Protect submodule in workflow

evertlammerts · evertlammerts · commit 2a0671ea81cb · 2025-09-04T11:38:02.000+02:00
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
@@ -19,25 +19,9 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  ensure_submodule_sanity:
-    name: Make sure we're not building with a fork
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout DuckDB Python
-        uses: actions/checkout@v4
-
-      - shell: bash
-        run: |
-          submodule_url=$(git config --file .gitmodules --get submodule.external/duckdb.url || true)
-          expected="github.com/duckdb/duckdb"
-          if [[ -z "$submodule_url" ]]; then
-            echo "::error::DuckDB submodule not found in .gitmodules"
-            exit 1
-          fi
-          if [[ "$submodule_url" != *"$expected"* ]]; then
-            echo "::error::DuckDB submodule must point to $expected, found: $submodule_url"
-            exit 1
-          fi
+  submodule_sanity_guard:
+    name: Make sure submodule is in a sane state
+    uses: .github/workflows/submodule_sanity.yml
 
   packaging_test:
     name: Build a minimal set of packages and run all tests on them
@@ -48,7 +32,7 @@ jobs:
     with:
       minimal: true
       testsuite: all
-      duckdb-git-ref: ${{ github.base_ref }}
+      duckdb-sha: ${{ github.base_ref }}
 
   coverage_test:
     name: Run coverage tests
diff --git a/.github/workflows/on_push_protected.yml b/.github/workflows/on_push_protected.yml
@@ -0,0 +1,10 @@
+name: Guard pushes to protected branches
+on:
+  push:
+    branches:
+      - main
+      - v*.*-*
+jobs:
+  submodule_sanity_guard:
+    name: Make sure submodule is in a sane state
+    uses: .github/workflows/submodule_sanity.yml
diff --git a/.github/workflows/packaging.yml b/.github/workflows/packaging.yml
@@ -16,15 +16,14 @@ on:
           - none
           - fast
           - all
-      git-ref:
+      duckdb-python-sha:
         type: string
-        description: Git ref of the DuckDB python package
+        description: The commit to build against (defaults to latest commit of current ref)
         required: false
-      duckdb-git-ref:
+      duckdb-sha:
         type: string
-        description: Git ref of DuckDB
-        required: true
-        default: refs/heads/main
+        description: Override the DuckDB submodule commit or ref to build against
+        required: false
       set-version:
         type: string
         description: Force version (vX.Y.Z-((rc|post)N))
@@ -40,13 +39,13 @@ on:
         description: Testsuite to run (none, fast, all)
         required: true
         default: all
-      git-ref:
+      duckdb-python-sha:
         type: string
-        description: Git ref of the DuckDB python package
+        description: The commit or ref to build against (defaults to latest commit of current ref)
         required: false
-      duckdb-git-ref:
+      duckdb-sha:
         type: string
-        description: Git ref of DuckDB
+        description: Override the DuckDB submodule commit or ref to build against
         required: false
       set-version:
         description: Force version (vX.Y.Z-((rc|post)N))
@@ -67,8 +66,8 @@ jobs:
     uses: ./.github/workflows/packaging_sdist.yml
     with:
       testsuite: all
-      git-ref: ${{ github.ref }}
-      duckdb-git-ref: ${{ inputs.duckdb-sha }}
+      duckdb-python-sha: ${{ inputs.duckdb-python-sha != '' && inputs.duckdb-python-sha || github.sha }}
+      duckdb-sha: ${{ inputs.duckdb-sha }}
       set-version: ${{ inputs.stable-version }}
 
   build_wheels:
@@ -77,6 +76,6 @@ jobs:
     with:
       minimal: false
       testsuite: all
-      git-ref: ${{ github.ref }}
-      duckdb-git-ref: ${{ inputs.duckdb-sha }}
+      duckdb-python-sha: ${{ inputs.duckdb-python-sha != '' && inputs.duckdb-python-sha || github.sha }}
+      duckdb-sha: ${{ inputs.duckdb-sha }}
       set-version: ${{ inputs.stable-version }}
diff --git a/.github/workflows/packaging_sdist.yml b/.github/workflows/packaging_sdist.yml
@@ -7,13 +7,13 @@ on:
         description: Testsuite to run (none, fast, all)
         required: true
         default: all
-      git-ref:
+      duckdb-python-sha:
         type: string
-        description: Git ref of the DuckDB python package
+        description: The commit or ref to build against (defaults to current ref)
         required: false
-      duckdb-git-ref:
+      duckdb-sha:
         type: string
-        description: Git ref of DuckDB
+        description: Override the DuckDB submodule commit or ref to build against
         required: false
       set-version:
         description: Force version (vX.Y.Z-((rc|post)N))
@@ -39,16 +39,17 @@ jobs:
       - name: Checkout DuckDB Python
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.git-ref }}
+          ref: ${{ inputs.duckdb-python-sha }}
           fetch-depth: 0
           submodules: true
 
