Change the update-dependencies workflow

Add more security. Don't run the workflow if the actor is incorrect, or there is a fork involved. And then only run the update dependencies after a manual approval.
2025-12-25 16:50:21 +08:00 · 2021-10-21 15:41:25 -07:00
10 changed files with 28 additions and 20 deletions
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -60,7 +60,6 @@ jobs:
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-        upload-database: false
      env:
        TEST_MODE: true
    - name: Assert Results
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -4,10 +4,27 @@ on:
    types: [opened, synchronize, reopened, ready_for_review, labeled]

 jobs:
+  check:
+    name: Check for relevance
+    runs-on: ubuntu-latest
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'Update dependencies') &&
+      (github.actor == 'dependabot[bot]' || github.actor == 'github-actions[bot]') &&
+      github.repository == 'github/codeql-action' &&
+      github.head.repo.full_name == 'github/codeql-action' &&
+      github.base.repo.full_name == 'github/codeql-action'
+    env:
+      ACTOR: '${{ github.actor }}'
+
+    steps:
+      - name: Check Actor
+        run: echo "This PR should run the Update Dependencies workflow because the actor is $ACTOR, there is no fork involved, and the 'Update dependencies' label exists."
+
  update:
+    needs: check
+    environment: Update dependencies
    name: Update dependencies
    runs-on: macos-latest
-    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
@@ -24,8 +41,8 @@ jobs:
      env:
        BRANCH: '${{ github.head_ref }}'
      run: |
-        git fetch origin "$BRANCH" --depth=1
-        git checkout "origin/$BRANCH"
+        git fetch
+        git checkout $BRANCH
        sudo npm install --force -g npm@latest
        npm install
        npm ci
@@ -35,5 +52,5 @@ jobs:
          git config --global user.name "github-actions[bot]"
          git add node_modules
          git commit -am "Update checked-in dependencies"
-          git push origin "HEAD:$BRANCH"
+          git push origin "$BRANCH"
        fi
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,10 +4,6 @@

 No user facing changes.

-## 1.0.20 - 25 Oct 2021
-
-No user facing changes.
-
 ## 1.0.19 - 18 Oct 2021

 No user facing changes.
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "1.0.21",
+  "version": "1.0.20",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "1.0.21",
+  "version": "1.0.20",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "1.0.21",
+      "version": "1.0.20",
      "license": "MIT",
      "dependencies": {
        "@actions/artifact": "^0.5.2",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "1.0.21",
+  "version": "1.0.20",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
--- a/pr-checks/checks/split-workflow.yml
+++ b/pr-checks/checks/split-workflow.yml
@@ -28,7 +28,6 @@ steps:
  - uses: ./../action/analyze
    with:
      output: "${{ runner.temp }}/results"
-      upload-database: false
    env:
      TEST_MODE: true
  - name: Assert Results
--- a/runner/package-lock.json
+++ b/runner/package-lock.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql-runner",
-  "version": "1.0.21",
+  "version": "1.0.20",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
--- a/runner/package.json
+++ b/runner/package.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql-runner",
-  "version": "1.0.21",
+  "version": "1.0.20",
  "private": true,
  "description": "CodeQL runner",
  "scripts": {
--- a/upload-sarif/action.yml
+++ b/upload-sarif/action.yml
@@ -3,10 +3,7 @@ description: 'Upload the analysis results'
 author: 'GitHub'
 inputs:
  sarif_file:
-    description: |
-      The SARIF file or directory of SARIF files to be uploaded to GitHub code scanning.
-      See https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions
-      for information on the maximum number of results and maximum file size supported by code scanning. 
+    description: The SARIF file or directory of SARIF files to be uploaded. Each upload should contain a maximum of 1000 results, any additional results are ignored.
    required: false
    default: '../results'
  checkout_path: