Skip to content

Commit

Permalink
fix: bypass token checks for forks and OIDC (#1404)
Browse files Browse the repository at this point in the history
* chore(log): dump context

* fix: add logic to bypass token for forks

* fix: running the same things

* fix: more logging

* fix: more core info

* fix: run the func

* fix: cleanup
  • Loading branch information
thomasrockhu-codecov authored May 1, 2024
1 parent dad251d commit 5a299d1
Show file tree
Hide file tree
Showing 3 changed files with 57 additions and 25 deletions.
60 changes: 37 additions & 23 deletions dist/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -32440,12 +32440,12 @@ var __webpack_exports__ = {};
// ESM COMPAT FLAG
__nccwpck_require__.r(__webpack_exports__);

// EXTERNAL MODULE: external "fs"
var external_fs_ = __nccwpck_require__(7147);
// EXTERNAL MODULE: external "https"
var external_https_ = __nccwpck_require__(5687);
// EXTERNAL MODULE: external "path"
var external_path_ = __nccwpck_require__(1017);
;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
;// CONCATENATED MODULE: external "node:https"
const external_node_https_namespaceObject = require("node:https");
;// CONCATENATED MODULE: external "node:path"
const external_node_path_namespaceObject = require("node:path");
// EXTERNAL MODULE: ./node_modules/@actions/exec/lib/exec.js
var exec = __nccwpck_require__(1514);
// EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
Expand Down Expand Up @@ -32562,7 +32562,21 @@ const getGitService = () => {
}
return 'github';
};
const isFork = () => {
if (`${context.eventName}` !== 'pull_request' ||
`${context.eventName}` !== 'pull_request_target') {
return false;
}
const baseLabel = context.payload.pull_request.base.label;
const headLabel = context.payload.pull_request.head.label;
core.info(`baseRef: ${baseLabel} | headRef: ${headLabel}`);
return (baseLabel.split(':')[0] !== headLabel.split(':')[0]);
};
const getToken = () => buildExec_awaiter(void 0, void 0, void 0, function* () {
if (isFork()) {
core.info('==> Fork detected, tokenless uploading used');
return Promise.resolve('');
}
let token = core.getInput('token');
let url = core.getInput('url');
const useOIDC = isTrue(core.getInput('use_oidc'));
Expand Down Expand Up @@ -32863,8 +32877,8 @@ const buildUploadExec = () => buildExec_awaiter(void 0, void 0, void 0, function
});


