Skip to content

Commit

Permalink
🐛 also check releases/v2 branch for github/codeql-action (#518)
Browse files Browse the repository at this point in the history
* check v2 branch too

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
  • Loading branch information
spencerschrock authored Dec 18, 2023
1 parent 18ba55b commit efeceb7
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 3 deletions.
10 changes: 8 additions & 2 deletions app/server/verify_workflow.go
Original file line number Diff line number Diff line change
Expand Up @@ -263,10 +263,16 @@ func (g *githubVerifier) contains(owner, repo, hash string) (bool, error) {
if contains {
return true, nil
}
// github/codeql-action has commits from their v1 release branch that don't show up in the default branch
// github/codeql-action has commits from their v1 and v2 release branch that don't show up in the default branch
// this isn't the best approach for now, but theres no universal "does this commit belong to this repo" call
if owner == "github" && repo == "codeql-action" {
contains, err = g.branchContains("releases/v1", owner, repo, hash)
contains, err = g.branchContains("releases/v2", owner, repo, hash)
if err != nil {
return false, err
}
if !contains {
contains, err = g.branchContains("releases/v1", owner, repo, hash)
}
}
return contains, err
}
Expand Down
28 changes: 27 additions & 1 deletion app/server/verify_workflow_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -115,13 +115,14 @@ func (s suffixStubTripper) RoundTrip(r *http.Request) (*http.Response, error) {
}, nil
}

func Test_githubVerifier_contains(t *testing.T) {
func Test_githubVerifier_contains_codeql_v1(t *testing.T) {
t.Parallel()
httpClient := http.Client{
Transport: suffixStubTripper{
responsePaths: map[string]string{
"codeql-action": "./testdata/api/github/repository.json", // api call which finds the default branch
"main...somehash": "./testdata/api/github/divergent.json", // doesnt belong to default branch
"v2...somehash": "./testdata/api/github/divergent.json", // doesnt belong to releases/v2 branch
"v1...somehash": "./testdata/api/github/containsCommit.json", // belongs to releases/v1 branch
},
},
Expand All @@ -140,6 +141,31 @@ func Test_githubVerifier_contains(t *testing.T) {
}
}

func Test_githubVerifier_contains_codeql_v2(t *testing.T) {
t.Parallel()
httpClient := http.Client{
Transport: suffixStubTripper{
responsePaths: map[string]string{
"codeql-action": "./testdata/api/github/repository.json", // api call which finds the default branch
"main...somehash": "./testdata/api/github/divergent.json", // doesnt belong to default branch
"v2...somehash": "./testdata/api/github/containsCommit.json", // belongs to releases/v2 branch
},
},
}
client := github.NewClient(&httpClient)
gv := githubVerifier{
ctx: context.Background(),
client: client,
}
got, err := gv.contains("github", "codeql-action", "somehash")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if got != true {
t.Errorf("expected to contain hash, but it didnt")
}
}

func FuzzVerifyWorkflow(f *testing.F) {
testfiles := []string{
"testdata/workflow-valid.yml",
Expand Down

0 comments on commit efeceb7

Please sign in to comment.