mirror of
https://github.com/actions/checkout.git
synced 2026-07-15 22:33:03 +02:00
Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 12cd2235ef | |||
| 62661c4e71 | |||
| e8d4307400 | |||
| 631c942040 | |||
| 4f1f4aec02 | |||
| ba097532fb | |||
| b9e0990d21 | |||
| e8cb398be4 | |||
| 5de26ee9b1 | |||
| 79102f2503 |
@@ -1,3 +0,0 @@
|
|||||||
dist/
|
|
||||||
lib/
|
|
||||||
node_modules/
|
|
||||||
@@ -1,53 +0,0 @@
|
|||||||
{
|
|
||||||
"plugins": ["jest", "@typescript-eslint"],
|
|
||||||
"extends": ["plugin:github/recommended"],
|
|
||||||
"parser": "@typescript-eslint/parser",
|
|
||||||
"parserOptions": {
|
|
||||||
"ecmaVersion": 9,
|
|
||||||
"sourceType": "module",
|
|
||||||
"project": "./tsconfig.json"
|
|
||||||
},
|
|
||||||
"rules": {
|
|
||||||
"eslint-comments/no-use": "off",
|
|
||||||
"import/no-namespace": "off",
|
|
||||||
"no-unused-vars": "off",
|
|
||||||
"@typescript-eslint/no-unused-vars": "error",
|
|
||||||
"@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
|
|
||||||
"@typescript-eslint/no-require-imports": "error",
|
|
||||||
"@typescript-eslint/array-type": "error",
|
|
||||||
"@typescript-eslint/await-thenable": "error",
|
|
||||||
"camelcase": "off",
|
|
||||||
"@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
|
|
||||||
"@typescript-eslint/func-call-spacing": ["error", "never"],
|
|
||||||
"@typescript-eslint/no-array-constructor": "error",
|
|
||||||
"@typescript-eslint/no-empty-interface": "error",
|
|
||||||
"@typescript-eslint/no-explicit-any": "error",
|
|
||||||
"@typescript-eslint/no-extraneous-class": "error",
|
|
||||||
"@typescript-eslint/no-floating-promises": "error",
|
|
||||||
"@typescript-eslint/no-for-in-array": "error",
|
|
||||||
"@typescript-eslint/no-inferrable-types": "error",
|
|
||||||
"@typescript-eslint/no-misused-new": "error",
|
|
||||||
"@typescript-eslint/no-namespace": "error",
|
|
||||||
"@typescript-eslint/no-non-null-assertion": "warn",
|
|
||||||
"@typescript-eslint/no-unnecessary-qualifier": "error",
|
|
||||||
"@typescript-eslint/no-unnecessary-type-assertion": "error",
|
|
||||||
"@typescript-eslint/no-useless-constructor": "error",
|
|
||||||
"@typescript-eslint/no-var-requires": "error",
|
|
||||||
"@typescript-eslint/prefer-for-of": "warn",
|
|
||||||
"@typescript-eslint/prefer-function-type": "warn",
|
|
||||||
"@typescript-eslint/prefer-includes": "error",
|
|
||||||
"@typescript-eslint/prefer-string-starts-ends-with": "error",
|
|
||||||
"@typescript-eslint/promise-function-async": "error",
|
|
||||||
"@typescript-eslint/require-array-sort-compare": "error",
|
|
||||||
"@typescript-eslint/restrict-plus-operands": "error",
|
|
||||||
"semi": "off",
|
|
||||||
"@typescript-eslint/semi": ["error", "never"],
|
|
||||||
"@typescript-eslint/type-annotation-spacing": "error",
|
|
||||||
"@typescript-eslint/unbound-method": "error"
|
|
||||||
},
|
|
||||||
"env": {
|
|
||||||
"node": true,
|
|
||||||
"es6": true,
|
|
||||||
"jest/globals": true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -22,10 +22,10 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v7
|
||||||
|
|
||||||
- name: Set Node.js 24.x
|
- name: Set Node.js 24.x
|
||||||
uses: actions/setup-node@v4
|
uses: actions/setup-node@v6
|
||||||
with:
|
with:
|
||||||
node-version: 24.x
|
node-version: 24.x
|
||||||
|
|
||||||
@@ -44,7 +44,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# If dist/ was different than expected, upload the expected version as an artifact
|
# If dist/ was different than expected, upload the expected version as an artifact
|
||||||
- uses: actions/upload-artifact@v4
|
- uses: actions/upload-artifact@v7
|
||||||
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
||||||
with:
|
with:
|
||||||
name: dist
|
name: dist
|
||||||
|
|||||||
@@ -39,10 +39,10 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
|
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
uses: github/codeql-action/init@v3
|
uses: github/codeql-action/init@v4
|
||||||
with:
|
with:
|
||||||
languages: ${{ matrix.language }}
|
languages: ${{ matrix.language }}
|
||||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||||
@@ -55,4 +55,4 @@ jobs:
|
|||||||
- run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
|
