Change the workflow process to check file integrity and forks #115
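name: Installation Check

on:
  pull_request:
    branches:
      - master
  push:
    branches:
      - master

# Read-only token: nothing here writes back to the repo, and the install
# scripts are executed from a PR checkout, so keep the blast radius minimal.
permissions:
  contents: read

jobs:
  secure-install-check:
    name: Secure Install Check
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      # TODO(review): pin this action to a full commit SHA rather than a
      # mutable tag, so a moved or compromised tag cannot change what runs.
      - name: Checkout PR branch with full history
        uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history is needed for the diff against upstream/master below

      - name: Add upstream remote and fetch base branch
        shell: bash
        env:
          REPO: ${{ github.repository }}
        run: |
          git remote add upstream "https://github.com/${REPO}.git"
          git fetch upstream master

      # A PR whose head repo is not this repo comes from a fork, i.e. from an
      # author who may not have write access. On push events (and when the head
      # repo has been deleted) HEAD_REPO is empty, so this resolves to
      # is_fork=true -- the safe default. Context values are passed through env
      # rather than interpolated into the script so they cannot inject code.
      - name: Detect fork
        id: forkcheck
        shell: pwsh
        env:
          BASE_REPO: ${{ github.repository }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          if ($env:BASE_REPO -ne $env:HEAD_REPO) {
            "is_fork=true" >> $env:GITHUB_OUTPUT
          } else {
            "is_fork=false" >> $env:GITHUB_OUTPUT
          }

      # Only the two entry scripts at the repo root are guarded.
      # NOTE(review): if either script dot-sources or imports other files from
      # this checkout, a fork PR could alter those without tripping this check;
      # confirm the scripts are self-contained or extend the pattern to cover
      # their dependencies. --no-renames makes git list both the old and new
      # path of a renamed file, so a rename cannot hide a touched script.
      - name: Check if install scripts were modified
        id: filecheck
        shell: bash
        run: |
          modified=$(git diff --name-only --no-renames upstream/master HEAD)
          printf '%s\n' "$modified"
          if printf '%s\n' "$modified" | grep -qE '^install-atomicredteam\.ps1$|^install-atomicsfolder\.ps1$'; then
            echo "scripts_modified=true" >> "$GITHUB_OUTPUT"
          else
            echo "scripts_modified=false" >> "$GITHUB_OUTPUT"
          fi

      # Trusted contexts, in order: the guarded scripts are unchanged; the event
      # is a push to master (already merged by someone with write access); or
      # the PR comes from a branch in this repo rather than a fork.
      # Everything else (modified scripts in a fork PR) is skipped.
      - name: Decide whether to run scripts
        id: safecheck
        shell: pwsh
        env:
          SCRIPTS_MODIFIED: ${{ steps.filecheck.outputs.scripts_modified }}
          EVENT_NAME: ${{ github.event_name }}
          IS_FORK: ${{ steps.forkcheck.outputs.is_fork }}
        run: |
          if ($env:SCRIPTS_MODIFIED -eq "false") {
            "safe=true" >> $env:GITHUB_OUTPUT
          } elseif ($env:EVENT_NAME -eq "push") {
            "safe=true" >> $env:GITHUB_OUTPUT
          } elseif ($env:IS_FORK -eq "false") {
            "safe=true" >> $env:GITHUB_OUTPUT
          } else {
            "safe=false" >> $env:GITHUB_OUTPUT
          }

      # Runs the checked-out scripts on the matrix runner; no secrets are
      # exposed to this job and the token is read-only (see permissions).
      - name: Execute install scripts
        if: steps.safecheck.outputs.safe == 'true'
        shell: pwsh
        run: |
          Write-Output "Running install scripts from trusted context"
          ./install-atomicredteam.ps1
          ./install-atomicsfolder.ps1

      - name: Skip script execution
        if: steps.safecheck.outputs.safe != 'true'
        run: |
          echo "::warning:: install scripts were modified in a forked PR. Skipping execution until merge."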