Skip to content

chore: Revoke Access Tokens when a User is Deactivated #25709

chore: Revoke Access Tokens when a User is Deactivated

chore: Revoke Access Tokens when a User is Deactivated #25709

---
name: "Check Rebaseable"
############################################################
# Understand this security concern before you edit this file:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests
############################################################
on: # yamllint disable-line rule:truthy
push:
branches:
- 'main'
- 'master'
pull_request_target: {}
env:
EE_REPO: determined-ai/determined-ee
OSS_REPO: determined-ai/determined
permissions:
pull-requests: read
contents: read
jobs:
pre-check-rebaseable:
runs-on: ubuntu-latest
outputs:
rebase_exit: ${{ steps.rebase.outputs.rebase_exit }}
steps:
- name: get EE
# https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
# the env context is only available on the runner, so can only be used
# in parts of the job which are on the runner. :/
if: github.repository != env.EE_REPO
uses: actions/checkout@v4
with:
# fetch-depth: 1 # we only need the default branch
fetch-depth: 0
token: ${{ secrets.DETERMINED_TOKEN }}
repository: ${{ env.EE_REPO }}
- name: add OSS repository remote and get candidate branch
if: github.repository != env.EE_REPO
run: |
# ssh checkout of additional remotes fails :/
git remote add OSS https://github.com/${{ env.OSS_REPO }}
git fetch OSS "$REF":proposed_base
git config --global user.email "[email protected]"
git config --global user.name "Automatic rebase check"
- name: attempt rebase
id: rebase
if: github.repository != env.EE_REPO
continue-on-error: true
run: |
set +e # GHA runs `bash -e` if shell is undefined or 'bash'
git rebase proposed_base 1>&2
printf 'rebase_exit=%s\n' $? >> "$GITHUB_OUTPUT"
exit $?
check-rebaseable:
runs-on: ubuntu-latest
needs: pre-check-rebaseable
if: ${{ needs.pre-check-rebaseable.outputs.rebase_exit == 0 }}
steps:
- name: get EE
# the env context is only available on the runner, so can only be used
# in parts of the job which are on the runner. :/
if: github.repository != env.EE_REPO
uses: actions/checkout@v4
with:
# fetch-depth: 1 # we only need the default branch
fetch-depth: 0
token: ${{ secrets.DETERMINED_TOKEN }}
repository: ${{ env.EE_REPO }}
# pull_request_target sets ref to default branch, not PR :/
# We use /merge because that's what the merge target will look like if
# the PR merge was to be completed
- name: identify branch ref
if: github.repository != env.EE_REPO
run: |
if [[ "${{ github.event_name }}" == "push" ]]
then
REF="${{ github.ref }}"
else
REF="refs/pull/${{ github.event.number }}/merge"
fi
printf "REF=%s\n" "$REF" >> ${{ github.env }}
- name: add OSS repository remote and get candidate branch
if: github.repository != env.EE_REPO
run: |
# ssh checkout of additional remotes fails :/
git remote add OSS https://github.com/${{ env.OSS_REPO }}
git fetch OSS "$REF":proposed_base
git config --global user.email "[email protected]"
git config --global user.name "Automatic rebase check"
- name: attempt rebase
if: github.repository != env.EE_REPO
run: |
git rebase proposed_base || (cat <<"EOF" 1>&2
********
This branch failed to rebase onto the "determined-ee" repo!
This may or may not be an issue with your branch that
you need to resolve.
For more information, please consult this confluence page:
https://hpe-aiatscale.atlassian.net/wiki/spaces/ENGINEERIN/pages/1295450385/GitHub+Check+Rebaseable+Test
********
EOF
exit 1
)