- run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
|
||||||
|
|
||||||
- name: Perform CodeQL Analysis
|
- name: Perform CodeQL Analysis
|
||||||
uses: github/codeql-action/analyze@v3
|
uses: github/codeql-action/analyze@v4
|
||||||
|
|||||||
@@ -9,6 +9,6 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
name: Check licenses
|
name: Check licenses
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v7
|
||||||
- run: npm ci
|
- run: npm ci
|
||||||
- run: npm run licensed-check
|
- run: npm run licensed-check
|
||||||
@@ -14,7 +14,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checking out
|
- name: Checking out
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
- name: Publish
|
- name: Publish
|
||||||
id: publish
|
id: publish
|
||||||
uses: actions/publish-immutable-action@v0.0.4
|
uses: actions/publish-immutable-action@v0.0.4
|
||||||
|
|||||||
@@ -16,10 +16,10 @@ jobs:
|
|||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v6
|
||||||
with:
|
with:
|
||||||
node-version: 24.x
|
node-version: 24.x
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v7
|
||||||
- run: npm ci
|
- run: npm ci
|
||||||
- run: npm run build
|
- run: npm run build
|
||||||
- run: npm run format-check
|
- run: npm run format-check
|
||||||
@@ -37,7 +37,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
# Clone this repo
|
# Clone this repo
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
|
|
||||||
# Basic checkout
|
# Basic checkout
|
||||||
- name: Checkout basic
|
- name: Checkout basic
|
||||||
@@ -229,7 +229,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
# Clone this repo
|
# Clone this repo
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
|
|
||||||
# Basic checkout using git
|
# Basic checkout using git
|
||||||
- name: Checkout basic
|
- name: Checkout basic
|
||||||
@@ -261,7 +261,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
# Clone this repo
|
# Clone this repo
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
|
|
||||||
# Basic checkout using git
|
# Basic checkout using git
|
||||||
- name: Checkout basic
|
- name: Checkout basic
|
||||||
@@ -291,7 +291,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
# Clone this repo
|
# Clone this repo
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
with:
|
with:
|
||||||
path: localClone
|
path: localClone
|
||||||
|
|
||||||
@@ -319,7 +319,7 @@ jobs:
|
|||||||
|
|
||||||
# needed to make checkout post cleanup succeed
|
# needed to make checkout post cleanup succeed
|
||||||
- name: Fix Checkout v6
|
- name: Fix Checkout v6
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
with:
|
with:
|
||||||
path: localClone
|
path: localClone
|
||||||
|
|
||||||
@@ -328,7 +328,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
# Clone this repo
|
# Clone this repo
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
with:
|
with:
|
||||||
path: actions-checkout
|
path: actions-checkout
|
||||||
|
|
||||||
|
|||||||
@@ -23,7 +23,7 @@ jobs:
|
|||||||
# Note this update workflow can also be used as a rollback tool.
|
# Note this update workflow can also be used as a rollback tool.
|
||||||
# For that reason, it's best to pin `actions/checkout` to a known, stable version
|
# For that reason, it's best to pin `actions/checkout` to a known, stable version
|
||||||
# (typically, about two releases back).
|
# (typically, about two releases back).
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v7
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
- name: Git config
|
- name: Git config
|
||||||
|
|||||||
@@ -26,12 +26,12 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v7
|
||||||
|
|
||||||
# Use `docker/login-action` to log in to GHCR.io.
|
# Use `docker/login-action` to log in to GHCR.io.
|
||||||
# Once published, the packages are scoped to the account defined here.
|
# Once published, the packages are scoped to the account defined here.
|
||||||
- name: Log in to the ghcr.io container registry
|
- name: Log in to the ghcr.io container registry
|
||||||
uses: docker/login-action@v3.3.0
|
uses: docker/login-action@v4.4.0
|
||||||
with:
|
with:
|
||||||
registry: ${{ env.REGISTRY }}
|
registry: ${{ env.REGISTRY }}
|
||||||
username: ${{ github.actor }}
|
username: ${{ github.actor }}
|
||||||
@@ -48,7 +48,7 @@ jobs:
