mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
bdb770a0aa
The prepare workflow already runs in an untrusted context and thus should not have anything worthwhile to exploit. However, care should still be taken to avoid directly interpolating expressions into shell scripts when their value is data a user can control, especially to avoid any maintainer referencing an existing workflow copying a risky snippet while unaware of the different security contexts for workflows. In this case, as per the GitHub documentation and the referenced issue comment, the PR title is user-controllable data which, if directly interpolated into the shell script being run (as it previously was), allows injecting commands to execute.
78 lines
3.6 KiB
YAML
name: 'Documentation (PR)'

on:
  pull_request:
    paths:
      - 'docs/**'
      - '.github/workflows/scripts/docs/build-docs.sh'
      - '.github/workflows/docs-preview-prepare.yml'

# If the workflow for a PR is triggered multiple times, previous existing runs will be canceled.
# eg: Applying multiple suggestions from a review directly via the Github UI.
# Instances of the 2nd phase of this workflow (via `workflow_run`) presently lack concurrency limits due to added complexity.
concurrency:
  group: deploypreview-pullrequest-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# `pull_request` workflow is unreliable alone: Non-collaborator contributions lack access to secrets for security reasons.
# A separate workflow (docs-preview-deploy.yml) handles the deploy after the potentially untrusted code is first run in this workflow.
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
jobs:
  prepare-preview:
    name: 'Build Preview'
    runs-on: ubuntu-20.04
    env:
      BUILD_DIR: docs/site
      NETLIFY_SITE_PREFIX: pullrequest-${{ github.event.pull_request.number }}
      NETLIFY_SITE_NAME: dms-doc-previews
    steps:
      - uses: actions/checkout@v2.4.0

      - name: 'Build with mkdocs-material via Docker'
        working-directory: docs
        env:
          PREVIEW_URL: 'https://${NETLIFY_SITE_PREFIX}--${NETLIFY_SITE_NAME}.netlify.app/'
          NETLIFY_BRANDING: '<a href="https://www.netlify.com/"><img alt="Deploys by Netlify" src="https://www.netlify.com/img/global/badges/netlify-color-accent.svg" style="float: right;"></a>'
        run: |
          # Adjust mkdocs.yml for preview build
          sed -i "s|^site_url:.*|site_url: '${PREVIEW_URL}'|" mkdocs.yml

          # Insert sponsor branding into page content (Provider OSS plan requirement):
          # Upstream does not provide a nicer maintainable way to do this..
          # Prepends HTML to copyright text and then aligns to the right side.
          sed -i "s|^copyright: '|copyright: '${NETLIFY_BRANDING}|" mkdocs.yml
          # Need to override a CSS media query for parent element to always be full width:
          echo '.md-footer-copyright { width: 100%; }' >> content/assets/css/customizations.css

          ../.github/workflows/scripts/docs/build-docs.sh

      # ============================== #
      # Volley over to secure workflow #
      # ============================== #

      # Minimize risk of upload failure by bundling files to a single compressed archive (tar + zstd).
      # Bundles build dir and env file into a compressed archive, nested file paths will be preserved.
      - name: 'Prepare artifact for transfer'
        env:
          # As a precaution, reference this value by an interpolated ENV var;
          # instead of interpolating user controllable input directly in the shell script..
          # https://github.com/docker-mailserver/docker-mailserver/issues/2332#issuecomment-998326798
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          # Save ENV for transfer
          {
            echo "PR_HEADSHA=${{ github.event.pull_request.head.sha }}"
            echo "PR_NUMBER=${{ github.event.pull_request.number }}"
            echo "PR_TITLE=${PR_TITLE}"
            echo "NETLIFY_SITE_PREFIX=${{ env.NETLIFY_SITE_PREFIX }}"
            echo "BUILD_DIR=${{ env.BUILD_DIR }}"
          } >> pr.env
          tar --zstd -cf artifact.tar.zst pr.env ${{ env.BUILD_DIR }}

      - name: 'Upload artifact for workflow transfer'
        uses: actions/upload-artifact@v2
        with:
          name: preview-build
          path: artifact.tar.zst
          retention-days: 1
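The following script is an added example and is not code from the docker-mailserver repository or its workflows. It reproduces, locally and without GitHub Actions, the difference between the old `echo "PR_TITLE=${{ github.event.pull_request.title }}"` step and the hardened `PR_TITLE` env-var form above. The runner substitutes a `${{ ... }}` expression into the `run:` script text before the shell parses it, which is what `run_unsafe_step` emulates; the PR title, scratch directory and marker file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the docker-mailserver repository. It emulates how
# the GitHub Actions runner treats `${{ github.event.pull_request.title }}` in
# a `run:` step: the expression is substituted into the script *text* before
# the shell parses it. The title, scratch paths and marker file are constructed.

# Constructed attacker-chosen PR title. The `"` closes the quoted string the
# workflow wrapped the title in, `;` terminates the echo, an arbitrary command
# runs, and `echo "` reopens a quoted string so the rest of the line still parses.
MALICIOUS_TITLE='fix typo"; touch "$MARKER"; echo "'

# Old step (before the commit): `echo "PR_TITLE=${{ ...title }}"` becomes a
# script whose source already contains the title, i.e. plain string concatenation.
#   $1 = PR title, $2 = env file to write, $3 = marker an injected command creates
run_unsafe_step() {
  script=$(printf 'echo "PR_TITLE=%s" >> "$OUT"' "$1")
  OUT=$2 MARKER=$3 sh -c "$script"
}

# New step (after the commit): the title reaches the shell only as the
# environment variable PR_TITLE; the script text is a constant, so the shell
# expands the variable as data and never parses the title as code.
run_safe_step() {
  PR_TITLE=$1 OUT=$2 MARKER=$3 sh -c 'echo "PR_TITLE=${PR_TITLE}" >> "$OUT"'
}

# Runs one step in a scratch directory and reports whether the marker file
# appeared, i.e. whether part of the title was executed as a command.
#   $1 = step function name; prints "injected" or "clean"
probe() {
  dir=$(mktemp -d)
  "$1" "$MALICIOUS_TITLE" "$dir/pr.env" "$dir/pwned" >/dev/null
  if [ -e "$dir/pwned" ]; then echo injected; else echo clean; fi
  rm -rf "$dir"
}

echo "unsafe step: $(probe run_unsafe_step)"   # injected
echo "safe step:   $(probe run_safe_step)"     # clean
```

The same rule covers every free-form field of the event payload (PR body, branch name, commit messages, author names); `head.sha` and `number` have a fixed format, which is why the workflow above can interpolate them directly. Note that the hardened step still writes the raw title into `pr.env`: if the deploy workflow were to `source` that file as shell, a title containing a newline could smuggle in an extra assignment, so the consuming side should parse it as data rather than execute it.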