// EXTERNAL MODULE: external "crypto"
var external_crypto_ = __nccwpck_require__(6113);
;// CONCATENATED MODULE: external "node:crypto"
const external_node_crypto_namespaceObject = require("node:crypto");
// EXTERNAL MODULE: ./node_modules/gpg/lib/gpg.js
var gpg = __nccwpck_require__(40);
// EXTERNAL MODULE: ./node_modules/undici/index.js
Expand Down Expand Up @@ -32896,24 +32910,24 @@ const verify = (filename, platform, version, verbose, failCi) => validate_awaite
if (verbose) {
console.log(`Received SHA256SUM ${shasum}`);
}
yield external_fs_.writeFileSync(external_path_.join(__dirname, `${uploaderName}.SHA256SUM`), shasum);
yield external_node_fs_namespaceObject.writeFileSync(external_node_path_namespaceObject.join(__dirname, `${uploaderName}.SHA256SUM`), shasum);
const shaSigRes = yield (0,undici.request)(`${getBaseUrl(platform, version)}.SHA256SUM.sig`);
const shaSig = yield shaSigRes.body.text();
if (verbose) {
console.log(`Received SHA256SUM signature ${shaSig}`);
}
yield external_fs_.writeFileSync(external_path_.join(__dirname, `${uploaderName}.SHA256SUM.sig`), shaSig);
yield external_node_fs_namespaceObject.writeFileSync(external_node_path_namespaceObject.join(__dirname, `${uploaderName}.SHA256SUM.sig`), shaSig);
const validateSha = () => validate_awaiter(void 0, void 0, void 0, function* () {
const calculateHash = (filename) => validate_awaiter(void 0, void 0, void 0, function* () {
const stream = external_fs_.createReadStream(filename);
const uploaderSha = external_crypto_.createHash(`sha256`);
const stream = external_node_fs_namespaceObject.createReadStream(filename);
const uploaderSha = external_node_crypto_namespaceObject.createHash(`sha256`);
stream.pipe(uploaderSha);
return new Promise((resolve, reject) => {
stream.on('end', () => resolve(`${uploaderSha.digest('hex')} ${uploaderName}`));
stream.on('error', reject);
});
});
const hash = yield calculateHash(external_path_.join(__dirname, `${uploaderName}`));
const hash = yield calculateHash(external_node_path_namespaceObject.join(__dirname, `${uploaderName}`));
if (hash === shasum) {
core.info(`==> Uploader SHASUM verified (${hash})`);
}
Expand All @@ -32927,11 +32941,11 @@ const verify = (filename, platform, version, verbose, failCi) => validate_awaite
'--logger-fd',
'1',
'--verify',
external_path_.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
external_path_.join(__dirname, `${uploaderName}.SHA256SUM`),
external_node_path_namespaceObject.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
external_node_path_namespaceObject.join(__dirname, `${uploaderName}.SHA256SUM`),
], (err, verifyResult) => validate_awaiter(void 0, void 0, void 0, function* () {
if (err) {
setFailure('Codecov: Error importing pgp key', failCi);
setFailure(`Codecov: Error importing pgp key: ${err.message}`, failCi);
}
core.info(verifyResult);
yield validateSha();
Expand All @@ -32943,10 +32957,10 @@ const verify = (filename, platform, version, verbose, failCi) => validate_awaite
'1',
'--no-default-keyring',
'--import',
__nccwpck_require__.ab + "pgp_keys.asc",
external_node_path_namespaceObject.join(__dirname, 'pgp_keys.asc'),
], (err, importResult) => validate_awaiter(void 0, void 0, void 0, function* () {
if (err) {
setFailure('Codecov: Error importing pgp key', failCi);
setFailure(`Codecov: Error importing pgp key: ${err.message}`, failCi);
}
core.info(importResult);
verifySignature();
Expand Down Expand Up @@ -33011,10 +33025,10 @@ const run = () => src_awaiter(void 0, void 0, void 0, function* () {
const { uploadExecArgs, uploadOptions, disableSafeDirectory, failCi, os, uploaderVersion, uploadCommand, } = yield buildUploadExec();
const { args, verbose } = buildGeneralExec();
const platform = getPlatform(os);
const filename = external_path_.join(__dirname, getUploaderName(platform));
external_https_.get(getBaseUrl(platform, uploaderVersion), (res) => {
const filename = external_node_path_namespaceObject.join(__dirname, getUploaderName(platform));
external_node_https_namespaceObject.get(getBaseUrl(platform, uploaderVersion), (res) => {
// Image will be stored at this path
const filePath = external_fs_.createWriteStream(filename);
const filePath = external_node_fs_namespaceObject.createWriteStream(filename);
res.pipe(filePath);
filePath
.on('error', (err) => {
Expand All @@ -33023,12 +33037,12 @@ const run = () => src_awaiter(void 0, void 0, void 0, function* () {
filePath.close();
yield validate(filename, platform, uploaderVersion, verbose, failCi);
yield version(platform, uploaderVersion);
yield external_fs_.chmodSync(filename, '777');
yield external_node_fs_namespaceObject.chmodSync(filename, '777');
if (!disableSafeDirectory) {
yield setSafeDirectory();
}
const unlink = () => {
external_fs_.unlink(filename, (err) => {
external_node_fs_namespaceObject.unlink(filename, (err) => {
if (err) {
setFailure(`Codecov: Could not unlink uploader: ${err.message}`, failCi);
}
Expand Down
2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

20 changes: 19 additions & 1 deletion src/buildExec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,29 @@ const getGitService = (): string => {
return 'github';
};

const isFork = (): boolean => {
if (
`${context.eventName}` !== 'pull_request' ||
`${context.eventName}` !== 'pull_request_target'
) {
return false;
}

const baseLabel = context.payload.pull_request.base.label;
const headLabel = context.payload.pull_request.head.label;

core.info(`baseRef: ${baseLabel} | headRef: ${headLabel}`);
return (baseLabel.split(':')[0] !== headLabel.split(':')[0]);
};

const getToken = async (): Promise<string> => {
if (isFork()) {
core.info('==> Fork detected, tokenless uploading used');
return Promise.resolve('');
}
let token = core.getInput('token');
let url = core.getInput('url');
const useOIDC = isTrue(core.getInput('use_oidc'));

if (useOIDC) {
if (!url) {
url = 'https://codecov.io';
Expand Down

0 comments on commit 5a299d1

Please sign in to comment.