fix: possible template injection in CI
erikburt committed Dec 16, 2024
1 parent 457ee7f commit ebeeb0c
Showing 13 changed files with 147 additions and 67 deletions.
35 changes: 23 additions & 12 deletions .github/workflows/automation-ondemand-tests.yml
Expand Up @@ -52,45 +52,56 @@ jobs:
outputs:
test_list: ${{ steps.set-tests.outputs.test_list }}
require_chainlink_image_versions_in_qa_ecr: ${{ steps.determine-chainlink-image-check.outputs.require_chainlink_image_versions_in_qa_ecr }}
env:
GH_INPUTS_CHAINLINK_IMAGE: ${{ inputs.chainlinkImage }}
GH_INPUTS_CHAINLINK_IMAGE_UPDATE: ${{ inputs.chainlinkImageUpdate }}
GH_INPUTS_CHAINLINK_VERSION: ${{ inputs.chainlinkVersion }}
GH_INPUTS_CHAINLINK_VERSION_UPDATE: ${{ inputs.chainlinkVersionUpdate }}
steps:
- name: Determine build to use
id: determine-build
shell: bash
run: |
if [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then
if [[ "$GH_INPUTS_CHAINLINK_IMAGE" == "QA_ECR" ]]; then
echo "image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV
else
echo "image=${{ inputs.chainlinkImage }}" >> $GITHUB_ENV
echo "image=$GH_INPUTS_CHAINLINK_IMAGE" >> $GITHUB_ENV
fi
if [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then
if [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then
echo "upgrade_image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV
else
echo "upgrade_image=${{ inputs.chainlinkImageUpdate }}" >> $GITHUB_ENV
echo "upgrade_image=$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" >> $GITHUB_ENV
fi
if [[ -z "${{ inputs.chainlinkVersion }}" ]] && [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then
if [[ -z "$GH_INPUTS_CHAINLINK_VERSION" ]] && [[ "$CHAINLINK_IMAGE" == "QA_ECR" ]]; then
echo "version=${{ github.sha }}" >> $GITHUB_ENV
else
echo "version=${{ inputs.chainlinkVersion }}" >> $GITHUB_ENV
echo "version=$GH_INPUTS_CHAINLINK_VERSION" >> $GITHUB_ENV
fi
if [[ -z "${{ inputs.chainlinkVersionUpdate }}" ]] && [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then
if [[ -z "$GH_INPUTS_CHAINLINK_VERSION_UPDATE" ]] && [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then
echo "upgrade_version=${{ github.sha }}" >> $GITHUB_ENV
else
echo "upgrade_version=${{ inputs.chainlinkVersionUpdate }}" >> $GITHUB_ENV
echo "upgrade_version=$GH_INPUTS_CHAINLINK_VERSION_UPDATE" >> $GITHUB_ENV
fi
- name: Check if chainlink image check required
id: determine-chainlink-image-check
shell: bash
env:
CHAINLKINK_IMAGE: ${{ github.event.inputs.chainlinkImage }}
CHAINLINK_IMAGE_UPDATE: ${{ github.event.inputs.chainlinkImageUpdate }}
run: |
chainlink_image_versions=""
if [ "${{ github.event.inputs.chainlinkImage }}" = "QA_ECR" ]; then
if [ "$CHAINLKINK_IMAGE" = "QA_ECR" ]; then
chainlink_image_versions+="${{ env.version }},"
fi
if [ "${{ github.event.inputs.chainlinkImageUpdate }}" = "QA_ECR" ]; then
if [ "$CHAINLINK_IMAGE_UPDATE" = "QA_ECR" ]; then
chainlink_image_versions+="${{ env.upgrade_version }}"
fi
echo "require_chainlink_image_versions_in_qa_ecr=$chainlink_image_versions" >> $GITHUB_OUTPUT
- name: Set tests to run
id: set-tests
env:
GH_EVENT_INPUTS_ENABLE_REORG: ${{ github.event.inputs.enableReorg }}
GH_EVENT_INPUTS_ENABLE_CHAOS: ${{ github.event.inputs.enableChaos }}
run: |
# Always run upgrade tests
Expand Down Expand Up @@ -118,7 +129,7 @@ jobs:
EOF
# Run reorg tests if enabled
if [[ "${{ github.event.inputs.enableReorg }}" == 'true' ]]; then
if [[ "$GH_EVENT_INPUTS_ENABLE_REORG" == 'true' ]]; then
cat >> test_list.yaml <<EOF
- id: reorg/automation_reorg_test.go^TestAutomationReorg/registry_2_0
test_env_vars:
Expand All @@ -143,7 +154,7 @@ jobs:
fi
# Run chaos tests if enabled
if [[ "${{ github.event.inputs.enableChaos }}" == 'true' ]]; then
if [[ "$GH_EVENT_INPUTS_ENABLE_CHAOS" == 'true' ]]; then
cat >> test_list.yaml <<EOF
- id: chaos/automation_chaos_test.go
test_env_vars:
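Review bot: `$CHAINLINK_IMAGE` in the new version check does not match the job-level variable introduced above, which is named `GH_INPUTS_CHAINLINK_IMAGE`; unless a workflow-level `env:` outside this hunk defines `CHAINLINK_IMAGE`, it expands to empty, so when `chainlinkVersion` is left blank with `chainlinkImage=QA_ECR` the fallback to `github.sha` is never taken and `version` is written empty. The line should read `if [[ -z "$GH_INPUTS_CHAINLINK_VERSION" ]] && [[ "$GH_INPUTS_CHAINLINK_IMAGE" == "QA_ECR" ]]; then`. The same sweep left `${{ env.version }}` and `${{ env.upgrade_version }}` in the image-check step; both values are derived from the raw inputs via `$GITHUB_ENV`, so they are still interpolated into the script text, and reading them as `$version` / `$upgrade_version` would match the rest of the change. The step-scoped `CHAINLKINK_IMAGE` key is misspelled but used consistently, so it works; renaming it to `CHAINLINK_IMAGE` would avoid confusion with the first step. The set-tests step body continues past the hunk.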
2 changes: 2 additions & 0 deletions .github/workflows/bash-scripts.yml
Expand Up @@ -12,6 +12,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: bash-scripts
with:
17 changes: 11 additions & 6 deletions .github/workflows/build-publish-develop-pr.yml
Expand Up @@ -43,23 +43,28 @@ jobs:

- name: Get image tag
id: get-image-tag
env:
GH_EVENT_NAME: ${{ github.event_name }}
GH_EVENT_NUMBER: ${{ github.event.number }}
GH_INPUTS_BUILD_PUBLISH: ${{ inputs.build-publish }}
LABEL_HAS_BUILD_PUBLISH: ${{ contains(github.event.pull_request.labels.*.name, 'build-publish') }}
run: |
short_sha=$(git rev-parse --short HEAD)
echo "release-type=snapshot" | tee -a $GITHUB_OUTPUT
if [[ ${{ github.event_name }} == 'push' ]]; then
if [[ $GH_EVENT_NAME == 'push' ]]; then
echo "image-tag=develop" | tee -a $GITHUB_OUTPUT
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
elif [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then
elif [[ $GH_EVENT_NAME == 'workflow_dispatch' ]]; then
echo "image-tag=${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ "${{ inputs.build-publish }}" == 'false' ]]; then
if [[ "$GH_INPUTS_BUILD_PUBLISH" == 'false' ]]; then
echo "release-type=snapshot" | tee -a $GITHUB_OUTPUT
else
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
fi
else
if [[ ${{ github.event_name }} == "pull_request" ]]; then
echo "image-tag=pr-${{ github.event.number }}-${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ ${{ contains(github.event.pull_request.labels.*.name, 'build-publish') }} == "true" ]]; then
if [[ $GH_EVENT_NAME == "pull_request" ]]; then
echo "image-tag=pr-${GH_EVENT_NUMBER}-${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ $LABEL_HAS_BUILD_PUBLISH == "true" ]]; then
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
fi
fi
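Review bot: The new `$GH_EVENT_NAME` comparisons on the `push`, `workflow_dispatch` and `pull_request` branches are unquoted while `$GH_INPUTS_BUILD_PUBLISH` a few lines below is quoted; inside `[[ ]]` the unquoted form is safe, but the mixed style reads as if the two cases differed. Quoting them all, e.g. `if [[ "$GH_EVENT_NAME" == 'push' ]]; then`, keeps the step uniform. `$LABEL_HAS_BUILD_PUBLISH` is the string rendering of a `contains()` expression, so comparing it with `"true"` is correct; a short comment above the `env:` block noting that the value arrives as the literal text `true`/`false` would save the next reader a lookup. The step body continues past the hunk.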
8 changes: 6 additions & 2 deletions .github/workflows/ci-core.yml
Expand Up @@ -179,8 +179,10 @@ jobs:

- name: Replace chainlink-evm deps
if: ${{ needs.filter.outputs.should-run-ci-core == 'true' && inputs.evm-ref != ''}}
env:
GH_INPUTS_EVM_REF: ${{ inputs.evm-ref }}
shell: bash
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@${{ inputs.evm-ref }}
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@$GH_INPUTS_EVM_REF

- name: Setup Solana
if: ${{ needs.filter.outputs.should-run-ci-core == 'true' }}
Expand Down Expand Up @@ -328,8 +330,10 @@ jobs:

- name: Replace chainlink-evm deps
if: ${{ github.event_name == 'workflow_dispatch' && inputs.evm-ref != ''}}
env:
GH_INPUTS_EVM_REF: ${{ inputs.evm-ref }}
shell: bash
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@${{ inputs.evm-ref }}
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@$GH_INPUTS_EVM_REF

- name: Build binary
run: go build -o chainlink.test .
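Review bot: `$GH_INPUTS_EVM_REF` is expanded unquoted in the one-line `run:` of both `Replace chainlink-evm deps` steps (the second in the hunk at +330); an `evm-ref` containing whitespace would be split into extra `go get` arguments. Quoting the module path, `run: go get "github.com/smartcontractkit/chainlink-integrations/evm/relayer@$GH_INPUTS_EVM_REF"`, keeps it a single argument. Since the input still selects which revision of the dependency is pulled into the build, a format check on `evm-ref` (tag, branch or commit SHA pattern) before the `go get` would be a reasonable follow-up; the `if:` on each step only tests that it is non-empty.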
46 changes: 30 additions & 16 deletions .github/workflows/client-compatibility-tests.yml
Expand Up @@ -54,24 +54,26 @@ jobs:
fetch-depth: 0
- name: Check for go.mod changes
id: changes
env:
GH_BASE_REF: ${{ github.base_ref }}
run: |
if [ -z "${{ github.base_ref }}" ]; then
if [ -z "$GH_BASE_REF" ]; then
echo "No base branch found, this should not happen in a PR or MQ. Please reach out to the Test Tooling team."
echo "Github even that triggered the workflow: $GITHUB_EVENT_NAME"
echo "Github ref that triggered the workflow: $GITHUB_REF"
exit 1
fi
git fetch origin ${{ github.base_ref }}
git fetch origin $GH_BASE_REF
# if no match is found then grep exits with code 1, but if there is a match it exits with code 0
# this will return a match if there are any changes on that corresponding line, for example if spacing was changed
DEPENDENCY_CHANGED=$(git diff -U0 origin/${{ github.base_ref }}...HEAD -- go.mod | grep -q 'github.com/ethereum/go-ethereum'; echo $?)
DEPENDENCY_CHANGED=$(git diff -U0 origin/$GH_BASE_REF...HEAD -- go.mod | grep -q 'github.com/ethereum/go-ethereum'; echo $?)
PR_VERSION=$(grep 'github.com/ethereum/go-ethereum' go.mod | awk '{print $2}')
# here 0 means a match was found, 1 means no match was found
if [ "$DEPENDENCY_CHANGED" -eq 0 ]; then
# Dependency was changed in the PR, now compare with the base branch
git fetch origin ${{ github.base_ref }}
BASE_VERSION=$(git show origin/${{ github.base_ref }}:go.mod | grep 'github.com/ethereum/go-ethereum' | awk '{print $2}')
git fetch origin $GH_BASE_REF
BASE_VERSION=$(git show origin/$GH_BASE_REF:go.mod | grep 'github.com/ethereum/go-ethereum' | awk '{print $2}')
echo "Base branch version: $BASE_VERSION"
echo "PR branch version: $PR_VERSION"
Expand Down Expand Up @@ -143,6 +145,9 @@ jobs:
go install github.com/smartcontractkit/chainlink-testing-framework/tools/[email protected]
- name: Select EVM implementations to test
id: select-implementations
env:
GH_EVENT_INPUTS_BASE64_TEST_LIST: ${{ github.event.inputs.base64TestList }}
GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS: ${{ github.event.inputs.evmImplementations }}
run: |
PATH=$PATH:$(go env GOPATH)/bin
export PATH
Expand Down Expand Up @@ -185,18 +190,24 @@ jobs:
fi
echo "evm_implementations=$eth_implementations" >> $GITHUB_OUTPUT
elif [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
if [ -n "${{ github.event.inputs.base64TestList }}" ]; then
if [ -n "$GH_EVENT_INPUTS_BASE64_TEST_LIST" ]; then
echo "Base64-ed Test Input provided, ignoring EVM implementations"
else
echo "Will test following EVM implementations: ${{ github.event.inputs.evmImplementations }}"
echo "evm_implementations=${{ github.event.inputs.evmImplementations }}" >> $GITHUB_OUTPUT
echo "Will test following EVM implementations: $GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS"
echo "evm_implementations=$GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS" >> $GITHUB_OUTPUT
fi
else
echo "Will test all EVM implementations"
echo "evm_implementations=geth,besu,nethermind,erigon,reth" >> $GITHUB_OUTPUT
fi
- name: Select Chainlink version
id: select-chainlink-version
env:
GH_EVENT_INPUTS_CHAINLINK_VERSION: ${{ github.event.inputs.chainlinkVersion }}
GH_EVENT_PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
GH_EVENT_MERGE_GROUP_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
GH_REF_NAME: ${{ github.ref_name }}
GH_SHA: ${{ github.sha }}
run: |
PATH=$PATH:$(go env GOPATH)/bin
export PATH
Expand All @@ -210,9 +221,9 @@ jobs:
cl_ref_path="releases"
elif [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
echo "Fetching Chainlink version from input"
if [ -n "${{ github.event.inputs.chainlinkVersion }}" ]; then
if [ -n "$GH_EVENT_INPUTS_CHAINLINK_VERSION" ]; then
echo "Chainlink version provided in input"
chainlink_version="${{ github.event.inputs.chainlinkVersion }}"
chainlink_version="$GH_EVENT_INPUTS_CHAINLINK_VERSION"
if [[ "$chainlink_version" =~ ^[0-9a-f]{40}$ ]]; then
cl_ref_path="commit"
chainlink_image_version=$chainlink_version
Expand All @@ -223,23 +234,23 @@ jobs:
fi
else
echo "Chainlink version not provided in input. Using latest commit SHA."
chainlink_version=${{ github.sha }}
chainlink_version=$GH_SHA
chainlink_image_version=$chainlink_version
cl_ref_path="commit"
fi
elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
echo "Fetching Chainlink version from PR's head commit"
chainlink_version="${{ github.event.pull_request.head.sha }}"
chainlink_version="$GH_EVENT_PULL_REQUEST_HEAD_SHA"
chainlink_image_version=$chainlink_version
cl_ref_path="commit"
elif [ "$GITHUB_EVENT_NAME" = "merge_queue" ]; then
echo "Fetching Chainlink version from merge queue's head commit"
chainlink_version="${{ github.event.merge_group.head_sha }}"
chainlink_version="$GH_EVENT_MERGE_GROUP_HEAD_SHA"
chainlink_image_version=$chainlink_version
cl_ref_path="commit"
elif [ "$GITHUB_REF_TYPE" = "tag" ]; then
echo "Fetching Chainlink version from tag"
chainlink_version="${{ github.ref_name }}"
chainlink_version="$GH_REF_NAME"
# strip the 'v' from the version, because we tag our Docker images without it
chainlink_image_version="${chainlink_version#v}"
cl_ref_path="releases"
Expand All @@ -254,13 +265,16 @@ jobs:
echo "cl_ref_path=$cl_ref_path" >> $GITHUB_OUTPUT
- name: Get image count
id: get-image-count
env:
GH_EVENT_INPUTS_BASE64_TEST_LIST: ${{ github.event.inputs.base64TestList }}
GH_EVENT_INPUTS_LATEST_VERSIONS_NUMBER: ${{ github.event.inputs.latestVersionsNumber }}
run: |
if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
echo "Fetching latest image count from input"
if [ -n "${{ github.event.inputs.base64TestList }}" ]; then
if [ -n "$GH_EVENT_INPUTS_BASE64_TEST_LIST" ]; then
echo "Base64-ed Test Input provided, ignoring latest image count"
else
image_count="${{ github.event.inputs.latestVersionsNumber }}"
image_count="$GH_EVENT_INPUTS_LATEST_VERSIONS_NUMBER"
echo "image_count=$image_count" >> $GITHUB_OUTPUT
fi
else
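Review bot: `$GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS` and `$GH_EVENT_INPUTS_LATEST_VERSIONS_NUMBER` are written straight to `$GITHUB_OUTPUT` without any shape check, so moving them into `env:` stops script interpolation but a malformed or multi-line value still propagates into `evm_implementations` and `image_count` for downstream jobs. A one-line guard before each write keeps the outputs well-formed, for instance `[[ "$GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS" =~ ^[a-z,]+$ ]] || { echo "invalid evmImplementations"; exit 1; }` and `[[ "$image_count" =~ ^[0-9]+$ ]] || { echo "invalid latestVersionsNumber"; exit 1; }`. `GH_EVENT_INPUTS_BASE64_TEST_LIST` is declared in two steps' `env:` blocks; hoisting it to the job-level `env:`, as the automation workflow in this commit does, would remove the duplication. `chainlink_version=$GH_SHA` is the only unquoted assignment among its quoted siblings in the version-selection step. Each of these steps' `run:` bodies extends beyond its hunk.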
