split to stub

Author: dmcilvaney

.github/workflows/check-rendered-specs-stub.yml

@@ -0,0 +1,43 @@
+# Stub workflow — A copy of this workflow must live on the default branch (3.0) so that the
+# pull_request_target event can trigger it with access to GITHUB_TOKEN (pull-requests: write).
+# It delegates all real work to the reusable template on tomls/base/main.
+#
+# This two-stage design lets fork PRs trigger the check safely: the stub runs in the
+# context of the default branch (with write token), but the reusable workflow checks out
+# the PR's data files (TOML configs, specs) into a separate directory — never mixing
+# untrusted code with execution context.
+#
+# The stub must exist on the default branch because pull_request_target always runs
+# workflows from there. The reusable workflow on tomls/base/main has the actual scripts,
+# container setup, and rendering logic.
+name: Check Rendered Specs
+
+# pull_request_target gives us a GITHUB_TOKEN with pull-requests: write even for fork PRs.
+# The stub itself runs NO code from the PR — it only delegates to a trusted reusable
+# workflow pinned to tomls/base/main, which checks out PR data (not code) into an
+# isolated subdirectory.
+on: # zizmor: ignore[dangerous-triggers]
+  pull_request_target:
+    branches:
+      - tomls/base/main
+
+permissions: {}
+
+concurrency:
+  group: render-check-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    # Prevent forks from running a stale/vulnerable copy of this stub with Actions enabled
+    if: github.repository == 'microsoft/azurelinux'
+    # Intentionally branch-pinned so the reusable workflow picks up updates automatically.
+    uses: microsoft/azurelinux/.github/workflows/check-rendered-specs.yml@tomls/base/main # zizmor: ignore[unpinned-uses]
+    permissions:
+      contents: read
+      pull-requests: write # Post/update/delete drift comments on PRs
+    with:
+      pr-head-sha: ${{ github.event.pull_request.head.sha }}
+      pr-head-repo: ${{ github.event.pull_request.head.repo.full_name }}
+      pr-number: ${{ github.event.pull_request.number }}
+      repo: ${{ github.repository }}

.github/workflows/check-rendered-specs.yml

@@ -1,16 +1,36 @@
-name: Check Rendered Specs
+# Reusable workflow — renders specs from a PR and checks for drift.
+#
+# Called by the stub on the default branch (check-rendered-specs-stub.yml) via
+# pull_request_target. The stub provides the PR details; this workflow does all
+# the real work:
+#   1. Checks out base branch (trusted tools/scripts)
+#   2. Checks out PR head into pr-head/ (untrusted data — TOML configs, specs)
+#   3. Renders specs inside a privileged container using azldev -C pr-head/
+#   4. Checks for drift (compares rendered output against PR's committed specs)
+#   5. Posts a PR comment with results + downloadable fix patch
+#
+# Security: the PR checkout is data-only. We never execute code from the PR —
+# azldev is installed from upstream, scripts come from the base branch checkout.
+name: "Check Rendered Specs"
 
 on:
-  pull_request:
-    branches:
-      - tomls/base/main
+  workflow_call:
+    inputs:
+      pr-head-sha:
+        required: true
+        type: string
+      pr-head-repo:
+        required: true
+        type: string
+      pr-number:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
 
 permissions: {}
 
-concurrency:
-  group: render-check-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
 jobs:
   check:
     name: Rendered specs freshness
@@ -19,11 +39,23 @@ jobs:
       contents: read
       pull-requests: write # Post/update/delete drift comments on PRs
     steps:
-      - name: Checkout
+      # --- Trusted base branch (tools, scripts, container config) ---
+      - name: Checkout base (trusted)
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          repository: ${{ inputs.repo }}
+          ref: tomls/base/main
           persist-credentials: false
+
+      # --- PR head (untrusted data — TOML configs, overlays, specs) ---
+      - name: Checkout PR head (data)
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ inputs.pr-head-repo }}
+          ref: ${{ inputs.pr-head-sha }}
+          path: pr-head
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
@@ -46,13 +78,18 @@ jobs:
             -f .github/workflows/containers/render.Dockerfile \
             .github/workflows/containers/
 
+      # Render runs inside a privileged container because mock needs mount
+      # namespaces. Only the PR checkout is mounted (not the full workspace) —
+      # this prevents a malicious spec's %() macro from writing to the trusted
+      # base checkout where our scripts live. The azldev binary is mounted
+      # read-only from the host's GOPATH.
       - name: Render specs
         env:
           WORKSPACE: ${{ github.workspace }}
         run: |
           set -o pipefail
           docker run --privileged --rm \
-            -v "$WORKSPACE:/workdir" \
+            -v "$WORKSPACE/pr-head:/workdir" \
             -v "$(go env GOPATH)/bin:/gobin:ro" \
             -e PATH="/gobin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
             azldev-render \
@@ -62,7 +99,7 @@ jobs:
       - name: Resolve specs directory
         id: specs-dir
         run: |
-          SPECS_DIR=$(azldev config dump -q | grep 'rendered-specs-dir' | cut -d"'" -f2)
+          SPECS_DIR=$(azldev -C pr-head config dump -q | grep 'rendered-specs-dir' | cut -d"'" -f2)
           echo "path=$SPECS_DIR" >> "$GITHUB_OUTPUT"
 
       - name: Check for drift
@@ -71,10 +108,11 @@ jobs:
         env:
           SPECS_DIR: ${{ steps.specs-dir.outputs.path }}
         run: |
-          python .github/workflows/scripts/check_rendered_specs.py \
+          cd pr-head
+          python -I "$GITHUB_WORKSPACE/.github/workflows/scripts/check_rendered_specs.py" \
             --specs-dir "$SPECS_DIR" \
-            --report render-check-report.json \
-            --patch rendered-specs.patch
+            --report "$GITHUB_WORKSPACE/render-check-report.json" \
+            --patch "$GITHUB_WORKSPACE/rendered-specs.patch"
 
       - name: Upload fix patch
         id: upload-patch
@@ -85,8 +123,6 @@ jobs:
           archive: false
 
       # Also upload as a zipped artifact so `gh run download` works.
-      # The non-zipped upload above is for browser preview/download, but
-      # `gh run download` doesn't support non-zipped artifacts yet.
       # See: https://github.com/cli/cli/issues/13012
       - name: Upload fix patch (for gh cli)
         if: hashFiles('rendered-specs.patch') != ''
@@ -100,14 +136,12 @@ jobs:
         continue-on-error: true
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_REPO: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          SPECS_DIR: ${{ steps.specs-dir.outputs.path }}
+          PR_REPO: ${{ inputs.repo }}
+          PR_NUMBER: ${{ inputs.pr-number }}
           PATCH_URL: ${{ steps.upload-patch.outputs.artifact-url }}
           RUN_ID: ${{ github.run_id }}
         run: |
-          python .github/workflows/scripts/check_rendered_specs.py \
-            --specs-dir "$SPECS_DIR" \
+          python -I .github/workflows/scripts/post_render_comment.py \
             --repo "$PR_REPO" \
             --pr "$PR_NUMBER" \
             --report render-check-report.json \
@@ -121,4 +155,3 @@ jobs:
           name: render-output
           path: |
             render-output.json
-            render-check-report.json