From ac05ded844a742fb2f0821eead5b6704b2835a87 Mon Sep 17 00:00:00 2001
From: softworkz
Date: Mon, 17 Nov 2025 02:49:45 +0100
Subject: [PATCH 1/3] Move PR comment creation to separate workflow on:pull_request_target

---
 .github/workflows/integration-tests.yml | 32 ++++++-------
 .github/workflows/pr-comment.yml        | 61 +++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 18 deletions(-)
 create mode 100644 .github/workflows/pr-comment.yml

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index ea520a77..adc91704 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -144,7 +144,6 @@ jobs:
         done
         echo "Processed $conv TRX file(s)"
 
-
     - name: Publish Test Report
       if: always()
       uses: ctrf-io/github-test-reporter@v1
@@ -186,24 +185,21 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ github.token }}
 
+    - name: Save PR Number
+      if: github.event_name == 'pull_request'
+      run: echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
 
-    - name: Create PR Comment
-      if: always()
-      uses: ctrf-io/github-test-reporter@v1
-      with:
-        report-path: 'ctrf/**/*.json'
-
-        summary: true
-        pull-request: true
-        use-suite-name: true
-        update-comment: true
-        always-group-by: true
-        overwrite-comment: true
-        upload-artifact: false
+    - name: Write PR Number to File
+      if: github.event_name == 'pull_request'
+      run: echo "$PR_NUMBER" > pr_number.txt
+      shell: bash
 
-        pull-request-report: true
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
+    - name: Upload PR Number Artifact
+      if: github.event_name == 'pull_request'
+      uses: actions/upload-artifact@v4
+      with:
+        name: pr_number
+        path: pr_number.txt
 
     - name: Summary
-      run: echo "All matrix test jobs completed."
\ No newline at end of file
+      run: echo "All matrix test jobs completed."
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
new file mode 100644
index 00000000..4edf1c1f
--- /dev/null
+++ b/.github/workflows/pr-comment.yml
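Review bot: `actions/upload-artifact@v4` rejects a second upload under the same name within one run, so if the job holding these steps is itself a matrix job (the Summary step's "All matrix test jobs completed." suggests a matrix exists nearby, but the job header is outside this hunk) every leg after the first would fail on `name: pr_number`; either suffix the name with the matrix key or, if this is the single aggregation job that `needs` the matrix, say so in a comment on the upload step. The detour through `$GITHUB_ENV` in "Save PR Number" and a separate "Write PR Number to File" step adds nothing: a single step `run: echo "${{ github.event.pull_request.number }}" > pr_number.txt` with `shell: bash` is equivalent, and the PR number is a GitHub-supplied integer rather than attacker-controlled text, so interpolating it here is not an injection risk. One of the two new `run:` steps sets `shell: bash` and the other does not; pick one convention for the file.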
@@ -0,0 +1,61 @@
+name: Create PR Comments
+
+on:
+  workflow_run:
+    workflows: ["Tests"]
+    types: [completed]
+
+permissions:
+  contents: read
+  actions: read
+  pull-requests: write
+
+jobs:
+  pr-comment:
+    name: Post Test Result as PR comment
+    runs-on: ubuntu-24.04
+    if: github.event.workflow_run.event == 'pull_request'
+
+    steps:
+    - name: Download CTRF artifact
+      uses: dawidd6/action-download-artifact@v8
+      with:
+        github_token: ${{ github.token }}
+        run_id: ${{ github.event.workflow_run.id }}
+        name: ctrf-report
+        path: ctrf
+
+    - name: Download PR Number Artifact
+      uses: dawidd6/action-download-artifact@v8
+      with:
+        github_token: ${{ github.token }}
+        run_id: ${{ github.event.workflow_run.id }}
+        name: pr_number
+        path: pr_number
+
+    - name: Read PR Number
+      run: |
+        PR_NUMBER=$(cat pr_number/pr_number.txt | grep -E '^[0-9]+$')
+        if [ -z "$PR_NUMBER" ]; then
+          echo "Error: PR_NUMBER is not a valid integer."
+          exit 1
+        fi
+        echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+
+    - name: Post PR Comment
+      uses: ctrf-io/github-test-reporter@v1
+      with:
+        report-path: 'ctrf/**/*.json'
+        issue: ${{ env.PR_NUMBER }}
+
+        summary: true
+        pull-request: true
+        use-suite-name: true
+        update-comment: true
+        always-group-by: true
+        overwrite-comment: true
+        upload-artifact: false
+
+        pull-request-report: true
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
From 54eac4b5213ce4fad3494e77771a9bec0f34b7fa Mon Sep 17 00:00:00 2001
From: softworkz
Date: Mon, 17 Nov 2025 01:14:34 +0100
Subject: [PATCH 2/3] Add workflow files to solution

---
 src/ElectronNET.sln | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/ElectronNET.sln b/src/ElectronNET.sln
index 6cadc125..8a3d25f0 100644
--- a/src/ElectronNET.sln
+++ b/src/ElectronNET.sln
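Review bot: All three `uses:` lines (`dawidd6/action-download-artifact@v8` twice, `ctrf-io/github-test-reporter@v1`) reference mutable tags, yet this workflow runs in the base-repository context with a `github.token` that carries `pull-requests: write`; a moved or hijacked tag would inherit that token, so pin each to a full commit SHA, e.g. `uses: dawidd6/action-download-artifact@<40-hex-sha> # v8`, and let Dependabot advance the pins. Both artifacts this job downloads were produced by the untrusted PR run, so the CTRF JSON the reporter renders into the comment is attacker-controlled content; that is acceptable for a status comment, but a comment above the download steps such as `# Both artifacts originate from the untrusted PR run; their contents are attacker-controlled.` would keep a future maintainer from trusting them for anything more. `workflows: ["Tests"]` has to match the `name:` of integration-tests.yml exactly, which is not visible here; if it does not, this workflow silently never fires. The commit subject says `pull_request_target`, but the trigger actually used is `workflow_run`, which is the safer choice here because no PR code is checked out.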
@@ -42,6 +42,10 @@ EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Build", "Build", "{985D39A7-5216-4945-8167-2FD0CB387BD8}"
 	ProjectSection(SolutionItems) = preProject
 		..\.github\workflows\ci.yml = ..\.github\workflows\ci.yml
+		..\.github\workflows\integration-tests.yml = ..\.github\workflows\integration-tests.yml
+		..\.github\workflows\pr-comment.yml = ..\.github\workflows\pr-comment.yml
+		..\.github\workflows\publish-wiki.yml = ..\.github\workflows\publish-wiki.yml
+		..\.github\workflows\trailing-whitespace-check.yml = ..\.github\workflows\trailing-whitespace-check.yml
 	EndProjectSection
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "_build", "..\nuke\_build.csproj", "{015CB06B-6CAE-209F-E050-21C3ACA5FE9F}"
From 91ed116cb142e313e367b9effa2a88e6ad6b38ee Mon Sep 17 00:00:00 2001
From: softworkz
Date: Mon, 17 Nov 2025 03:33:51 +0100
Subject: [PATCH 3/3] Harden reading of PR number against injection attacks

---
 .github/workflows/pr-comment.yml | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
index 4edf1c1f..862f1c75 100644
--- a/.github/workflows/pr-comment.yml
+++ b/.github/workflows/pr-comment.yml
@@ -35,12 +35,32 @@ jobs:
 
     - name: Read PR Number
       run: |
-        PR_NUMBER=$(cat pr_number/pr_number.txt | grep -E '^[0-9]+$')
-        if [ -z "$PR_NUMBER" ]; then
-          echo "Error: PR_NUMBER is not a valid integer."
+        set -Eeuo pipefail
+        FILE='pr_number/pr_number.txt'
+
+        # Ensure file exists
+        if [ ! -f "$FILE" ] || [ -L "$FILE" ]; then
+          echo "Error: $FILE is missing or is not a regular file." >&2
           exit 1
         fi
-        echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+
+        # Chec file size
+        if [ "$(wc -c < "$FILE" | tr -d ' ')" -gt 200 ]; then
+          echo "Error: $FILE is too large." >&2
+          exit 1
+        fi
+
+        # Read first line
+        PR_NUMBER=""
+        IFS= read -r PR_NUMBER < "$FILE" || true
+
+        # Validate whether it's a number
+        if ! [[ "$PR_NUMBER" =~ ^[0-9]{1,10}$ ]]; then
+          echo "Error: PR_NUMBER is not a valid integer on the first line." >&2
+          exit 1
+        fi
+
+        printf 'PR_NUMBER=%s\n' "$PR_NUMBER" >> "$GITHUB_ENV"
 
     - name: Post PR Comment
       uses: ctrf-io/github-test-reporter@v1
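Review bot: The new checks make the value safe to splice into `$GITHUB_ENV`, but they do not bind it to this `workflow_run`: the file was written by the untrusted PR job, so a fork author can put any other open PR's number in it and have this bot, with its `pull-requests: write` token, overwrite that PR's comment through the `issue:` input just below the hunk. Before exporting, resolve the PR from the run's own head commit and require a match, for example via `gh api "repos/${GITHUB_REPOSITORY}/commits/${HEAD_SHA}/pulls" --jq '.[0].number'` with `HEAD_SHA: ${{ github.event.workflow_run.head_sha }}` and `GH_TOKEN: ${{ github.token }}` in the step's `env:`; whether that endpoint lists open fork PRs in every case, and how to handle several PRs sharing a head, should be confirmed before relying on it. Two smaller points: the comment reads `# Chec file size` and should be `# Check file size`, and because `[[ =~ ]]` and `IFS= read -r` are bashisms the step should declare `shell: bash` rather than rely on the runner default. The `run:` block is fully inside the hunk, but the `Post PR Comment` step continues past it.
```yaml
        # … unchanged: existence, size and first-line format checks …

        # Bind the artifact's claim to the run that produced it; the artifact
        # comes from the untrusted PR job and could name any open PR.
        EXPECTED_PR=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${HEAD_SHA}/pulls" --jq '.[0].number // ""')
        if [ -z "$EXPECTED_PR" ] || [ "$PR_NUMBER" != "$EXPECTED_PR" ]; then
          echo "Error: PR number $PR_NUMBER is not associated with head SHA $HEAD_SHA." >&2
          exit 1
        fi

        printf 'PR_NUMBER=%s\n' "$PR_NUMBER" >> "$GITHUB_ENV"
      shell: bash
      env:
        HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        GH_TOKEN: ${{ github.token }}
```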