|
|||||||
|
|
||||||
# Use `docker/build-push-action` to build (and optionally publish) the image.
|
# Use `docker/build-push-action` to build (and optionally publish) the image.
|
||||||
- name: Build Docker Image (with optional Push)
|
- name: Build Docker Image (with optional Push)
|
||||||
uses: docker/build-push-action@v6.5.0
|
uses: docker/build-push-action@v7.3.0
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
file: images/test-ubuntu-git.Dockerfile
|
file: images/test-ubuntu-git.Dockerfile
|
||||||
|
|||||||
@@ -24,9 +24,20 @@ const mockGithubContext: any = {
|
|||||||
payload: {}
|
payload: {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Replicate @actions/core getInput behavior: it trims whitespace by default
|
||||||
|
// (String.prototype.trim(), which strips characters such as a leading U+FEFF BOM)
|
||||||
|
// unless trimWhitespace is explicitly set to false.
|
||||||
|
const getInputImpl = (name: string, options?: {trimWhitespace?: boolean}) => {
|
||||||
|
const val = inputs[name] ?? ''
|
||||||
|
if (options && options.trimWhitespace === false) {
|
||||||
|
return val
|
||||||
|
}
|
||||||
|
return typeof val === 'string' ? val.trim() : val
|
||||||
|
}
|
||||||
|
|
||||||
// Mock @actions/core before loading input-helper
|
// Mock @actions/core before loading input-helper
|
||||||
jest.unstable_mockModule('@actions/core', () => ({
|
jest.unstable_mockModule('@actions/core', () => ({
|
||||||
getInput: jest.fn((name: string) => inputs[name]),
|
getInput: jest.fn(getInputImpl),
|
||||||
getBooleanInput: jest.fn((name: string) => inputs[name]),
|
getBooleanInput: jest.fn((name: string) => inputs[name]),
|
||||||
getMultilineInput: jest.fn((name: string) =>
|
getMultilineInput: jest.fn((name: string) =>
|
||||||
inputs[name] ? String(inputs[name]).split('\n').filter(Boolean) : []
|
inputs[name] ? String(inputs[name]).split('\n').filter(Boolean) : []
|
||||||
@@ -76,9 +87,7 @@ describe('input-helper tests', () => {
|
|||||||
inputs = {}
|
inputs = {}
|
||||||
jest.clearAllMocks()
|
jest.clearAllMocks()
|
||||||
// Re-apply default mocks
|
// Re-apply default mocks
|
||||||
;(core.getInput as jest.Mock<any>).mockImplementation(
|
;(core.getInput as jest.Mock<any>).mockImplementation(getInputImpl as any)
|
||||||
(name: string) => inputs[name]
|
|
||||||
)
|
|
||||||
mockDirectoryExistsSync.mockImplementation(
|
mockDirectoryExistsSync.mockImplementation(
|
||||||
(p: string) => p === gitHubWorkspace
|
(p: string) => p === gitHubWorkspace
|
||||||
)
|
)
|
||||||
@@ -176,8 +185,84 @@ describe('input-helper tests', () => {
|
|||||||
expect(settings.commit).toBeFalsy()
|
expect(settings.commit).toBeFalsy()
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it('does not reclassify a ref as sha when a BOM is prefixed', async () => {
|
||||||
|
// A fork branch named "<U+FEFF>" + 40 hex chars. core.getInput trims the
|
||||||
|
// BOM by default, which previously collapsed this into a bare SHA and
|
||||||
|
// bypassed the unsafe fork PR checkout guard.
|
||||||
|
inputs.ref = '\uFEFF522d932fae5296da51fdf431934425ecf891c6a2'
|
||||||
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
|
expect(settings.commit).toBeFalsy()
|
||||||
|
expect(settings.ref).toBe('522d932fae5296da51fdf431934425ecf891c6a2')
|
||||||
|
})
|
||||||
|
|
||||||
|
it('does not reclassify a sha-256 ref as sha when a BOM is prefixed', async () => {
|
||||||
|
inputs.ref =
|
||||||
|
'\uFEFF1111111111222222222233333333334444444444555555555566666666667777'
|
||||||
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
|
expect(settings.commit).toBeFalsy()
|
||||||
|
expect(settings.ref).toBe(
|
||||||
|
'1111111111222222222233333333334444444444555555555566666666667777'
|
||||||
|
)
|
||||||
|
})
|
||||||
|
|
||||||
|
it('treats a sha surrounded by ascii whitespace as a commit', async () => {
|
||||||
|
// ASCII whitespace can only come from the workflow author's YAML (git ref
|
||||||
|
// names cannot contain it), so trimming it and treating the value as a
|
||||||
|
// commit is safe.
