Skip to content

Commit 4bbef32

Browse files
authored
Merge branch 'main' into main
2 parents ebcd9b9 + b59aa21 commit 4bbef32

3 files changed

Lines changed: 375 additions & 354 deletions

File tree

.github/workflows/security-vt-scan.yml

Lines changed: 39 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -4,32 +4,56 @@ on:
44
workflow_dispatch:
55
schedule:
66
- cron: "0 17 * * *"
7-
pull_request:
7+
pull_request_target:
88
types: [opened, synchronize]
99

10+
permissions:
11+
contents: read # Restrict GITHUB_TOKEN
12+
1013
jobs:
11-
changes:
14+
vt-plugin-scan-changes-check:
15+
if: github.event_name == 'pull_request_target'
1216
runs-on: ubuntu-latest
1317
outputs:
1418
plugins: ${{ steps.filter.outputs.plugins }}
19+
non_plugin_files: ${{ steps.filter.outputs.non_plugin_files }}
1520
steps:
1621
- name: Check out repository code
1722
uses: actions/checkout@v6
23+
with:
24+
ref: ${{ github.event.pull_request.head.sha }}
1825
- uses: dorny/paths-filter@v4
19-
if: github.event_name == 'pull_request'
2026
id: filter
2127
with:
28+
predicate-quantifier: 'every'
2229
filters: |
2330
plugins:
24-
- 'plugins/**'
31+
- 'plugins/*.json'
32+
non_plugin_files:
33+
- '**'
34+
- '!plugins/*.json'
35+
- name: Fail if non-plugin files changed
36+
if: github.event_name == 'pull_request_target' && steps.filter.outputs.plugins == 'true' && steps.filter.outputs.non_plugin_files == 'true'
37+
run: |
38+
echo "This PR contains changes to files outside the plugins directory."
39+
echo "Plugin submission PRs must only create/modify plugin manifest files in the plugins directory."
40+
exit 1
2541
2642
vt-plugin-scan:
27-
needs: changes
28-
if: needs.changes.outputs.plugins == 'true' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
43+
needs: vt-plugin-scan-changes-check
44+
if: |
45+
always() && (
46+
(github.event_name == 'pull_request_target' && needs.vt-plugin-scan-changes-check.outputs.plugins == 'true' && needs.vt-plugin-scan-changes-check.outputs.non_plugin_files == 'false') ||
47+
github.event_name == 'workflow_dispatch' ||
48+
github.event_name == 'schedule'
49+
)
2950
runs-on: ubuntu-latest
3051
steps:
3152
- name: Check out repository code
3253
uses: actions/checkout@v6
54+
# To actually check out and run the plugin downloader from the fork's PR
55+
with:
56+
ref: ${{ github.event.pull_request.head.sha }}
3357

3458
- name: Set up Python
3559
uses: actions/setup-python@v6
@@ -44,7 +68,7 @@ jobs:
4468
uses: actions/cache/restore@v5
4569
# No need to restore cache, PR's plugin is downloaded and scanned each time.
4670
# Plugin dev may repeatedly only update one version
47-
if: github.event_name != 'pull_request'
71+
if: github.event_name != 'pull_request_target'
4872
with:
4973
path: |
5074
scan-files/
@@ -53,21 +77,17 @@ jobs:
5377
restore-keys: plugin-zips-
5478

5579
- name: Download plugin submitted in this PR
56-
if: github.event_name == 'pull_request'
80+
if: github.event_name == 'pull_request_target'
5781
run: python ci/src/download_plugins.py --mode new --output-dir scan-files
58-
env:
59-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6082

6183
- name: Download all plugins with cache metadata
62-
if: github.event_name != 'pull_request'
84+
if: github.event_name != 'pull_request_target'
6385
run: python ci/src/download_plugins.py --output-dir scan-files --cache-meta plugin-download-cache.json
64-
env:
65-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6686

6787
- name: Restore VirusTotal scan cache from previous runs
6888
uses: actions/cache/restore@v5
6989
# Don't use cache, upload/retrieve report from VirustTotal each time for new submissions
70-
if: github.event_name != 'pull_request'
90+
if: github.event_name != 'pull_request_target'
7191
with:
7292
path: vt_cache.json
7393
key: vt-cache-restore-not-used
@@ -91,15 +111,15 @@ jobs:
91111
- name: Save VirusTotal scan cache for future runs
92112
uses: actions/cache/save@v5
93113
# Cache not used for PR plugin submissions
94-
if: always() && github.event_name != 'pull_request'
114+
if: always() && github.event_name != 'pull_request_target'
95115
with:
96116
path: vt_cache.json
97117
key: vt-cache-${{ hashFiles('vt_cache.json') }}
98118

99119
- name: Save plugin ZIPs and cache metadata for future runs
100120
uses: actions/cache/save@v5
101121
# Upload even if scan fails
102-
if: always() && github.event_name != 'pull_request'
122+
if: always() && github.event_name != 'pull_request_target'
103123
with:
104124
path: |
105125
scan-files/
@@ -116,15 +136,15 @@ jobs:
116136
- name: Upload VirusTotal scan cache as viewable artifact
117137
uses: actions/upload-artifact@v7
118138
# Cache not used for PR plugin submissions
119-
if: always() && github.event_name != 'pull_request'
139+
if: always() && github.event_name != 'pull_request_target'
120140
with:
121141
path: vt_cache.json
122142
archive: false
123143

124144
- name: Upload plugin download cache metadata as viewable artifact
125145
uses: actions/upload-artifact@v7
126146
# Upload even if scan fails
127-
if: always() && github.event_name != 'pull_request'
147+
if: always() && github.event_name != 'pull_request_target'
128148
with:
129149
path: plugin-download-cache.json
130-
archive: false
150+
archive: false

.github/workflows/test-src-files.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
name: src unit tests
1+
name: Src unit tests
22

33
on:
44
push:
@@ -17,6 +17,7 @@ jobs:
1717
filters: |
1818
src_files:
1919
- 'ci/src/download_plugins.py'
20+
- 'tests/**'
2021
2122
unit-tests:
2223
needs: changes

0 commit comments

Comments
 (0)