Merge pull request #23144 from mattermost/SEC-3673_DisableBranchNameManipulation

fix: Disable branch name manipulation to remove attack vector
2025-02-25 18:55:24 -06:00 · 2023-04-26 12:03:01 +01:00 · 2023-04-26 12:03:01 +01:00 · 5aaedb5e9d
commit 5aaedb5e9d
parent 506c4178b5 ee23f6dc6b
1 changed files with 66 additions and 69 deletions
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@ -4,15 +4,12 @@ on:
    workflows: ["Mattermost Build"]
    types:
      - completed
 jobs:
  upload-s3:
    name: cd/Upload artifacts to S3
    runs-on: ubuntu-22.04
-    env:
+    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
      REPO_NAME: ${{ github.event.repository.name }}
    if: >
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - name: cd/Configure AWS
        uses: aws-actions/configure-aws-credentials@07c2f971bac433df982ccc261983ae443861db49 # v1-node16
@ -28,23 +25,20 @@ jobs:
          workflow_conclusion: success
          name: server-dist-artifact
          path: server/dist
      # Get Branch name from calling workflow
      # Search for the string "pull" and replace it with "PR" in branch-name
      - name: cd/Get branch name
        run: echo "BRANCH_NAME=$(echo ${{ github.event.workflow_run.head_branch }} | sed 's/^pull\//PR-/g')" >> $GITHUB_ENV
      - name: cd/Upload artifacts to S3
        env:
          BRANCH_NAME: ${{ github.event.workflow_run.head_branch }}
          REPO_NAME: ${{ github.event.repository.name }}
          COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          aws s3 cp server/dist/ s3://pr-builds.mattermost.com/$REPO_NAME/$BRANCH_NAME/ --acl public-read --cache-control "no-cache" --recursive --no-progress
-          aws s3 cp server/dist/ s3://pr-builds.mattermost.com/$REPO_NAME/commit/${{ github.sha }}/ --acl public-read --cache-control "no-cache" --recursive --no-progress
+          aws s3 cp server/dist/ s3://pr-builds.mattermost.com/$REPO_NAME/commit/$COMMIT_SHA/ --acl public-read --cache-control "no-cache" --recursive --no-progress
  build-docker:
    name: cd/Build and push docker image
    needs: upload-s3
    env:
      REPO_NAME: ${{ github.event.repository.name }}
    runs-on: ubuntu-22.04
-    if: >
+    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - name: cd/Login to Docker Hub
        uses: docker/login-action@3da7dc6e2b31f99ef2cb9fb4c50fb0971e0d0139 # v2.1.0
@ -64,12 +58,15 @@ jobs:
      - name: cd/Docker build and push
        env:
          DOCKER_CLI_EXPERIMENTAL: enabled
          REPO_NAME: ${{ github.event.repository.name }}
          COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
-        export TAG=$(echo "${{ github.event.pull_request.head.sha || github.sha }}" | cut -c1-7)
+          export TAG=$(echo "${{ github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}" | cut -c1-7)
          cd server/build
          export DOCKER_CLI_EXPERIMENTAL=enabled
-        export MM_PACKAGE=https://pr-builds.mattermost.com/$REPO_NAME/commit/${{ github.sha }}/mattermost-team-linux-amd64.tar.gz
+          export MM_PACKAGE=https://pr-builds.mattermost.com/$REPO_NAME/commit/$COMMIT_SHA/mattermost-team-linux-amd64.tar.gz
          docker buildx build --push --build-arg MM_PACKAGE=$MM_PACKAGE -t mattermostdevelopment/mm-te-test:${TAG} .
  # Temporary uploading also to mattermost/mm-te-test:${TAG} except mattermostdevelopment/mm-te-test:${TAG}
  # Context: https://community.mattermost.com/private-core/pl/3jzzxzfiji8hx833ewyuthzkjh
  build-docker-temp:
@ -77,10 +74,9 @@ jobs:
    needs: upload-s3
    env:
      REPO_NAME: ${{ github.event.repository.name }}
    runs-on: ubuntu-22.04
-    if: >
+    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - name: cd/Login to Docker Hub
        uses: docker/login-action@3da7dc6e2b31f99ef2cb9fb4c50fb0971e0d0139 # v2.1.0
@ -100,17 +96,18 @@ jobs:
      - name: cd/Docker build and push
        env:
          DOCKER_CLI_EXPERIMENTAL: enabled
          REPO_NAME: ${{ github.event.repository.name }}
          COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
-        export TAG=$(echo "${{ github.event.pull_request.head.sha || github.sha }}" | cut -c1-7)
+          export TAG=$(echo "${{ github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}" | cut -c1-7)
          cd server/build
          export DOCKER_CLI_EXPERIMENTAL=enabled
-        export MM_PACKAGE=https://pr-builds.mattermost.com/$REPO_NAME/commit/${{ github.sha }}/mattermost-team-linux-amd64.tar.gz
+          export MM_PACKAGE=https://pr-builds.mattermost.com/$REPO_NAME/commit/$COMMIT_SHA/mattermost-team-linux-amd64.tar.gz
          docker buildx build --push --build-arg MM_PACKAGE=$MM_PACKAGE -t mattermost/mm-te-test:${TAG} .
  sentry:
    name: Send build info to sentry
-    if: >
+    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-22.04
    env:
      SENTRY_AUTH_TOKEN: ${{ secrets.MM_SERVER_SENTRY_AUTH_TOKEN }}