|
||||||
|
inputs.ref = ' 1111111111222222222233333333334444444444 '
|
||||||
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
|
expect(settings.ref).toBeFalsy()
|
||||||
|
expect(settings.commit).toBe('1111111111222222222233333333334444444444')
|
||||||
|
})
|
||||||
|
|
||||||
it('sets workflow organization ID', async () => {
|
it('sets workflow organization ID', async () => {
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
expect(settings.workflowOrganizationId).toBe(123456)
|
expect(settings.workflowOrganizationId).toBe(123456)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
describe('unsafe PR checkout guard', () => {
|
||||||
|
const forkPayload = {
|
||||||
|
repository: {id: 100},
|
||||||
|
pull_request: {
|
||||||
|
head: {
|
||||||
|
sha: '1234567890123456789012345678901234567890',
|
||||||
|
repo: {id: 200, full_name: 'attacker/fork'}
|
||||||
|
},
|
||||||
|
merge_commit_sha: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
it('allows the default self-checkout on a fork pull_request_target', async () => {
|
||||||
|
const originalEvent = mockGithubContext.eventName
|
||||||
|
const originalPayload = mockGithubContext.payload
|
||||||
|
try {
|
||||||
|
mockGithubContext.eventName = 'pull_request_target'
|
||||||
|
mockGithubContext.payload = forkPayload
|
||||||
|
// Simulate a rebase/fast-forward merge where the base tip (event SHA)
|
||||||
|
// equals the PR head SHA. The default self-checkout must still succeed.
|
||||||
|
mockGithubContext.sha = '1234567890123456789012345678901234567890'
|
||||||
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
|
expect(settings.commit).toBe('1234567890123456789012345678901234567890')
|
||||||
|
} finally {
|
||||||
|
mockGithubContext.eventName = originalEvent
|
||||||
|
mockGithubContext.payload = originalPayload
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
it('refuses an explicit fork repository on pull_request_target', async () => {
|
||||||
|
const originalEvent = mockGithubContext.eventName
|
||||||
|
const originalPayload = mockGithubContext.payload
|
||||||
|
try {
|
||||||
|
mockGithubContext.eventName = 'pull_request_target'
|
||||||
|
mockGithubContext.payload = forkPayload
|
||||||
|
inputs.repository = 'attacker/fork'
|
||||||
|
await expect(inputHelper.getInputs()).rejects.toThrow(
|
||||||
|
/Refusing to check out fork pull request code/
|
||||||
|
)
|
||||||
|
} finally {
|
||||||
|
mockGithubContext.eventName = originalEvent
|
||||||
|
mockGithubContext.payload = originalPayload
|
||||||
|
}
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|||||||
Vendored
+31
-8
@@ -42100,6 +42100,22 @@ async function getInputs() {
|
|||||||
`${github_context.repo.owner}/${github_context.repo.repo}`.toUpperCase();
|
`${github_context.repo.owner}/${github_context.repo.repo}`.toUpperCase();
|
||||||
// Source branch, source version
|
// Source branch, source version
|
||||||
result.ref = getInput('ref');
|
result.ref = getInput('ref');
|
||||||
|
// core.getInput()'s default trim strips a range of Unicode characters such as a
|
||||||
|
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
|
||||||
|
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
|
||||||
|
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
|
||||||
|
// guard.
|
||||||
|
//
|
||||||
|
// The trim below strips only the ASCII whitespace characters which are all forbidden
|
||||||
|
// in a git branch name.
|
||||||
|
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
|
||||||
|
// \n U+000A line feed - ASCII control, forbidden in ref names
|
||||||
|
// \v U+000B vertical tab - ASCII control, forbidden in ref names
|
||||||
|
// \f U+000C form feed - ASCII control, forbidden in ref names
|
||||||
|
// \r U+000D carriage return - ASCII control, forbidden in ref names
|
||||||
|
// ' ' U+0020 space - forbidden in ref names
|
||||||
|
const asciiTrimmedRef = getInput('ref', { trimWhitespace: false })
|
||||||
|
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '');
|
||||||
if (!result.ref) {
|
if (!result.ref) {
|
||||||
if (isWorkflowRepository) {
|
if (isWorkflowRepository) {
|
||||||
result.ref = github_context.ref;
|
result.ref = github_context.ref;
|
||||||
@@ -42112,8 +42128,8 @@ async function getInputs() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// SHA?
