shaka-player/.github/workflows/report-incremental-coverage.yaml
Joey Parrish 876511bad6 chore: Use only raw fields in gh api calls (#9482)
Workflows using gh api should always use -f (raw field) instead of -F
(field whose value receives special interpretation), because a crafted
message could otherwise be used to read files from the host, which could
lead to leaked keys or other private information.

There is no known exploit, because these messages were not yet
controllable by an attacker as far as we know, but better safe than
sorry.

Discovered during a careful review of #9422, which adds new usage of gh
api.
2025-12-08 14:57:31 -08:00


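name: Report Incremental Coverage
# Runs when the build and test workflow completes. This will run with full
# privileges, even if the other workflow doesn't. That allows us to leave PR
# comments, when we would not be able to do so otherwise.
on:
  workflow_run:
    workflows: [Build and Test]
    types: [completed]

# The default GITHUB_TOKEN is only needed by actions/checkout. Both steps
# below export SHAKA_BOT_TOKEN as GITHUB_TOKEN for their API calls, so the
# default token can stay read-only.
permissions:
  contents: read

jobs:
  report:
    if: ${{ github.event.workflow_run.event == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Compute incremental code coverage
        id: compute
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.SHAKA_BOT_TOKEN }}
          # Handed to the script through the environment rather than
          # interpolated into the run text, so expression output is never
          # parsed as shell code.
          REPO: ${{ github.repository }}
          RUN_ID: ${{ github.event.workflow_run.id }}
        # Fetches the coverage data from the run that triggered the report,
        # parses it, compares it to the changed lines in the PR, and computes
        # the incremental code coverage.
        run: |
          python3 .github/workflows/compute-incremental-coverage.py \
            --repo "$REPO" \
            --run-id "$RUN_ID"

      - name: Report incremental code coverage
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.SHAKA_BOT_TOKEN }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ steps.compute.outputs.pr_number }}
          # The coverage value is derived from the triggering PR run, so it is
          # treated as data only: passed via env and sent with -f (raw field),
          # never spliced into shell or jq source.
          MESSAGE: "Incremental code coverage: ${{ steps.compute.outputs.coverage }}"
          COMMENT_INCLUDES: "Incremental code coverage: "
          COMMENT_USER: "shaka-bot"
        run: |
          # Look for an old comment.
          # --paginate: the bot comment is still found on PRs with more than
          #   one page of comments (the default page size would otherwise
          #   miss it and a duplicate comment would be created).
          # --arg: the match values are bound as jq variables instead of
          #   being interpolated into the filter text.
          # inputs[] / first: handles the concatenated per-page arrays that
          #   --paginate emits and yields at most one id, so the URL below
          #   can never receive several ids.
          old_comment_id="$(
            gh api --paginate "/repos/$REPO/issues/$PR_NUMBER/comments" \
              | jq -n --arg user "$COMMENT_USER" --arg prefix "$COMMENT_INCLUDES" \
                  '[inputs[] | select((.user.login == $user) and (.body | startswith($prefix))) | .id] | first // empty'
          )"
          if [[ -z "$old_comment_id" ]]; then
            # Create a new comment
            gh api \
              --method POST \
              "/repos/$REPO/issues/$PR_NUMBER/comments" \
              -f "body=$MESSAGE"
          else
            # Update an old comment
            gh api \
              --method PATCH \
              "/repos/$REPO/issues/comments/$old_comment_id" \
              -f "body=$MESSAGE"
          fi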