       - name: Checkout DuckDB
         shell: bash
+        if: ${{ inputs.duckdb-sha }}
         run: |
           cd external/duckdb
           git fetch origin
-          git checkout ${{ inputs.duckdb-git-ref }}
+          git checkout ${{ inputs.duckdb-sha }}
 
       - name: Set OVERRIDE_GIT_DESCRIBE
         if: ${{ inputs.set-version != '' }}
diff --git a/.github/workflows/packaging_wheels.yml b/.github/workflows/packaging_wheels.yml
@@ -11,13 +11,13 @@ on:
         description: Testsuite to run (none, fast, all)
         required: true
         default: all
-      git-ref:
+      duckdb-python-sha:
         type: string
-        description: Git ref of the DuckDB python package
+        description: The commit or ref to build against (defaults to latest commit of current ref)
         required: false
-      duckdb-git-ref:
+      duckdb-sha:
         type: string
-        description: Git ref of DuckDB
+        description: Override the DuckDB submodule commit or ref to build against
         required: false
       set-version:
         description: Force version (vX.Y.Z-((rc|post)N))
@@ -59,16 +59,17 @@ jobs:
       - name: Checkout DuckDB Python
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.git-ref }}
+          ref: ${{ inputs.duckdb-python-sha }}
           fetch-depth: 0
           submodules: true
 
       - name: Checkout DuckDB
         shell: bash
+        if: ${{ inputs.duckdb-python-sha }}
         run: |
           cd external/duckdb
           git fetch origin
-          git checkout ${{ inputs.duckdb-git-ref }}
+          git checkout ${{ inputs.duckdb-python-sha }}
 
       # Make sure that OVERRIDE_GIT_DESCRIBE is propagated to cibuildwhel's env, also when it's running linux builds
       - name: Set OVERRIDE_GIT_DESCRIBE
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,9 +3,13 @@ name: Release
 on:
   workflow_dispatch:
     inputs:
+      duckdb-python-sha:
+        type: string
+        description: The commit to build against (defaults to latest commit of current ref)
+        required: false
       duckdb-sha:
         type: string
-        description: The DuckDB submodule commit to build against
+        description: The DuckDB submodule commit or ref to build against
         required: true
       stable-version:
         type: string
@@ -33,8 +37,8 @@ jobs:
     uses: ./.github/workflows/packaging_sdist.yml
     with:
       testsuite: all
-      git-ref: ${{ github.ref }}
-      duckdb-git-ref: ${{ inputs.duckdb-sha }}
+      duckdb-python-sha: ${{ inputs.duckdb-python-sha != '' && inputs.duckdb-python-sha || github.sha }}
+      duckdb-sha: ${{ inputs.duckdb-sha }}
       set-version: ${{ inputs.stable-version }}
 
   workflow_state:
@@ -111,8 +115,8 @@ jobs:
     with:
       minimal: false
       testsuite: all
-      git-ref: ${{ github.ref }}
-      duckdb-git-ref: ${{ inputs.duckdb-sha }}
+      duckdb-python-sha: ${{ inputs.duckdb-python-sha != '' && inputs.duckdb-python-sha || github.sha }}
+      duckdb-sha: ${{ inputs.duckdb-sha }}
       set-version: ${{ inputs.stable-version }}
 
   upload_s3:
diff --git a/.github/workflows/submodule.yml b/.github/workflows/submodule.yml
@@ -0,0 +1,42 @@
+name: Check DuckDB submodule sanity
+on:
+  workflow_call:
+  workflow_dispatch:
+jobs:
+  submodule_sanity:
+    name: Make sure submodule is in a sane state
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout DuckDB Python
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Verify submodule origin
+        shell: bash
+        run: |
+          set -eux
+          git submodule update --init
+          cd external/duckdb
+          remote_count=$(git remote | wc -l)
+          if [[ $remote_count -gt 1 ]]; then
+            echo "::error::Multiple remotes found - only origin allowed"
+            git remote -v
+          fi
+          origin_url=$(git remote get-url origin)
+          if [[ "$origin_url" != "https://github.com/duckdb/duckdb"* ]]; then
+            echo "::error::Submodule origin has been tampered with: $origin_url"
+            exit 1
+          fi
+
+      - name: Disallow changes to .gitmodules in PRs and pushes
+        if: ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}
+        shell: bash
+        run: |
+          set -eux
+          before=${{ github.event_name == 'push' && github.event.before || format('origin/{0}', github.base_ref) }}
+          after=${{ github.event_name == 'push' && github.event.after || github.head_ref }}
+          if git diff --name-only $before...$after | grep -q "^\.gitmodules$"; then
+            echo "::error::.gitmodules may not be modified. If you see a reason to update, please discuss with the maintainers."
+            exit 1
+          fi