|
// SHA?
|
||||||
else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
else if (asciiTrimmedRef.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
||||||
result.commit = result.ref;
|
result.commit = asciiTrimmedRef;
|
||||||
result.ref = '';
|
result.ref = '';
|
||||||
}
|
}
|
||||||
core_debug(`ref = '${result.ref}'`);
|
core_debug(`ref = '${result.ref}'`);
|
||||||
@@ -42191,12 +42207,19 @@ async function getInputs() {
|
|||||||
(getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
(getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
||||||
'TRUE';
|
'TRUE';
|
||||||
core_debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
core_debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
||||||
assertSafePrCheckout({
|
// The default self-checkout (this repository with no explicit ref) always
|
||||||
qualifiedRepository,
|
// resolves to the trusted ref/commit GitHub set for the triggering event, so
|
||||||
ref: result.ref,
|
// the fork-checkout guard only needs to run when the caller customized the
|
||||||
commit: result.commit,
|
// repository or ref.
|
||||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
const isDefaultCheckout = isWorkflowRepository && !getInput('ref');
|
||||||
});
|
if (!isDefaultCheckout) {
|
||||||
|
assertSafePrCheckout({
|
||||||
|
qualifiedRepository,
|
||||||
|
ref: result.ref,
|
||||||
|
commit: result.commit,
|
||||||
|
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||||
|
});
|
||||||
|
}
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,62 @@
|
|||||||
|
import github from 'eslint-plugin-github'
|
||||||
|
import jest from 'eslint-plugin-jest'
|
||||||
|
|
||||||
|
const githubConfigs = github.getFlatConfigs()
|
||||||
|
|
||||||
|
export default [
|
||||||
|
{
|
||||||
|
ignores: ['**/node_modules/**', '**/lib/**', '**/dist/**']
|
||||||
|
},
|
||||||
|
githubConfigs.recommended,
|
||||||
|
...githubConfigs.typescript,
|
||||||
|
{
|
||||||
|
files: ['**/*.ts'],
|
||||||
|
languageOptions: {
|
||||||
|
parserOptions: {
|
||||||
|
project: './tsconfig.json'
|
||||||
|
}
|
||||||
|
},
|
||||||
|
rules: {
|
||||||
|
'eslint-comments/no-use': 'off',
|
||||||
|
'import/no-namespace': 'off',
|
||||||
|
'no-unused-vars': 'off',
|
||||||
|
'@typescript-eslint/no-unused-vars': 'error',
|
||||||
|
'@typescript-eslint/explicit-member-accessibility': [
|
||||||
|
'error',
|
||||||
|
{accessibility: 'no-public'}
|
||||||
|
],
|
||||||
|
'@typescript-eslint/no-require-imports': 'error',
|
||||||
|
'@typescript-eslint/array-type': 'error',
|
||||||
|
'@typescript-eslint/await-thenable': 'error',
|
||||||
|
camelcase: 'off',
|
||||||
|
'@typescript-eslint/explicit-function-return-type': [
|
||||||
|
'error',
|
||||||
|
{allowExpressions: true}
|
||||||
|
],
|
||||||
|
'@typescript-eslint/no-array-constructor': 'error',
|
||||||
|
'@typescript-eslint/no-explicit-any': 'error',
|
||||||
|
'@typescript-eslint/no-extraneous-class': 'error',
|
||||||
|
'@typescript-eslint/no-floating-promises': 'error',
|
||||||
|
'@typescript-eslint/no-for-in-array': 'error',
|
||||||
|
'@typescript-eslint/no-inferrable-types': 'error',
|
||||||
|
'@typescript-eslint/no-misused-new': 'error',
|
||||||
|
'@typescript-eslint/no-namespace': 'error',
|
||||||
|
'@typescript-eslint/no-non-null-assertion': 'warn',
|
||||||
|
'@typescript-eslint/no-unnecessary-qualifier': 'error',
|
||||||
|
'@typescript-eslint/no-unnecessary-type-assertion': 'error',
|
||||||
|
'@typescript-eslint/no-useless-constructor': 'error',
|
||||||
|
'@typescript-eslint/prefer-for-of': 'warn',
|
||||||
|
'@typescript-eslint/prefer-function-type': 'warn',
|
||||||
|
'@typescript-eslint/prefer-includes': 'error',
|
||||||
|
'@typescript-eslint/prefer-string-starts-ends-with': 'error',
|
||||||
|
'@typescript-eslint/promise-function-async': 'error',
|
||||||
|
'@typescript-eslint/require-array-sort-compare': 'error',
|
||||||
|
'@typescript-eslint/restrict-plus-operands': 'error',
|
||||||
|
'@typescript-eslint/unbound-method': 'error'
