.github: allow upstream caller to run pre build script

rical · rical · commit 0b8d3307db86 · 2025-11-04T10:12:49.000+01:00
Allow a workflow caller to run pre-build scripts though a workflow
call variable. This is potentially dangerous as code can be injected
here. If for example a malicious actor wants to run there C2 code in
the context of someone else they could perhaps inject it here. I
assume this is protected by the same mecahism as the workflow files
themself. I.e. github users untrusted to the Infix org won't be able
to trigger workflows before being explicitly allowed to do so.

This patch also adds a checkout secret. This allows upstream callers
to fetch there own spin / fork though the infix workflows, if they
provide a checkout token with the correct permissions to do so.

Signed-off-by: Richard Alpe &lt;richard@bit42.se&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -36,6 +36,15 @@ on:
         required: false
         type: boolean
         default: true
+      pre_build_script:
+        required: false
+        type: string
+        default: ''
+        description: 'Optional script to run after checkout (for spin customization)'
+    secrets:
+      CHECKOUT_TOKEN:
+        required: false
+        description: 'Token for cross-repository access'
 
 env:
   NAME: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.name || inputs.name }}
@@ -77,6 +86,16 @@ jobs:
           clean: true
           fetch-depth: 0
           submodules: recursive
+          token: ${{ secrets.CHECKOUT_TOKEN || github.token }}
+
+      - name: Run pre-build script
+        if: ${{ inputs.pre_build_script != '' }}
+        run: |
+          cat > ./pre-build.sh << 'EOF'
+          ${{ inputs.pre_build_script }}
+          EOF
+          chmod +x ./pre-build.sh
+          bash ./pre-build.sh
 
       - name: Set Build Variables
         id: vars
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -29,6 +29,10 @@ on:
         required: false
         type: string
         default: 'test'
+    secrets:
+      CHECKOUT_TOKEN:
+        required: false
+        description: 'Token for cross-repository access'
 
 env:
   TARGET: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.target || inputs.target }}
@@ -59,6 +63,7 @@ jobs:
           clean: true
           fetch-depth: 0
           submodules: recursive
+          token: ${{ secrets.CHECKOUT_TOKEN || github.token }}
 
       - name: Set Build Variables
         id: vars
diff --git a/buildroot b/buildroot
@@ -1 +1 @@
-Subproject commit c32a08efd2824799ffb4fba4a7d713ec2c6bc8e9
+Subproject commit 658015549a8939565f8320a17e3a5189272c8277
