From fa615199443de76327568ca90be812a5df2a4101 Mon Sep 17 00:00:00 2001 From: Chris Werner Rau Date: Mon, 13 May 2024 15:50:59 +0200 Subject: [PATCH] fix(ci): disable pull_request_target for unsafe workflows (#950) --- .github/scripts/validate-pullrequest.sh | 21 --------------- .github/workflows/get-changed-chart.yaml | 9 ++++--- .github/workflows/get-changed-charts.yaml | 7 ++--- .github/workflows/linter.yaml | 2 +- .github/workflows/pr-comment-diff.yaml | 2 +- .../workflows/update-artifacthub-images.yaml | 2 +- .github/workflows/validate-pullrequest.yaml | 26 ++++++++++++------- 7 files changed, 29 insertions(+), 40 deletions(-) delete mode 100755 .github/scripts/validate-pullrequest.sh diff --git a/.github/scripts/validate-pullrequest.sh b/.github/scripts/validate-pullrequest.sh deleted file mode 100755 index daa3c11c7..000000000 --- a/.github/scripts/validate-pullrequest.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/env bash - -[[ "$RUNNER_DEBUG" == 1 ]] && set -x -[[ -o xtrace ]] && export RUNNER_DEBUG=1 - -set -eu -set -o pipefail - -: "${PR_TITLE:?Environment variable must be set}" - -changed="${CHANGED_CHART?Environment variable must be set}" - -if ! cog verify "$PR_TITLE"; then - echo "PR title must be a conventional commit message" >&2 - exit 1 -fi - -if [[ -n "$changed" ]] && ! cog verify "$PR_TITLE" 2>&1 | grep -Eq "^\s+Scope: $changed(/.+|)\$"; then - echo "PR title must have scope '$changed/\$subscope'" >&2 - exit 1 -fi diff --git a/.github/workflows/get-changed-chart.yaml b/.github/workflows/get-changed-chart.yaml index 8a3de3837..e5c67444b 100644 --- a/.github/workflows/get-changed-chart.yaml +++ b/.github/workflows/get-changed-chart.yaml 
@@ -12,24 +12,25 @@ jobs: runs-on: ubuntu-latest outputs: chart: ${{ steps.getChangedChart.outputs.chart }} - env: - CT_TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.event.repository.default_branch }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} - uses: helm/chart-testing-action@v2.6.1 - id: getChangedChart name: Get changed chart in this commit + env: + CT_TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.event.repository.default_branch }} run: | set -x set -o pipefail changed="$(ct list-changed | cut -d / -f 2)" if [[ -z "$changed" ]]; then - echo chart= | tee "$GITHUB_OUTPUT" + echo chart= | tee -a "$GITHUB_OUTPUT" exit 0 fi @@ -40,4 +41,4 @@ jobs: exit 1 fi - echo chart="$changed" | tee "$GITHUB_OUTPUT" + echo chart="$changed" | tee -a "$GITHUB_OUTPUT" diff --git a/.github/workflows/get-changed-charts.yaml b/.github/workflows/get-changed-charts.yaml index da1c922f8..1d41bda51 100644 --- a/.github/workflows/get-changed-charts.yaml +++ b/.github/workflows/get-changed-charts.yaml @@ -12,21 +12,22 @@ jobs: runs-on: ubuntu-22.04 outputs: charts: ${{ steps.getCharts.outputs.charts }} - env: - CT_TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.event.repository.default_branch }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} - uses: helm/chart-testing-action@v2.6.1 - name: Get all charts id: getCharts + env: + CT_TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.event.repository.default_branch }} run: | set -ex set -o pipefail ( echo -n charts= ct list-changed | cut -d / -f 2 | jq -c -Rn '[inputs]' - ) | tee "$GITHUB_OUTPUT" + ) | tee -a "$GITHUB_OUTPUT" diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml index aa9162d9c..237f1f743 100644 --- a/.github/workflows/linter.yaml +++ b/.github/workflows/linter.yaml 
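Review bot: The added `ref: ${{ github.event.pull_request.head.sha }}` on the checkout step is the line that makes this job unsafe if it is ever reached from a `pull_request_target` caller: it puts the fork's tree on the runner before `ct list-changed` reads it, while the caller's write-capable token and secrets are in scope. Under `pull_request` it is the right ref (the PR tip rather than the merge commit), but nothing in the hunk records that constraint, and the job-level `outputs:` suggest this is a reusable workflow whose trigger is decided by the caller. I would put a comment directly above the line: `# Untrusted PR code is checked out here; only call this workflow from pull_request-triggered callers (read-only token, no secrets), never from pull_request_target.` The same `ref:` line is added in get-changed-charts.yaml below and warrants the same comment. This file's `on:` block is outside the hunk, so the trigger itself cannot be confirmed from here.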
@@ -36,7 +36,7 @@ jobs: echo -n "repos=" yq -r '.dependencies[] | .repository' "charts/$CHART/Chart.yaml" | sort -u | grep https:// | awk '{printf (NR>1 ? "," : "") NR "=" $1}' echo - ) | tee "$GITHUB_OUTPUT" + ) | tee -a "$GITHUB_OUTPUT" - uses: actions/setup-python@v5 with: diff --git a/.github/workflows/pr-comment-diff.yaml b/.github/workflows/pr-comment-diff.yaml index efd9c712e..bf1e94abb 100644 --- a/.github/workflows/pr-comment-diff.yaml +++ b/.github/workflows/pr-comment-diff.yaml @@ -4,7 +4,7 @@ concurrency: cancel-in-progress: true on: - pull_request_target: + pull_request: paths: - charts/** branches-ignore: diff --git a/.github/workflows/update-artifacthub-images.yaml b/.github/workflows/update-artifacthub-images.yaml index 85d51d5e4..a970657dd 100644 --- a/.github/workflows/update-artifacthub-images.yaml +++ b/.github/workflows/update-artifacthub-images.yaml @@ -25,7 +25,7 @@ jobs: echo "$chart" fi done | cut -d / -f 2 | jq -c -Rn '[inputs]' - ) | tee "$GITHUB_OUTPUT" + ) | tee -a "$GITHUB_OUTPUT" extractImagesForMultipleCharts: runs-on: ubuntu-22.04 diff --git a/.github/workflows/validate-pullrequest.yaml b/.github/workflows/validate-pullrequest.yaml index ffb8b859e..7b827645f 100644 --- a/.github/workflows/validate-pullrequest.yaml +++ b/.github/workflows/validate-pullrequest.yaml 
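Review bot: Switching `on:` to `pull_request` in pr-comment-diff.yaml removes the privileged token from fork PRs, but it also makes the `GITHUB_TOKEN` read-only for forks, so any step that posts the rendered diff as a PR comment (the workflow name suggests one exists, outside this hunk) will start failing with a 403 on fork PRs; that trade-off should be recorded rather than rediscovered. I would add above the trigger: `# pull_request, not pull_request_target: this workflow checks out and renders untrusted PR content, so it must never run with a write-capable token or secrets; fork PRs therefore get no comment (see #950).` If commenting on fork PRs is still wanted, the safe split is a separate `workflow_run`-triggered workflow that only downloads an artifact produced here and posts it, without ever checking out PR code. The job's `permissions:` block, if any, is outside the hunk and should be confirmed to be `contents: read` with `pull-requests: write` only where a comment is actually posted.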
@@ -29,20 +29,28 @@ jobs: name: Validate and label PR runs-on: ubuntu-latest needs: getChangedChart - env: - CT_TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.event.repository.default_branch }} steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - uses: helm/chart-testing-action@v2.6.1 - name: Conventional commit check uses: cocogitto/cocogitto-action@v3 with: check: false - - run: .github/scripts/validate-pullrequest.sh + - run: | + set -u + set -o pipefail + + : "${PR_TITLE:?Environment variable must be set}" + + changed="${CHANGED_CHART?Environment variable must be set}" + + if ! cog verify "$PR_TITLE"; then + echo "PR title must be a conventional commit message" >&2 + exit 1 + fi + + if [[ -n "$changed" ]] && ! cog verify "$PR_TITLE" 2>&1 | grep -Eq "^\s+Scope: $changed(/.+|)\$"; then + echo "PR title must have scope '$changed/\$subscope'" >&2 + exit 1 + fi env: PR_TITLE: ${{ github.event.pull_request.title }} GITHUB_TOKEN: ${{ github.token }}
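Review bot: The inlined `run: |` step still receives `GITHUB_TOKEN: ${{ github.token }}` in its `env:` although the script only runs `cog verify` against `$PR_TITLE` and `$CHANGED_CHART` and never calls the API; if this workflow remains on `pull_request_target` (its trigger is not touched by this diff, and the job is named "Validate and label PR"), that is a write-capable token handed to the one step that processes attacker-controlled text, for no purpose. I would drop `GITHUB_TOKEN` from this step's `env:` and grant `pull-requests: write` via `permissions:` only on the step or job that actually labels. Passing the title through `env:` instead of expanding `${{ }}` inside the script is the correct injection-safe pattern and deserves a comment so nobody "simplifies" it later, e.g. `# title and chart name arrive via env, never via ${{ }} in the script, to prevent shell injection`. Separately, `$changed` is interpolated unescaped into the `grep -E` pattern, so a chart directory name containing ERE metacharacters such as `.` or `+` loosens or breaks the scope check; extracting the `Scope:` value with `sed` and comparing it to `$changed` as a fixed string (exact match or `$changed/` prefix) would close that. The step also lacks a `name:` unlike its siblings, e.g. `- name: Validate PR title scope`, and the `env:` block appears to continue past the hunk (`CHANGED_CHART` is not visible here).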