diff --git a/packages/semgrep-action/rules/src/github-actions/checkout-pr-on-issue-comment.yaml b/packages/semgrep-action/rules/src/github-actions/checkout-pr-on-issue-comment.yaml
new file mode 100644
index 0000000..e685aef
--- /dev/null
+++ b/packages/semgrep-action/rules/src/github-actions/checkout-pr-on-issue-comment.yaml
@@ -0,0 +1,51 @@
+rules:
+- id: checkout-pr-on-issue-comment
+ languages:
+ - yaml
+ message: >-
+ A workflow triggered by an `issue_comment` event is checking out a pull request. This could allow an attacker to inject malicious code by commenting on an issue in a way that causes unintended execution. Ensure proper validation is in place before checking out PRs.
+ severity: ERROR
+ patterns:
+ - pattern-either:
+ - pattern-inside: |
+ on:
+ ...
+ issue_comment: ...
+ ...
+ ...
+ - pattern-inside: |
+ on: [..., issue_comment, ...]
+ ...
+ - pattern-inside: |
+ on: issue_comment
+ ...
+ - pattern-inside: |
+ jobs:
+ ...
+ $JOBNAME:
+ ...
+ steps:
+ ...
+ - pattern: |
+ run: $CMD
+ - metavariable-regex:
+ metavariable: $CMD
+ regex: ".*gh pr checkout.*"
+ metadata:
+ category: security
+ cwe:
+ - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+ owasp:
+ - A08:2021 - Software and Data Integrity Failures
+ references:
+ - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+ technology:
+ - github-actions
+ - actions/checkout
+ cwe2022-top25: true
+ cwe2021-top25: true
+ subcategory:
+ - audit
+ likelihood: MEDIUM
+ impact: HIGH
+ confidence: MEDIUM
diff --git a/packages/semgrep-action/rules/src/github-actions/curl-eval.yaml b/packages/semgrep-action/rules/src/github-actions/curl-eval.yaml
new file mode 100644
index 0000000..b5375ae
--- /dev/null
+++ b/packages/semgrep-action/rules/src/github-actions/curl-eval.yaml
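Review bot: The rule only fires on `run:` steps whose command matches `.*gh pr checkout.*`, yet `metadata.technology` lists `actions/checkout`, which this rule never inspects; either drop that entry or add a sibling pattern for a `uses: actions/checkout` step whose `ref:` is derived from `github.event.issue` (pull-request-target-code-checkout.yaml in this commit shows the shape). Because the regex is unanchored, a multi-line `run:` block that merely mentions the command in a shell comment will presumably also match — acceptable for an `audit` rule, but worth stating in the message. That message's "Ensure proper validation is in place" gives the reader nothing to act on; suggest something like `Gate the job on who commented (for example github.event.comment.author_association) before checking out the pull request.`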
@@ -0,0 +1,33 @@
+rules:
+ - id: curl-eval
+ languages:
+ - yaml
+ severity: ERROR
+ metadata:
+ tags: [security]
+ shortDescription: Risk of code injection through curl and eval combination
+ confidence: LOW
+ help: |
+ ## Remediation
+ Avoid eval'ing data fetched from curl commands. If this operation is necessary,
+ verify the integrity of downloaded content by checking its SHA sum before evaluation.
+ See GitHub's security guidance for more details on script injection risks.
+ message: >-
+ Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl`
+ command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval'ing
+ untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned
+ by the server to verify its integrity.
+ patterns:
+ - pattern-inside: 'steps: [...]'
+ - pattern-inside: |
+ - run: ...
+ ...
+ - pattern: 'run: $SHELL'
+ - metavariable-pattern:
+ language: bash
+ metavariable: $SHELL
+ patterns:
+ - pattern: |
+ $DATA=<... curl ...>
+ ...
+ eval <... $DATA ...>
diff --git a/packages/semgrep-action/rules/src/github-actions/github-script-injection.yaml b/packages/semgrep-action/rules/src/github-actions/github-script-injection.yaml
new file mode 100644
index 0000000..c7358ee
--- /dev/null
+++ b/packages/semgrep-action/rules/src/github-actions/github-script-injection.yaml
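Review bot: `metadata` here carries only `tags`, `shortDescription`, `confidence` and `help`, while every other rule in this commit also sets `category`, `cwe`, `owasp`, `references`, `subcategory`, `likelihood` and `impact`; any consumer that groups findings by `category: security` will silently skip this rule. The bash `metavariable-pattern` also only covers the two-step form (`$DATA=<... curl ...>` followed by `eval <... $DATA ...>`); the one-liner `eval "$(curl …)"`, which the message itself warns about, is not matched, so either add a second pattern along the lines of `- pattern: eval <... curl ...>` under a `pattern-either` or state the limitation in `help`. The metavariable name `$SHELL` also shadows a well-known environment variable; `$CMD`, as used in checkout-pr-on-issue-comment.yaml, would read more consistently.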
@@ -0,0 +1,77 @@
+rules:
+ - id: github-script-injection
+ languages:
+ - yaml
+ severity: ERROR
+ metadata:
+ tags: [security]
+ shortDescription: Risk of code injection when using `github` context data in `actions/github-script`.
+ confidence: HIGH
+ help: |
+ ## Remediation
+ Instead of using variable interpolation with `github` context data directly in the script,
+ use an intermediate environment variable:
+
+ 1. Store the data using `env:`
+ 2. Reference the environment variable in the script using double-quotes: "$ENVVAR"
+ category: security
+ cwe:
+ - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+ owasp:
+ - A03:2021 - Injection
+ references:
+ - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+ - https://securitylab.github.com/research/github-actions-untrusted-input/
+ - https://github.com/actions/github-script
+ technology:
+ - github-actions
+ cwe2022-top25: true
+ subcategory:
+ - vuln
+ likelihood: HIGH
+ impact: HIGH
+ message: >-
+ Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s
+ `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context
+ data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment
+ variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes
+ the environment variable, like this: "$ENVVAR".
+ patterns:
+ - pattern-inside: 'steps: [...]'
+ - pattern-inside: |
+ uses: $ACTION
+ ...
+ - pattern-inside: |
+ with:
+ ...
+ script: ...
+ ...
+ - pattern: 'script: $SHELL'
+ - metavariable-regex:
+ metavariable: $ACTION
+ regex: actions/github-script@.*
+ - metavariable-pattern:
+ language: generic
+ metavariable: $SHELL
+ patterns:
+ - pattern-either:
+ - pattern: ${{ github.event.issue.title }}
+ - pattern: ${{ github.event.issue.body }}
+ - pattern: ${{ github.event.pull_request.title }}
+ - pattern: ${{ github.event.pull_request.body }}
+ - pattern: ${{ github.event.comment.body }}
+ - pattern: ${{ github.event.review.body }}
+ - pattern: ${{ github.event.review_comment.body }}
+ - pattern: ${{ github.event.pages. ... .page_name}}
+ - pattern: ${{ github.event.head_commit.message }}
+ - pattern: ${{ github.event.head_commit.author.email }}
+ - pattern: ${{ github.event.head_commit.author.name }}
+ - pattern: ${{ github.event.commits ... .author.email }}
+ - pattern: ${{ github.event.commits ... .author.name }}
+ - pattern: ${{ github.event.pull_request.head.ref }}
+ - pattern: ${{ github.event.pull_request.head.label }}
+ - pattern: ${{ github.event.pull_request.head.repo.default_branch }}
+ - pattern: ${{ github.head_ref }}
+ - pattern: ${{ github.event.inputs ... }}
+ - pattern: ${{ github.event.discussion.title }}
+ - pattern: ${{ github.event.discussion.body }}
diff --git a/packages/semgrep-action/rules/src/github-actions/pull-request-target-code-checkout.yaml b/packages/semgrep-action/rules/src/github-actions/pull-request-target-code-checkout.yaml
new file mode 100644
index 0000000..c06761b
--- /dev/null
+++ b/packages/semgrep-action/rules/src/github-actions/pull-request-target-code-checkout.yaml
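Review bot: The remediation text is wrong for this rule: `help` tells the reader to reference the variable "using double-quotes: "$ENVVAR"" and `message` says to use it "in the `run:` script", but `actions/github-script` executes JavaScript, where an `env:` value is read as `process.env.ENVVAR` and there is no `run:` step. Suggest `2. Read the environment variable inside the script as process.env.ENVVAR` in `help` and the matching wording in `message`; the grammar slip "use double-quotes the environment variable" is shared with run-shell-injection.yaml. The `pattern-either` list also omits `github.event.commits ... .message`, which the hardening guide cited first in `references` lists alongside `head_commit.message`; the identical list in run-shell-injection.yaml has the same gap, so `- pattern: ${{ github.event.commits ... .message }}` belongs in both. Finally, binding the `script:` value to a metavariable named `$SHELL` is misleading in a JavaScript context; `$SCRIPT` would say what it holds.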
@@ -0,0 +1,77 @@
+rules:
+- id: pull-request-target-code-checkout
+ languages:
+ - yaml
+ message: >-
+ This GitHub Actions workflow file uses `pull_request_target` and checks out code
+ from the incoming pull request. When using `pull_request_target`, the Action
+ runs in the context of the target repository, which includes access to all repository
+ secrets. Normally, this is safe because the Action only runs code from the target
+ repository, not the incoming PR. However, by checking out the incoming PR code, you're now using
+ the incoming code for the rest of the action. You may be inadvertently executing arbitrary code
+ from the incoming PR with access to repository secrets, which would let an attacker steal repository
+ secrets.
+ This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation
+ scripts (e.g., `python setup.py install`).
+ Audit your workflow file to make sure no code from the incoming PR is executed.
+ Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional
+ mitigations.
+ metadata:
+ tags: [security]
+ shortDescription: Unsafe code checkout in pull_request_target workflow
+ confidence: LOW
+ help: |
+ ## Remediation
+ When using `pull_request_target`, avoid checking out code from the incoming PR. If you must check out PR code,
+ ensure no untrusted code is executed (including build scripts and dependency installation).
+ See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.
+ category: security
+ owasp:
+ - A01:2021 - Broken Access Control
+ cwe:
+ - 'CWE-913: Improper Control of Dynamically-Managed Code Resources'
+ references:
+ - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md
+ technology:
+ - github-actions
+ subcategory:
+ - audit
+ likelihood: LOW
+ impact: MEDIUM
+ patterns:
+ - pattern-either:
+ - pattern-inside: |
+ on:
+ ...
+ pull_request_target: ...
+ ...
+ ...
+ - pattern-inside: |
+ on: [..., pull_request_target, ...]
+ ...
+ - pattern-inside: |
+ on: pull_request_target
+ ...
+ - pattern-inside: |
+ jobs:
+ ...
+ $JOBNAME:
+ ...
+ steps:
+ ...
+ - pattern: |
+ ...
+ uses: "$ACTION"
+ with:
+ ...
+ ref: $EXPR
+ - metavariable-regex:
+ metavariable: $ACTION
+ regex: actions/checkout@.*
+ - metavariable-pattern:
+ language: generic
+ metavariable: $EXPR
+ patterns:
+ - pattern: ${{ github.event.pull_request ... }}
+ severity: WARNING
diff --git a/packages/semgrep-action/rules/src/github-actions/run-shell-injection.yaml b/packages/semgrep-action/rules/src/github-actions/run-shell-injection.yaml
new file mode 100644
index 0000000..7064577
--- /dev/null
+++ b/packages/semgrep-action/rules/src/github-actions/run-shell-injection.yaml
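Review bot: The `$EXPR` check only fires when `ref:` contains `github.event.pull_request ...`, but `ref: ${{ github.head_ref }}` is equally PR-derived (the incoming PR's branch name) and is already treated as untrusted by run-shell-injection.yaml in this commit; wrap the single `pattern` in a `pattern-either` and add `- pattern: ${{ github.head_ref }}`. `owasp` is `A01:2021 - Broken Access Control` here while the near-identical workflow-run-target-code-checkout.yaml uses `A01:2017 - Injection`, and the two files disagree on whether `owasp`/`cwe` are lists or scalars; pick one taxonomy and one shape. The quoted `uses: "$ACTION"` presumably exists so the pattern matches both quoted and unquoted `uses:` values; a one-line comment saying so would spare the next maintainer a test run.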
@@ -0,0 +1,71 @@
+rules:
+- id: run-shell-injection
+ languages:
+ - yaml
+ message: 'Using variable interpolation `${{...}}` with `github` context data in a `run:` step could
+ allow an attacker to inject their own code into the runner. This would allow them to steal secrets
+ and code. `github` context data can have arbitrary user input and should be treated as untrusted.
+ Instead, use an intermediate environment variable with `env:` to store the data and use the environment
+ variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".'
+ metadata:
+ category: security
+ cwe:
+ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ owasp:
+ - A01:2017 - Injection
+ - A03:2021 - Injection
+ references:
+ - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+ - https://securitylab.github.com/research/github-actions-untrusted-input/
+ technology:
+ - github-actions
+ cwe2022-top25: true
+ cwe2021-top25: true
+ subcategory:
+ - vuln
+ likelihood: HIGH
+ impact: HIGH
+ confidence: HIGH
+ tags: [security]
+ shortDescription: Shell injection risk in GitHub Actions run steps
+ help: |
+ ## Remediation
+ Instead of using `github` context data directly in `run:` steps, use an intermediate environment variable:
+ ```yaml
+ steps:
+ - run: echo "$MY_VAR"
+ env:
+ MY_VAR: ${{ github.event.issue.title }}
+ ```
+ patterns:
+ - pattern-inside: 'steps: [...]'
+ - pattern-inside: |
+ - run: ...
+ ...
+ - pattern: 'run: $SHELL'
+ - metavariable-pattern:
+ language: generic
+ metavariable: $SHELL
+ patterns:
+ - pattern-either:
+ - pattern: ${{ github.event.issue.title }}
+ - pattern: ${{ github.event.issue.body }}
+ - pattern: ${{ github.event.pull_request.title }}
+ - pattern: ${{ github.event.pull_request.body }}
+ - pattern: ${{ github.event.comment.body }}
+ - pattern: ${{ github.event.review.body }}
+ - pattern: ${{ github.event.review_comment.body }}
+ - pattern: ${{ github.event.pages. ... .page_name}}
+ - pattern: ${{ github.event.head_commit.message }}
+ - pattern: ${{ github.event.head_commit.author.email }}
+ - pattern: ${{ github.event.head_commit.author.name }}
+ - pattern: ${{ github.event.commits ... .author.email }}
+ - pattern: ${{ github.event.commits ... .author.name }}
+ - pattern: ${{ github.event.pull_request.head.ref }}
+ - pattern: ${{ github.event.pull_request.head.label }}
+ - pattern: ${{ github.event.pull_request.head.repo.default_branch }}
+ - pattern: ${{ github.head_ref }}
+ - pattern: ${{ github.event.inputs ... }}
+ - pattern: ${{ github.event.discussion.title }}
+ - pattern: ${{ github.event.discussion.body }}
+ severity: ERROR
diff --git a/packages/semgrep-action/rules/src/github-actions/workflow-run-target-code-checkout.yaml b/packages/semgrep-action/rules/src/github-actions/workflow-run-target-code-checkout.yaml
new file mode 100644
index 0000000..3c3a70c
--- /dev/null
+++ b/packages/semgrep-action/rules/src/github-actions/workflow-run-target-code-checkout.yaml
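Review bot: `message` is a multi-line single-quoted scalar while every sibling rule uses `>-`; the text folds the same way today, but any future apostrophe in it (an "attacker's", say) would have to be doubled as `''` or the rule file stops parsing, so `message: >-` is the safer shape. `owasp` carries both `A01:2017 - Injection` and `A03:2021 - Injection`, whereas github-script-injection.yaml lists only the 2021 entry for the same weakness class; align the two. The combination of `- pattern-inside: | - run: ...` and `language: generic` presumably also flags a `${{ github.event.inputs ... }}` reference that sits in a shell comment inside the `run:` block — fine for an ERROR-severity injection rule, but a one-line note in `help` would pre-empt the false-positive report.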
@@ -0,0 +1,68 @@
+rules:
+- id: workflow-run-target-code-checkout
+ languages:
+ - yaml
+ message: >-
+ This GitHub Actions workflow file uses `workflow_run` and checks out code
+ from the incoming pull request. When using `workflow_run`, the Action
+ runs in the context of the target repository, which includes access to all repository
+ secrets. Normally, this is safe because the Action only runs code from the target
+ repository, not the incoming PR. However, by checking out the incoming PR code, you're now using
+ the incoming code for the rest of the action. You may be inadvertently executing arbitrary code
+ from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets.
+ This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation
+ scripts (e.g., `python setup.py install`).
+ Audit your workflow file to make sure no code from the incoming PR is executed.
+ Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional
+ mitigations.
+ metadata:
+ category: security
+ owasp: "A01:2017 - Injection"
+ cwe: "CWE-913: Improper Control of Dynamically-Managed Code Resources"
+ likelihood: MEDIUM
+ impact: MEDIUM
+ confidence: MEDIUM
+ subcategory:
+ - vuln
+ references:
+ - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md
+ - https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability
+ technology:
+ - github-actions
+ tags: [security]
+ shortDescription: Unsafe code checkout in workflow_run trigger
+ help: |
+ ## Remediation
+ When using `workflow_run`, avoid checking out code from the triggering workflow. If you must check out external code,
+ ensure no untrusted code is executed (including build scripts and dependency installation).
+ See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.
+ patterns:
+ - pattern-inside: |
+ on:
+ ...
+ workflow_run: ...
+ ...
+ ...
+ - pattern-inside: |
+ jobs:
+ ...
+ $JOBNAME:
+ ...
+ steps:
+ ...
+ - pattern: |
+ ...
+ uses: "$ACTION"
+ with:
+ ...
+ ref: $EXPR
+ - metavariable-regex:
+ metavariable: $ACTION
+ regex: actions/checkout@.*
+ - metavariable-pattern:
+ language: generic
+ metavariable: $EXPR
+ patterns:
+ - pattern: ${{ github.event.workflow_run ... }}
+ severity: WARNING
diff --git a/packages/semgrep-action/rules/test/github-actions/checkout-pr-on-issue-comment.test.yaml b/packages/semgrep-action/rules/test/github-actions/checkout-pr-on-issue-comment.test.yaml
new file mode 100644
index 0000000..6b84e56
--- /dev/null
+++ b/packages/semgrep-action/rules/test/github-actions/checkout-pr-on-issue-comment.test.yaml
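Review bot: Only the mapping form `on: workflow_run: ...` is recognised by the single `pattern-inside`, whereas pull-request-target-code-checkout.yaml in this commit wraps three trigger shapes (`on: [..., x, ...]` and bare `on: x` as well) in a `pattern-either`; a workflow declared as `on: [workflow_run, pull_request]` is silently skipped here even though it has the same exposure. The same `pattern-either` with `workflow_run` substituted closes the gap (below). `owasp` and `cwe` are plain strings here but single-element lists in every other rule, and `A01:2017 - Injection` is an odd fit for a code-checkout weakness when the sibling rule chose `A01:2021 - Broken Access Control`; the metadata shape should match so consumers can parse both the same way.
```yaml
  patterns:
    - pattern-either:
        - pattern-inside: |
            on:
              ...
              workflow_run: ...
              ...
            ...
        - pattern-inside: |
            on: [..., workflow_run, ...]
            ...
        - pattern-inside: |
            on: workflow_run
            ...
    # … unchanged: jobs/steps pattern-inside, checkout pattern, metavariable checks …
```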
@@ -0,0 +1,84 @@
+name: Update Attibutions
+
+on:
+ issue_comment:
+ types: created
+
+jobs:
+ react-to-comment:
+ name: React to the comment
+ runs-on: ubuntu-latest
+ if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-attributions') }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: React to the comment
+ run: |
+ gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/repos/${REPO}/issues/comments/${COMMENT_ID}/reactions" \
+ -f content='+1'
+ env:
+ COMMENT_ID: ${{ github.event.comment.id }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPO: ${{ github.repository }}
+
+ prepare:
+ name: Prepare dependencies
+ runs-on: ubuntu-latest
+ if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-attributions') }}
+ outputs:
+ COMMIT_SHA: ${{ steps.commit-sha.outputs.COMMIT_SHA }}
+ steps:
+ - name: Checkout repository
+ # ok: checkout-pr-on-issue-comment
+ uses: actions/checkout@v4
+ - name: Checkout pull request
+ # ruleid: checkout-pr-on-issue-comment
+ run: gh pr checkout "${PR_NUMBER}"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_NUMBER: ${{ github.event.issue.number }}
+ - run: corepack enable
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'yarn'
+ - name: Install Yarn dependencies
+ run: yarn --immutable
+ - name: Get commit SHA
+ id: commit-sha
+ run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+# 'gh pr checkout "..."'
+ update-attributions:
+ name: Update Attributions
+ runs-on: ubuntu-latest
+ needs:
+ - prepare
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Checkout pull request
+ # ruleid: checkout-pr-on-issue-comment
+ run: gh pr checkout "${PR_NUMBER}"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_NUMBER: ${{ github.event.issue.number }}
+ - run: corepack enable
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'yarn'
+ - name: Install dependencies from cache
+ run: yarn --immutable --immutable-cache
+ - name: Generate Atributions
+ run: yarn attributions:generate
+ - name: Cache attributions file
+ uses: actions/cache/save@v3
+ with:
+ path: attribution.txt
+ key: cache-build-${{ needs.prepare.outputs.COMMIT_SHA }}
diff --git a/packages/semgrep-action/rules/test/github-actions/curl-eval.test.yaml b/packages/semgrep-action/rules/test/github-actions/curl-eval.test.yaml
new file mode 100644
index 0000000..f63db6e
--- /dev/null
+++ b/packages/semgrep-action/rules/test/github-actions/curl-eval.test.yaml
@@ -0,0 +1,25 @@
+name: Build and deploy Semgrep scanner lambda
+
+on:
+ workflow_dispatch:
+ push:
+ branches: develop
+
+jobs:
+ docker-build:
+ runs-on: ubuntu-latest
+ env:
+ workdir: lambdas/run-semgrep
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build Docker image
+ working-directory:
+ ${{ env.workdir }}/src
+ # ok: curl-eval
+ run: docker build -t semgrep-scanner:latest .
+ - name:
+ blah
+ # ruleid: curl-eval
+ run: |
+ CONTENTS=$(curl https://blah.com)
+ eval $CONTENTS
diff --git a/packages/semgrep-action/rules/test/github-actions/github-script-injection.test.yaml b/packages/semgrep-action/rules/test/github-actions/github-script-injection.test.yaml
new file mode 100644
index 0000000..02809ea
--- /dev/null
+++ b/packages/semgrep-action/rules/test/github-actions/github-script-injection.test.yaml
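Review bot: The fixture exercises only the `on: issue_comment:` mapping form, while the rule declares three trigger shapes (`on: [..., issue_comment, ...]` and bare `on: issue_comment` as well); without a `# ruleid:` case for each, a regression in either of those `pattern-inside` branches passes the suite unnoticed. There is also no negative case for `gh pr checkout` in a workflow that is not triggered by `issue_comment`, which is the rule's main false-positive guard. Minor: the column-0 comment `# 'gh pr checkout "..."'` before `update-attributions:` reads as a leftover scratch note, and `Attibutions`/`Atributions` in the workflow and step names are typos that will be copied into real workflows if this fixture is used as a template.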
@@ -0,0 +1,69 @@
+name: test-script-run
+
+on:
+- push
+
+jobs:
+ script-run:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Run script 1
+ uses: actions/github-script@v6
+ if: steps.report-diff.outputs.passed == 'true'
+ with:
+ # ruleid: github-script-injection
+ script: |
+ const fs = require('fs');
+ const body = fs.readFileSync('/tmp/file.txt', {encoding: 'utf8'});
+
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: '${{ github.event.pull_request.title }}' + body
+ })
+
+ return true;
+
+ - name: Run script 2
+ uses: actions/github-script@latest
+ with:
+ # ruleid: github-script-injection
+ script: |
+ const fs = require('fs');
+ const body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});
+
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: 'Thanks for reporting!'
+ })
+
+ return true;
+
+ - name: Ok script 1
+ uses: not-github/custom-action@latest
+ with:
+ # ok: github-script-injection
+ script: |
+ return ${{ github.event.issue.title }};
+
+ - name: Ok script 2
+ uses: actions/github-script@latest
+ with:
+ # ok: github-script-injection
+ script: |
+ console.log('${{ github.event.workflow_run.artifacts_url }}');
+
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: 'Thanks for reporting!'
+ })
+
+ return true;
\ No newline at end of file
diff --git a/packages/semgrep-action/rules/test/github-actions/pull-request-target-code-checkout.test.yaml b/packages/semgrep-action/rules/test/github-actions/pull-request-target-code-checkout.test.yaml
new file mode 100644
index 0000000..b3e71f8
--- /dev/null
+++ b/packages/semgrep-action/rules/test/github-actions/pull-request-target-code-checkout.test.yaml
@@ -0,0 +1,73 @@
+# cf. https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# INSECURE. Provided as an example only.
+on:
+ pull_request_target:
+ pull_request:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ # ruleid: pull-request-target-code-checkout
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+
+ build2:
+ name: Build and test 2
+ runs-on: ubuntu-latest
+ steps:
+ # ruleid: pull-request-target-code-checkout
+ - uses: actions/checkout@v2.3.4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+
+ this-is-safe-because-no-checkout:
+ name: Echo
+ runs-on: ubuntu-latest
+ steps:
+ # ok: pull-request-target-code-checkout
+ - name: echo
+ run: |
+ echo "Hello, world"
+
+ # cf. https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md
+ spelling:
+ name: Spell checking
+ runs-on: ubuntu-latest
+ steps:
+ # ruleid: pull-request-target-code-checkout
+ - name: checkout-merge
+ if: contains(github.event_name, 'pull_request')
+ uses: actions/checkout@v2
+ with:
+ ref: refs/pull/${{github.event.pull_request.number}}/merge
diff --git a/packages/semgrep-action/rules/test/github-actions/run-shell-injection.test.yaml b/packages/semgrep-action/rules/test/github-actions/run-shell-injection.test.yaml
new file mode 100644
index 0000000..cd6ac6c
--- /dev/null
+++ b/packages/semgrep-action/rules/test/github-actions/run-shell-injection.test.yaml
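Review bot: Every positive case uses the `on: pull_request_target:` mapping form; the rule also matches `on: [..., pull_request_target, ...]` and bare `on: pull_request_target`, and neither appears here, so two of the three `pattern-inside` branches are untested. The `# ok` job proves only that a workflow with no checkout is quiet; the more useful negative fixture is an `actions/checkout` step without `ref:` inside the same `pull_request_target` workflow, since a checkout of the base repository's commit is exactly what the `ref: $EXPR` clause is meant to distinguish from a checkout of the incoming PR. A short comment on that fixture, e.g. `# ok: pull-request-target-code-checkout — no ref:, checks out the base repository`, would document the intent.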
@@ -0,0 +1,59 @@
+name: Test GitHub Actions Shell Injection
+
+on:
+ workflow_dispatch:
+ inputs:
+ message_to_print:
+ type: string
+ required: false
+ push:
+ branches: [main]
+
+env:
+ PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }}
+
+jobs:
+ test-job:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Safe command
+ # ok: run-shell-injection
+ run: echo "Hello World"
+
+ - name: unsafe command using workflow environment variable
+ # ok: run-shell-injection
+ run: echo "$PULL_REQUEST_TITLE"
+
+ - name: Unsafe command with direct input
+ # ruleid: run-shell-injection
+ run: |
+ MESSAGE=${{ github.event.inputs.message_to_print }}
+ eval "$MESSAGE"
+
+ - name: Safe PR title check
+ # ok: run-shell-injection
+ run: |
+ if [[ "$TITLE" =~ ^octocat ]]; then
+ echo "Valid title"
+ fi
+ env:
+ TITLE: ${{ github.event.pull_request.title }}
+
+
+ - name: Unsafe direct usage in command
+ # ruleid: run-shell-injection
+ run: |
+ curl ${{ github.event.inputs.url }} | bash
+
+ # ok: run-shell-injection
+ - name: Safe token usage
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh api --header "Authorization: Bearer $GITHUB_TOKEN"
+
+ - name: Unsafe artifact download
+ # ok: run-shell-injection
+ run: |
+ URL=${{ github.event.workflow_run.artifacts_url }}
+ wget "$URL" -O - | sh
\ No newline at end of file
diff --git a/packages/semgrep-action/rules/test/github-actions/workflow-run-target-code-checkout.test.yaml b/packages/semgrep-action/rules/test/github-actions/workflow-run-target-code-checkout.test.yaml
new file mode 100644
index 0000000..c4b7370
--- /dev/null
+++ b/packages/semgrep-action/rules/test/github-actions/workflow-run-target-code-checkout.test.yaml
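Review bot: The last step is named `Unsafe artifact download` but annotated `# ok: run-shell-injection`; the annotation is correct for the rule as written (`workflow_run.artifacts_url` is not in its `pattern-either` list), but the name says the opposite, so a reader will assume the rule is missing a finding. Either rename the step or add a comment such as `# ok: not in the rule's untrusted-input list; workflow_run data is covered by workflow-run-target-code-checkout`. The `# ok:` for `Safe token usage` also sits above `- name:` rather than directly above `run:` like every other annotation, which could matter if the test harness checks annotation placement, and the file lacks a trailing newline.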
@@ -0,0 +1,74 @@
+on:
+ # pull_request_target:
+ workflow_run:
+ workflows: ["smth-else"]
+ types:
+ - completed
+ pull_request:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ # ruleid: workflow-run-target-code-checkout
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.workflow_run.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+
+ build2:
+ name: Build and test 2
+ runs-on: ubuntu-latest
+ steps:
+ # ruleid: workflow-run-target-code-checkout
+ - uses: actions/checkout@v2.3.4
+ with:
+ ref: ${{ github.event.workflow_run.head.sha }}
+
+ - uses: actions/setup-node@v1
+ - run: |
+ npm install
+ npm build
+
+ - uses: completely/fakeaction@v2
+ with:
+ arg1: ${{ secrets.supersecret }}
+
+ - uses: fakerepo/comment-on-pr@v1
+ with:
+ message: |
+ Thank you!
+
+ this-is-safe-because-no-checkout:
+ name: Echo
+ runs-on: ubuntu-latest
+ steps:
+ # ok: workflow-run-target-code-checkout
+ - name: echo
+ run: |
+ echo "Hello, world"
+
+ spelling:
+ name: Spell checking
+ runs-on: ubuntu-latest
+ steps:
+ # ruleid: workflow-run-target-code-checkout
+ - name: checkout-merge
+ if: contains(github.event_name, 'pull_request')
+ uses: actions/checkout@v2
+ with:
+ ref: refs/pull/${{github.event.workflow_run.number}}/merge
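Review bot: The `ref:` values `${{ github.event.workflow_run.head.sha }}` and `${{github.event.workflow_run.number}}` look copied from the pull-request fixture with the event name swapped; as far as I recall the `workflow_run` payload exposes `head_sha`, `head_branch` and `pull_requests[].number` rather than `head.sha` or `number`, so the fixture still trips the `workflow_run ...` pattern but does not show the shape a maintainer would actually grep for. Suggest `ref: ${{ github.event.workflow_run.head_sha }}` in the two `build` jobs and `ref: refs/pull/${{ github.event.workflow_run.pull_requests[0].number }}/merge` in `spelling`, keeping the `# ruleid:` annotations as they are. The commented-out `# pull_request_target:` under `on:` reads as leftover scratch and should be dropped.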