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
files: ['__test__/**/*.ts'],
|
||||||
|
...jest.configs['flat/recommended']
|
||||||
|
}
|
||||||
|
]
|
||||||
Generated
+1913
-1074
File diff suppressed because it is too large
Load Diff
+5
-5
@@ -41,12 +41,12 @@
|
|||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@types/jest": "^29.5.12",
|
"@types/jest": "^29.5.12",
|
||||||
"@types/node": "^24.1.0",
|
"@types/node": "^24.1.0",
|
||||||
"@typescript-eslint/eslint-plugin": "^7.9.0",
|
"@typescript-eslint/eslint-plugin": "^8.54.0",
|
||||||
"@typescript-eslint/parser": "^7.9.0",
|
"@typescript-eslint/parser": "^8.54.0",
|
||||||
"@vercel/ncc": "^0.44.0",
|
"@vercel/ncc": "^0.44.0",
|
||||||
"eslint": "^8.57.0",
|
"eslint": "^9.39.2",
|
||||||
"eslint-plugin-github": "^4.10.2",
|
"eslint-plugin-github": "^6.0.0",
|
||||||
"eslint-plugin-jest": "^28.8.2",
|
"eslint-plugin-jest": "^29.12.1",
|
||||||
"jest": "^29.7.0",
|
"jest": "^29.7.0",
|
||||||
"js-yaml": "^4.2.0",
|
"js-yaml": "^4.2.0",
|
||||||
"prettier": "^3.8.4",
|
"prettier": "^3.8.4",
|
||||||
|
|||||||
+32
-8
@@ -59,6 +59,23 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
|
|
||||||
// Source branch, source version
|
// Source branch, source version
|
||||||
result.ref = core.getInput('ref')
|
result.ref = core.getInput('ref')
|
||||||
|
// core.getInput()'s default trim strips a range of Unicode characters such as a
|
||||||
|
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
|
||||||
|
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
|
||||||
|
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
|
||||||
|
// guard.
|
||||||
|
//
|
||||||
|
// The trim below strips only the ASCII whitespace characters which are all forbidden
|
||||||
|
// in a git branch name.
|
||||||
|
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
|
||||||
|
// \n U+000A line feed - ASCII control, forbidden in ref names
|
||||||
|
// \v U+000B vertical tab - ASCII control, forbidden in ref names
|
||||||
|
// \f U+000C form feed - ASCII control, forbidden in ref names
|
||||||
|
// \r U+000D carriage return - ASCII control, forbidden in ref names
|
||||||
|
// ' ' U+0020 space - forbidden in ref names
|
||||||
|
const asciiTrimmedRef = core
|
||||||
|
.getInput('ref', {trimWhitespace: false})
|
||||||
|
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '')
|
||||||
if (!result.ref) {
|
if (!result.ref) {
|
||||||
if (isWorkflowRepository) {
|
if (isWorkflowRepository) {
|
||||||
result.ref = github.context.ref
|
result.ref = github.context.ref
|
||||||
@@ -72,8 +89,8 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// SHA?
|
// SHA?
|
||||||
else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
else if (asciiTrimmedRef.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
||||||
result.commit = result.ref
|
result.commit = asciiTrimmedRef
|
||||||
result.ref = ''
|
result.ref = ''
|
||||||
}
|
}
|
||||||
core.debug(`ref = '${result.ref}'`)
|
core.debug(`ref = '${result.ref}'`)
|
||||||
@@ -168,12 +185,19 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
'TRUE'
|
'TRUE'
|
||||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
||||||
|
|
||||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
// The default self-checkout (this repository with no explicit ref) always
|
||||||
qualifiedRepository,
|
// resolves to the trusted ref/commit GitHub set for the triggering event, so
|
||||||
ref: result.ref,
|
// the fork-checkout guard only needs to run when the caller customized the
|
||||||
commit: result.commit,
|
// repository or ref.
|
||||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
const isDefaultCheckout = isWorkflowRepository && !core.getInput('ref')
|
||||||
})
|
if (!isDefaultCheckout) {
|
||||||
|
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||||
|
qualifiedRepository,
|
||||||
|
ref: result.ref,
|
||||||
|
commit: result.commit,
|
||||||
|
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user