From b84067252968f9278bf55b15ef13800dd5247e0d Mon Sep 17 00:00:00 2001
From: Mike Woofter <108414937+mongoKart@users.noreply.github.com>
Date: Thu, 17 Oct 2024 12:59:04 -0500
Subject: [PATCH 1/2] security changes
---
.github/workflows/add-netlify-links.yml | 124 ++++++++++++++----------
1 file changed, 72 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/add-netlify-links.yml b/.github/workflows/add-netlify-links.yml
index b953b5cc..d42429bd 100644
--- a/.github/workflows/add-netlify-links.yml
+++ b/.github/workflows/add-netlify-links.yml
@@ -1,55 +1,75 @@
name: Add Netlify Links To Changed Pages
on:
- workflow_call:
+ workflow_call:
+ pull_request_target:
jobs:
- get-pr-changes:
- name: Get Changed Files & Update PR Description
- runs-on: ubuntu-latest
- permissions:
- issues: write
- contents: write
- pull-requests: write
- repository-projects: write
- steps:
- - uses: actions/checkout@v4
- - name: Get Changed Files
- id: changed-files
- uses: tj-actions/changed-files@v44
- with:
- separator: ","
- files: source/**
- - name: Build Netlify Links for Changed Pages
- id: build_page_links
- run: |
- new_links=""
- base_link='https://deploy-preview-${{ github.event.number }}--mongodb-docs-csharp.netlify.app'
- changed_files=${{ steps.changed-files.outputs.all_changed_files }}
- files=$(echo $changed_files | tr "," "\n")
- for file in $files; do
- echo "processing ${file}"
- if (! grep -s "includes/" <<< $file) &&
- (! grep -s "images/" <<< $file) &&
- (! grep -s "examples/" <<< $file); then
- file="${file#source}"
- file="${file%.txt}"
- filenoslash="${file:1}"
- echo "${base_link}${file}"
- new_links+="
${filenoslash}"
- else
- echo "(file skipped)"
- fi
- done
- if [ "$new_links" == "" ]; then
- new_links="No pages to preview"
- fi
- echo "Final new_links string: "
- echo "${new_links}"
- echo "staging_links=${new_links}" >> "$GITHUB_OUTPUT"
- - name: Update the PR Description
- uses: MongoCaleb/pr-description-action@master
- with:
- regex: ".*"
- appendContentOnMatchOnly: true
- regexFlags: is
- content: "\n${{ steps.build_page_links.outputs.staging_links }}\n"
- token: ${{ secrets.GITHUB_TOKEN }}
+ get-pr-changes:
+ name: Get Changed Files & Update PR Description
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ contents: write
+ pull-requests: write
+ repository-projects: write
+ steps:
+ - uses: actions/checkout@v4
+ - name: Get Changed Files
+ id: changed-files
+ # pin to a specific commit to ensure stability
+ uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c
+ with:
+ separator: ","
+ files: source/**
+ - name: Build Netlify Links for Changed Pages
+ id: build_page_links
+ env:
+ CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+ run: |
+ # Function to validate file paths
+ validate_file_path() {
+ local file_path="$1"
+ # Allow only alphanumeric characters, _ . / and -
+ if [[ ! "$file_path" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
+ echo "Invalid file path detected: $file_path" >&2
+ return 1
+ fi
+ }
+
+ new_links=""
+ base_link='https://deploy-preview-${{ github.event.number }}--mongodb-docs-csharp.netlify.app'
+ files=$(echo "$CHANGED_FILES" | tr "," "\n")
+ for file in $files; do
+ echo "processing ${file}"
+
+ # Validate file path and skip if invalid
+ validate_file_path "$file"
+ if [ $? -ne 0 ]; then
+ continue
+ fi
+
+ if (! grep -s "includes/" <<< "$file") &&
+ (! grep -s "images/" <<< "$file") &&
+ (! grep -s "examples/" <<< "$file"); then
+ file="${file#source}"
+ file="${file%.txt}"
+ filenoslash="${file:1}"
+ echo "${base_link}${file}"
+ new_links+="${filenoslash}"
+ else
+ echo "(file skipped)"
+ fi
+ done
+ if [ "$new_links" == "" ]; then
+ new_links="No pages to preview"
+ fi
+ echo "Final new_links string: "
+ echo "${new_links}"
+ echo "staging_links=${new_links}" >> "$GITHUB_OUTPUT"
+ - name: Update the PR Description
+ uses: MongoCaleb/pr-description-action@master
+ with:
+ regex: ".*"
+ appendContentOnMatchOnly: true
+ regexFlags: is
+ content: "\n${{ steps.build_page_links.outputs.staging_links }}\n"
+ token: ${{ secrets.GITHUB_TOKEN }}
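Review bot: The job now also triggers on `pull_request_target` but keeps `issues`, `contents`, `pull-requests` and `repository-projects` at `write`, and the last step still passes `secrets.GITHUB_TOKEN` to `MongoCaleb/pr-description-action@master`, a mutable branch ref. Under that trigger the token keeps those write scopes for pull requests from forks too, so whatever `master` of that action points to runs with repository write access; the hunk pins only `tj-actions/changed-files` and leaves this action and `actions/checkout@v4` on movable refs. I would reduce the permissions block to `contents: read` and `pull-requests: write` (presumably enough for the description update, to be confirmed against the action) and pin the step as `uses: MongoCaleb/pr-description-action@<full-commit-sha>`. The pin comment should state the integrity reason rather than stability, e.g. `# pin to a full commit SHA so a moved tag or branch cannot change the code that runs`. Separately, `validate_file_path "$file"` followed by `if [ $? -ne 0 ]` will not skip anything under the runner's default `bash -e`, because the failing call ends the script first; `if ! validate_file_path "$file"; then continue; fi` keeps the intended skip.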
From 45578ef4ea2a5d3c2f2a445aeebe1435fc21808b Mon Sep 17 00:00:00 2001
From: Mike Woofter <108414937+mongoKart@users.noreply.github.com>
Date: Thu, 17 Oct 2024 15:27:19 -0500
Subject: [PATCH 2/2] remove file validation
---
.github/workflows/add-netlify-links.yml | 17 -----------------
1 file changed, 17 deletions(-)
diff --git a/.github/workflows/add-netlify-links.yml b/.github/workflows/add-netlify-links.yml
index d42429bd..b6b72fff 100644
--- a/.github/workflows/add-netlify-links.yml
+++ b/.github/workflows/add-netlify-links.yml
@@ -25,28 +25,11 @@ jobs:
env:
CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
run: |
- # Function to validate file paths
- validate_file_path() {
- local file_path="$1"
- # Allow only alphanumeric characters, _ . / and -
- if [[ ! "$file_path" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
- echo "Invalid file path detected: $file_path" >&2
- return 1
- fi
- }
-
new_links=""
base_link='https://deploy-preview-${{ github.event.number }}--mongodb-docs-csharp.netlify.app'
files=$(echo "$CHANGED_FILES" | tr "," "\n")
for file in $files; do
echo "processing ${file}"
-
- # Validate file path and skip if invalid
- validate_file_path "$file"
- if [ $? -ne 0 ]; then
- continue
- fi
-
if (! grep -s "includes/" <<< "$file") &&
(! grep -s "images/" <<< "$file") &&
(! grep -s "examples/" <<< "$file"); then