db.DefaultContext, actions_model.FindRunOptions{
|
|
RepoID: repo.ID,
|
|
})
|
|
require.NoError(t, err)
|
|
require.Len(t, runs, 1)
|
|
|
|
assert.Equal(t, webhook_module.HookEventPullRequest, runs[0].Event)
|
|
assert.True(t, runs[0].IsForkPullRequest)
|
|
}
|