8a21a212f8
Deploy Documentation / deploy (push) Has been cancelled
Canary / build-cli (push) Has been skipped
Canary / Upload Install Script (push) Has been skipped
Canary / bundle-desktop (push) Has been skipped
Canary / bundle-desktop-intel (push) Has been skipped
Canary / bundle-desktop-linux (push) Has been skipped
Canary / bundle-desktop-windows (push) Has been skipped
Canary / bundle-desktop-windows-cuda (push) Has been skipped
Canary / Release (push) Has been skipped
Cargo Deny / deny (push) Has been skipped
Unused Dependencies / machete (push) Has been skipped
Canary / Prepare Version (push) Failing after 1s
Live Provider Tests / check-fork (push) Failing after 0s
Create Minor Release PR / check-version-bump-pr (push) Has been skipped
Publish Ask AI Bot Docker Image / docker (push) Failing after 1s
Live Provider Tests / changes (push) Has been skipped
Scorecard supply-chain security / Scorecard analysis (push) Has been skipped
Publish Docker Image / docker (push) Failing after 1s
CI / changes (push) Failing after 8s
Create Minor Release PR / release (push) Has been skipped
Live Provider Tests / Smoke Tests (push) Has been cancelled
Live Provider Tests / Smoke Tests (Code Execution) (push) Has been cancelled
Live Provider Tests / Compaction Tests (push) Has been cancelled
CI / Build Rust Project on Windows (push) Has been cancelled
Live Provider Tests / Build Binary (push) Has been cancelled
CI / Lint Rust Code (push) Has been cancelled
CI / Check Generated Schemas are Up-to-Date (push) Has been cancelled
CI / Test and Lint Electron Desktop App (push) Has been cancelled
CI / Check Rust Code Format (push) Has been cancelled
CI / Build and Test Rust Project (push) Has been cancelled
CI / Check MSRV (push) Has been cancelled
152 lines
6.9 KiB
YAML
152 lines
6.9 KiB
YAML
# This workflow is triggered by a comment on PR with the text ".build-cli"
|
|
#
|
|
# SECURITY: This workflow checks out and builds code from PRs. To prevent
|
|
# malicious code execution (GHSA-4h72-4h3w-4587, GHSA-mqm8-hhf6-wvjq),
|
|
# we verify the commenter has write access before proceeding.
|
|
on:
|
|
issue_comment:
|
|
types: [created]
|
|
workflow_dispatch:
|
|
inputs:
|
|
pr_number:
|
|
description: 'PR number to comment on'
|
|
required: true
|
|
type: string
|
|
|
|
# permissions needed for reacting to IssueOps commands on PRs
|
|
permissions:
|
|
pull-requests: write
|
|
checks: read
|
|
|
|
name: Build CLI
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ (github.event.issue && github.event.issue.number) || github.event.inputs.pr_number }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
trigger-on-command:
|
|
if: >
|
|
github.event_name == 'workflow_dispatch' ||
|
|
(github.event.issue.pull_request && contains(github.event.comment.body, '.build-cli'))
|
|
name: Trigger on ".build-cli" PR comment
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
continue: ${{ steps.security_check.outputs.authorized }}
|
|
pr_number: ${{ steps.command.outputs.issue_number || github.event.inputs.pr_number }}
|
|
head_sha: ${{ steps.set_head_sha.outputs.head_sha || github.sha }}
|
|
steps:
|
|
# SECURITY: Verify commenter has write access BEFORE any checkout
|
|
# This prevents attackers from triggering builds on their own malicious PRs
|
|
- name: Verify commenter permissions
|
|
id: security_check
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
with:
|
|
script: |
|
|
// workflow_dispatch requires repo write access, so it's inherently safe
|
|
if (context.eventName === 'workflow_dispatch') {
|
|
core.setOutput('authorized', 'true');
|
|
console.log('✅ workflow_dispatch - authorized');
|
|
return;
|
|
}
|
|
|
|
const commenter = context.payload.comment.user.login;
|
|
