More secure

Author: trask

.github/workflows/auto-spotless-part-1.yml

@@ -0,0 +1,53 @@
+name: Auto spotless, part 1
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    outputs:
+      patch-created: ${{ steps.create-patch-file.outputs.nonempty }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Free disk space
+        run: .github/scripts/gha-free-disk-space.sh
+
+      - name: Set up JDK for running Gradle
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        with:
+          distribution: temurin
+          java-version-file: .java-version
+
+      - name: Check out PR branch
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh pr checkout ${{ github.event.pull_request.number }}
+
+      - name: Spotless
+        run: ./gradlew spotlessApply
+
+      - id: create-patch-file
+        name: Create patch file
+        run: |
+          git diff > patch
+          if [ -s patch ]; then
+            echo "nonempty=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload patch file
+        if: steps.create-patch-file.outputs.nonempty == 'true'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          path: patch
+          name: patch

.github/workflows/auto-spotless.yml renamed to .github/workflows/auto-spotless-part-2.yml

@@ -1,9 +1,10 @@
 name: Auto spotless
 on:
-  pull_request_target:
+  workflow_run:
+    workflows:
+      - "Auto spotless, part 1"
     types:
-      - opened
-      - synchronize
+      - completed
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -13,45 +14,6 @@ permissions:
   contents: read
 
 jobs:
-  check:
-    runs-on: ubuntu-latest
-    outputs:
-      patch-created: ${{ steps.create-patch-file.outputs.nonempty }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Free disk space
-        run: .github/scripts/gha-free-disk-space.sh
-
-      - name: Set up JDK for running Gradle
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          distribution: temurin
-          java-version-file: .java-version
-
-      - name: Check out PR branch
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh pr checkout ${{ github.event.pull_request.number }}
-
-      - name: Spotless
-        run: ./gradlew spotlessApply
-
-      - id: create-patch-file
-        name: Create patch file
-        run: |
-          git diff > patch
-          if [ -s patch ]; then
-            echo "nonempty=true" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Upload patch file
-        if: steps.create-patch-file.outputs.nonempty == 'true'
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          path: patch
-          name: patch
-
   apply:
     runs-on: ubuntu-latest
     needs: check
@@ -60,18 +22,44 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+      - name: Download patch
+        uses: actions/[email protected]
+        with:
+          # this script copied from
+          # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#using-data-from-the-triggering-workflow
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "patch"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip'
+            });
+            const fs = require('fs');
+            const path = require('path');
+            const temp = '${{ runner.temp }}/artifacts';
+            if (!fs.existsSync(temp)){
+              fs.mkdirSync(temp);
+            }
+            fs.writeFileSync(path.join(temp, 'patch.zip'), Buffer.from(download.data));
+
+      - name: Unzip patch
+        run: unzip patch.zip -d "${{ runner.temp }}/artifacts"
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Check out PR branch
         env:
           GH_TOKEN: ${{ github.token }}
         run: gh pr checkout ${{ github.event.pull_request.number }}
 
-      - name: Download patch
-        uses: actions/download-artifact@v4
-        with:
-          name: patch
-
       - name: Use CLA approved github bot
         # IMPORTANT do not call the .github/scripts/use-cla-approved-bot.sh
         # since that script could have been compromised in the PR branch
@@ -89,7 +77,7 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
         run: |
-          git apply patch
+          git apply "${{ runner.temp }}/artifacts/patch"
           git commit -a -m "./gradlew spotlessApply"
           git push