2 changes: 1 addition & 1 deletion .github/scripts/validate-kql-comments.ps1
@@ -1,4 +1,4 @@
#Functions
##Functions##
Function Invoke-ValidateKqlComment([array]$filearray) {
$kqlresults = @()
ForEach($file in $filearray){
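Review bot: the only change in this hunk is the comment `#Functions` becoming `##Functions##`, which is a no-op for the script but does change the file's sha256, and validate-kql-comments.ps1 is exactly the file the new workflow's integrity step hashes against origin/main (FILE_PATH in test-hardened-pr.yml). If this edit is a deliberate fixture so the hash-compare step has something to detect, say so in the PR description; otherwise drop it so the script on the branch stays byte-identical to main.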
2 changes: 1 addition & 1 deletion .github/scripts/validate-kql-syntax.ps1
@@ -1,4 +1,4 @@
#Install Az.ResourceGraph module
##Install Az.ResourceGraph module##
Install-Module -Name Az.resourcegraph -force -scope CurrentUser

#Functions
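Review bot: the unchanged context line `Install-Module -Name Az.resourcegraph -force -scope CurrentUser` installs whatever the current PSGallery version of Az.ResourceGraph is at run time with no `-RequiredVersion`, so the validation's dependency is unpinned even though the workflow actions are pinned to commit SHAs; add `-RequiredVersion` with the tested version so the gallery cannot swap the module under the job. Note also that the new integrity step hashes only validate-kql-comments.ps1, so validate-kql-syntax.ps1 is not covered by the hash compare at all; the `##Install Az.ResourceGraph module##` comment change itself is cosmetic.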
120 changes: 120 additions & 0 deletions .github/workflows/test-hardened-pr.yml
@@ -0,0 +1,120 @@
name: Test Hardened PR Workflow

on:
workflow_dispatch:
inputs:
simulate_pr_number:
description: "PR number to simulate (for logs only)"
required: false
default: "123"

permissions:
contents: read
pull-requests: read

jobs:
test-hardened:
name: Validate Hardened Workflow Logic
runs-on: ubuntu-latest

steps:
# 1) Harden Runner (AUDIT mode for testing – no blocks yet)
- name: Harden Runner (audit mode)
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

# 2) Checkout THIS repository/branch so files are available in the workspace
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: main
fetch-depth: 1

# 3) Simulate PR metadata (purely informational)
- name: Simulate PR Context
run: |
echo "Simulating PR #${{ github.event.inputs.simulate_pr_number }}"
echo "Base branch: main"
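Review bot: `echo "Simulating PR #${{ github.event.inputs.simulate_pr_number }}"` expands the expression into the script before bash parses it, so any quote or newline in the free-form `simulate_pr_number` input becomes shell syntax rather than data; only users who can trigger `workflow_dispatch` can supply it, but step 5 already passes the same input through `env:` as SIMULATE_PR_NUMBER, so do the same here and reference `"$SIMULATE_PR_NUMBER"` instead of inlining the expression. The harden-runner and checkout SHA pins are good; `egress-policy: audit` is fine for a test workflow as the comment says, but the real hardened workflow should switch to `block` with an allowlist.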
Comment on lines +31 to +38
Copilot AI Sep 11, 2025

Hard-coded branch reference 'main' should be made configurable or use a dynamic reference like ${{ github.event.repository.default_branch }} to support repositories with different default branch names.

Suggested change
ref: main
fetch-depth: 1
# 3) Simulate PR metadata (purely informational)
- name: Simulate PR Context
run: |
echo "Simulating PR #${{ github.event.inputs.simulate_pr_number }}"
echo "Base branch: main"
ref: ${{ github.event.repository.default_branch }}
fetch-depth: 1
# 3) Simulate PR metadata (purely informational)
- name: Simulate PR Context
run: |
echo "Simulating PR #${{ github.event.inputs.simulate_pr_number }}"
echo "Base branch: ${{ github.event.repository.default_branch }}"

echo "PR branch : (simulated)"

# 4) Show what is actually in .github/scripts to debug paths quickly
- name: List .github/scripts (if present)
run: |
echo "Listing .github/scripts..."
ls -la .github/scripts || echo "::warning::.github/scripts not found in this repo/branch"

# 5) Integrity Check (guarded): compute hash only if the file exists
- name: Integrity Check (Hash Compare)
id: integrity
shell: bash
env:
FILE_PATH: ".github/scripts/validate-kql-comments.ps1"
PR_NUMBER: ${{ github.event.pull_request.number }}
SIMULATE_PR_NUMBER: ${{ github.event.inputs.simulate_pr_number }}
run: |
set -euo pipefail
echo "Running integrity check for $FILE_PATH"

# Ensure we have the latest main ref available
git fetch --no-tags origin main || true

# Compute base hash from the file as it exists on the main branch (trusted source)
if ! git show "origin/main:${FILE_PATH}" >/dev/null 2>&1; then
echo "Error: ${FILE_PATH} not found on origin/main"
exit 1
fi
base_hash=$(git show "origin/main:${FILE_PATH}" | sha256sum | cut -d ' ' -f1)
echo "Base hash (origin/main): $base_hash"

# If this run was triggered by a pull_request, fetch the PR head and compute its file hash
if [ -n "${PR_NUMBER:-}" ]; then
echo "Detected PR run for PR #${PR_NUMBER}. Fetching PR head..."
git fetch origin "refs/pull/${PR_NUMBER}/head:refs/remotes/origin/pr/${PR_NUMBER}" || true

if ! git show "refs/remotes/origin/pr/${PR_NUMBER}:${FILE_PATH}" >/dev/null 2>&1; then
echo "Error: $FILE_PATH not found in PR #${PR_NUMBER}"
exit 1
fi

pr_hash=$(git show "refs/remotes/origin/pr/${PR_NUMBER}:${FILE_PATH}" | sha256sum | cut -d ' ' -f1)
echo "PR hash (PR #${PR_NUMBER}): $pr_hash"
else
# Manual run: fall back to workspace file (but still trust main as the baseline)
if [ -f "$FILE_PATH" ]; then
pr_hash=$(sha256sum "$FILE_PATH" | cut -d ' ' -f1)
echo "Manual run: PR hash computed from workspace file: $pr_hash"
else
echo "Error: no PR context and workspace file $FILE_PATH not found"
exit 1
fi
fi

if [ "$base_hash" != "$pr_hash" ]; then
echo "Integrity check failed! File on PR does not match trusted version on main."
echo "Base (main): $base_hash"
echo "PR/head: $pr_hash"
exit 1
fi

echo "Integrity check passed."
# 6) Conditional Execution Simulation (purely illustrative)
- name: Check Approval Condition (simulated)
run: |
echo "Simulating reviewDecision = APPROVED"
echo "PR approved"

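Review bot: the integrity check cannot fail on any trigger this workflow has. `PR_NUMBER: ${{ github.event.pull_request.number }}` is always empty because `on:` only declares `workflow_dispatch`, so the `if [ -n "${PR_NUMBER:-}" ]` branch is dead and the run always falls through to the manual path; there the workspace was checked out with `ref: main`, so `$FILE_PATH` in the workspace and `origin/main:${FILE_PATH}` are the same blob and `base_hash` always equals `pr_hash`. SIMULATE_PR_NUMBER is exported in `env:` but never read; use it as the fallback to `git fetch origin "refs/pull/${SIMULATE_PR_NUMBER}/head:..."` and hash that ref, or add a `pull_request` trigger so the PR branch is exercised. Separately, both `git fetch ... || true` calls swallow fetch failures under `set -euo pipefail`, so a network or ref error surfaces later as the misleading "not found on origin/main" / "not found in PR" message; drop the `|| true` and let the fetch fail loudly.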
Comment on lines +101 to +106
Copilot AI Sep 11, 2025

This step serves no functional purpose and only outputs static simulation messages. Consider removing this step or making it perform actual validation logic if this workflow will be used for real testing scenarios.

Suggested change
# 6) Conditional Execution Simulation (purely illustrative)
- name: Check Approval Condition (simulated)
run: |
echo "Simulating reviewDecision = APPROVED"
echo "PR approved"
# 6) Check PR Approval Status (actual validation)
- name: Check PR Approval Status
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.inputs.simulate_pr_number }}
run: |
echo "Checking approval status for PR #$PR_NUMBER"
APPROVAL_COUNT=$(gh pr reviews $PR_NUMBER --json state --jq '[.[] | select(.state=="APPROVED")] | length')
if [ "$APPROVAL_COUNT" -eq 0 ]; then
echo "PR is NOT approved. Failing workflow."
exit 1
else
echo "PR is approved."
fi

# 7) Mock Azure Login (no secrets)
- name: Mock Azure Login
run: |
echo "Simulating Azure OIDC login"
echo "Client ID: dummy"
echo "Tenant ID: dummy"
echo "Subscription ID: dummy"

# 8) Simulate KQL Validation
- name: Run KQL Validation (Dry Run)
shell: pwsh
run: |
Write-Host "Simulating KQL validation"
Write-Host "No real scripts executed"
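Review bot: steps 7 and 8 only print placeholder strings, so a green run of this job says nothing about the hardened logic it is named for; the "Run KQL Validation (Dry Run)" step under `shell: pwsh` should at least invoke `.github/scripts/validate-kql-comments.ps1` against a fixture KQL file in the repo, which is safe precisely because step 5 is meant to guarantee the script matches origin/main before it runs. On the approval suggestion above: `gh pr reviews` is not a `gh pr` subcommand; `gh pr view "$PR_NUMBER" --json reviewDecision --jq .reviewDecision` returns APPROVED / CHANGES_REQUESTED / REVIEW_REQUIRED and works with the `pull-requests: read` permission already declared. Also bind the approval to the approved head SHA rather than the PR number alone, otherwise commits pushed after the approval are still treated as approved.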