console.log(`Checking permissions for: ${commenter}`);
|
|
|
|
try {
|
|
const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
username: commenter
|
|
});
|
|
|
|
const allowed = ['admin', 'maintain', 'write'].includes(permission.permission);
|
|
console.log(`Permission level: ${permission.permission}, Authorized: ${allowed}`);
|
|
|
|
if (!allowed) {
|
|
// Post a comment explaining the rejection
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.payload.issue.number,
|
|
body: `⚠️ @${commenter} Only repository collaborators with write access can trigger builds.`
|
|
});
|
|
core.setOutput('authorized', 'false');
|
|
} else {
|
|
core.setOutput('authorized', 'true');
|
|
}
|
|
} catch (error) {
|
|
console.log(`Permission check failed: ${error.message}`);
|
|
core.setOutput('authorized', 'false');
|
|
}
|
|
|
|
- name: Run command action
|
|
if: steps.security_check.outputs.authorized == 'true' && github.event_name == 'issue_comment'
|
|
uses: github/command@v2.0.3
|
|
id: command
|
|
with:
|
|
command: ".build-cli"
|
|
skip_reviews: true
|
|
reaction: "eyes"
|
|
allowed_contexts: pull_request
|
|
|
|
- name: Checkout code
|
|
if: steps.security_check.outputs.authorized == 'true'
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
|
|
- name: Get PR head SHA with gh
|
|
id: set_head_sha
|
|
if: steps.security_check.outputs.authorized == 'true'
|
|
run: |
|
|
echo "Get PR head SHA with gh"
|
|
HEAD_SHA=$(gh pr view "$ISSUE_NUMBER" --json headRefOid -q .headRefOid)
|
|
echo "head_sha=$HEAD_SHA" >> $GITHUB_OUTPUT
|
|
echo "head_sha=$HEAD_SHA"
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
ISSUE_NUMBER: ${{ steps.command.outputs.issue_number || github.event.inputs.pr_number }}
|
|
|
|
build-cli:
|
|
needs: [trigger-on-command]
|
|
if: ${{ needs.trigger-on-command.outputs.continue == 'true' }}
|
|
uses: ./.github/workflows/build-cli.yml
|
|
with:
|
|
ref: ${{ needs.trigger-on-command.outputs.head_sha }}
|
|
|
|
pr-comment-cli:
|
|
name: PR Comment with CLI builds
|
|
runs-on: ubuntu-latest
|
|
needs: [trigger-on-command, build-cli]
|
|
permissions:
|
|
pull-requests: write
|
|
|
|
steps:
|
|
- name: Download CLI artifacts
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
pattern: goose-*
|
|
path: cli-dist
|
|
merge-multiple: true
|
|
|
|
- name: Comment on PR with CLI download links
|
|
uses: peter-evans/create-or-update-comment@v5
|
|
with:
|
|
issue-number: ${{ needs.trigger-on-command.outputs.pr_number }}
|
|
body: |
|
|
### CLI Builds
|
|
|
|
Download CLI builds for different platforms:
|
|
- [📦 Linux (x86_64, Ubuntu 22.04-compatible)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-unknown-linux-gnu.zip)
|
|
- [📦 Linux (aarch64, Ubuntu 22.04-compatible)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-unknown-linux-gnu.zip)
|
|
- [📦 Linux musl (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-unknown-linux-musl.zip)
|
|
- [📦 Linux musl (aarch64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-unknown-linux-musl.zip)
|
|
- [📦 Linux Vulkan (x86_64, Ubuntu 24.04+)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-unknown-linux-gnu-vulkan.zip)
|
|
- [📦 Linux Vulkan (aarch64, Ubuntu 24.04+)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-unknown-linux-gnu-vulkan.zip)
|
|
- [📦 macOS (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-apple-darwin.zip)
|
|
- [📦 macOS (aarch64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-apple-darwin.zip)
|
|
- [📦 Windows (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-pc-windows-msvc.zip)
|
|
- [📦 Windows CUDA (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-pc-windows-msvc-cuda.zip)
|
|
|
|
These links are provided by nightly.link and will work even if you're not logged into GitHub.
|
|
|