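name: pr-check
# Note: If you need to make changes to this file, please use a branch off the main branch instead of a fork.
# The pull_request target from a forked repo will not have access to the secrets needed for this workflow.
#
# Trust model for this workflow:
#   - `pull_request_target` runs in the context of the base repository, so repository
#     secrets are reachable by every job here. The `build` job runs the untrusted PR
#     code, so it is granted only `contents: read`, references no secrets, and does not
#     keep the GITHUB_TOKEN on disk.
#   - The `deploy` job is the only consumer of secrets. It executes the artifact that
#     `build` produced from the PR (see `uses: ./` below), which is why it is gated
#     behind the "Automation test" environment approval.
on:  # yamllint disable-line rule:truthy
  pull_request_target:
  pull_request:
    paths:
      - '.github/workflows/pr-check.yml'

# Default the GITHUB_TOKEN to no permissions; each job grants only what it needs.
permissions: {}

jobs:
  # Build job that safely builds artifacts from PR code without access to secrets
  build:
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
    strategy:
      matrix:
        os: [windows-latest, ubuntu-latest]
    steps:
      - name: Checkout from PR branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          # `npm run build` later in this job executes a script controlled by the PR.
          # Do not leave the GITHUB_TOKEN in .git/config where that script could read it.
          persist-credentials: false
      - name: Verify package-lock.json exists
        run: |
          if (!(Test-Path package-lock.json)) {
            Write-Error "package-lock.json not found. Please commit package-lock.json to ensure reproducible builds."
            exit 1
          }
        shell: pwsh
      - name: Check if package-lock.json was modified
        # Hand the branch name to the script through the environment instead of
        # interpolating `${{ }}` into the script body, so its value is never parsed
        # as PowerShell source.
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          # Check git log to see if package-lock.json was modified in this PR.
          # `origin` is the PR head repository here (see the checkout above); the fetch is
          # best-effort, which is why this step has continue-on-error set.
          git fetch origin $env:BASE_REF --depth=1
          $changedFiles = git diff --name-only "origin/$($env:BASE_REF)...HEAD"
          if ($changedFiles -match "package-lock.json") {
            Write-Warning "⚠️ package-lock.json has been modified in this PR."
            Write-Warning "This requires manual review to ensure no malicious dependencies were added."
            Write-Warning "Reviewers: Please carefully examine the dependency changes before approving."
          } else {
            Write-Host "✓ package-lock.json unchanged - no new dependencies" -ForegroundColor Green
          }
        shell: pwsh
        continue-on-error: true
      - name: Verify package.json integrity
        run: |
          # Check for suspicious scripts that could be used for attacks.
          # These are the npm lifecycle hooks that run during an install; `npm ci
          # --ignore-scripts` below skips them, but reviewers should still see them.
          $packageJson = Get-Content package.json | ConvertFrom-Json
          $suspiciousScripts = @('preinstall', 'install', 'postinstall', 'prepare', 'prepack', 'postpack')
          foreach ($script in $suspiciousScripts) {
            if ($packageJson.scripts.$script) {
              Write-Warning "⚠️ Found lifecycle script '$script' in package.json"
              Write-Warning "Script content: $($packageJson.scripts.$script)"
              Write-Warning "Reviewers: Please verify this script is legitimate"
            }
          }
        shell: pwsh
      - name: Installing node_modules with ci (uses lockfile, ignores scripts)
        run: npm ci --ignore-scripts
      - name: Audit dependencies for known vulnerabilities
        # Advisory only: a failed audit does not block the build.
        run: npm audit --audit-level=high
        continue-on-error: true
      - name: Build GitHub Action
        # Runs the PR's own `build` script; this is the step that executes untrusted code.
        run: npm run build
      - name: Upload build artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: action-build-${{ matrix.os }}
          # Everything the deploy job needs to run the action from the PR build.
          path: |
            lib/
            node_modules/
            action.yml
            package.json
            package-lock.json
          retention-days: 1

  # Deploy job that uses the built artifacts and has access to secrets
  deploy:
    needs: build
    environment: Automation test # this environment requires approval before running the action
    runs-on: ${{ matrix.os }}
    permissions:
      checks: write
      id-token: write # This is needed for Azure login with OIDC
    # Test failures on one OS do not fail the whole workflow.
    continue-on-error: true
    strategy:
      matrix:
        os: [windows-latest, ubuntu-latest]
    env:
      TEST_DB: 'SqlActionTest-${{ matrix.os }}'
    steps:
      - name: Checkout base repository (for test data only)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Download build artifact
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: action-build-${{ matrix.os }}
          # Extracting into the workspace root replaces action.yml, lib/, node_modules/
          # and package*.json from the base checkout with the PR-built versions, so
          # every `uses: ./` step below runs the PR's code with the secrets above.
          path: .
      - name: Setup .NET
        # TODO(review): pin to a full commit SHA like the other actions in this file.
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.x'
      - name: Install SqlPackage (Linux only)
        if: runner.os == 'Linux'
        run: dotnet tool install -g microsoft.sqlpackage
      - name: Azure Login
        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # Deploy a DACPAC with only a table to server
      - name: Test DACPAC Action
        uses: ./
        with:
          connection-string: 'Server=${{ secrets.TEST_SERVER }};Initial Catalog=${{ env.TEST_DB }};Authentication=Active Directory Default;'
          path: ./__testdata__/sql-action.dacpac
          action: 'publish'
      # Build and publish sqlproj that should create a new view
      - name: Test Build and Publish
        uses: ./
        with:
          connection-string: 'Server=${{ secrets.TEST_SERVER }};Initial Catalog=${{ env.TEST_DB }};Authentication=Active Directory Default;'
          path: ./__testdata__/TestProject/sql-action.sqlproj
          action: 'publish'
      # Execute testsql.sql via script action on server
      - name: Test SQL Action
        uses: ./
        with:
          connection-string: 'Server=${{ secrets.TEST_SERVER }};Initial Catalog=${{ env.TEST_DB }};Authentication=Active Directory Default;'
          path: ./__testdata__/testsql.sql
      - name: Cleanup Test Database
        # Runs even when an earlier test step failed so the per-OS test database is dropped.
        if: always()
        uses: ./
        with:
          connection-string: 'Server=${{ secrets.TEST_SERVER }};Initial Catalog=master;Authentication=Active Directory Default;'
          path: ./__testdata__/cleanup.sql
          arguments: '-v DbName="${{ env.TEST_DB }}"'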