chore: Revoke Access Tokens when a User is Deactivated #25709
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: "Check Rebaseable" | |
############################################################ | |
# Understand this security concern before you edit this file: | |
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests | |
############################################################ | |
on: # yamllint disable-line rule:truthy | |
push: | |
branches: | |
- 'main' | |
- 'master' | |
pull_request_target: {} | |
env: | |
EE_REPO: determined-ai/determined-ee | |
OSS_REPO: determined-ai/determined | |
permissions: | |
pull-requests: read | |
contents: read | |
jobs: | |
pre-check-rebaseable: | |
runs-on: ubuntu-latest | |
outputs: | |
rebase_exit: ${{ steps.rebase.outputs.rebase_exit }} | |
steps: | |
- name: get EE | |
# https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability | |
# the env context is only available on the runner, so can only be used | |
# in parts of the job which are on the runner. :/ | |
if: github.repository != env.EE_REPO | |
uses: actions/checkout@v4 | |
with: | |
# fetch-depth: 1 # we only need the default branch | |
fetch-depth: 0 | |
token: ${{ secrets.DETERMINED_TOKEN }} | |
repository: ${{ env.EE_REPO }} | |
- name: add OSS repository remote and get candidate branch | |
if: github.repository != env.EE_REPO | |
run: | | |
# ssh checkout of additional remotes fails :/ | |
git remote add OSS https://github.com/${{ env.OSS_REPO }} | |
git fetch OSS "$REF":proposed_base | |
git config --global user.email "[email protected]" | |
git config --global user.name "Automatic rebase check" | |
- name: attempt rebase | |
id: rebase | |
if: github.repository != env.EE_REPO | |
continue-on-error: true | |
run: | | |
set +e # GHA runs `bash -e` if shell is undefined or 'bash' | |
git rebase proposed_base 1>&2 | |
printf 'rebase_exit=%s\n' $? >> "$GITHUB_OUTPUT" | |
exit $? | |
check-rebaseable: | |
runs-on: ubuntu-latest | |
needs: pre-check-rebaseable | |
if: ${{ needs.pre-check-rebaseable.outputs.rebase_exit == 0 }} | |
steps: | |
- name: get EE | |
# the env context is only available on the runner, so can only be used | |
# in parts of the job which are on the runner. :/ | |
if: github.repository != env.EE_REPO | |
uses: actions/checkout@v4 | |
with: | |
# fetch-depth: 1 # we only need the default branch | |
fetch-depth: 0 | |
token: ${{ secrets.DETERMINED_TOKEN }} | |
repository: ${{ env.EE_REPO }} | |
# pull_request_target sets ref to default branch, not PR :/ | |
# We use /merge because that's what the merge target will look like if | |
# the PR merge was to be completed | |
- name: identify branch ref | |
if: github.repository != env.EE_REPO | |
run: | | |
if [[ "${{ github.event_name }}" == "push" ]] | |
then | |
REF="${{ github.ref }}" | |
else | |
REF="refs/pull/${{ github.event.number }}/merge" | |
fi | |
printf "REF=%s\n" "$REF" >> ${{ github.env }} | |
- name: add OSS repository remote and get candidate branch | |
if: github.repository != env.EE_REPO | |
run: | | |
# ssh checkout of additional remotes fails :/ | |
git remote add OSS https://github.com/${{ env.OSS_REPO }} | |
git fetch OSS "$REF":proposed_base | |
git config --global user.email "[email protected]" | |
git config --global user.name "Automatic rebase check" | |
- name: attempt rebase | |
if: github.repository != env.EE_REPO | |
run: | | |
git rebase proposed_base || (cat <<"EOF" 1>&2 | |
******** | |
This branch failed to rebase onto the "determined-ee" repo! | |
This may or may not be an issue with your branch that | |
you need to resolve. | |
For more information, please consult this confluence page: | |
https://hpe-aiatscale.atlassian.net/wiki/spaces/ENGINEERIN/pages/1295450385/GitHub+Check+Rebaseable+Test | |
******** | |
EOF | |
exit 1 | |
) |