ci: Fix Development Freeze Automation

Due to the limitation of `GITHUB_TOKEN` when running workflows from forks,
it's required to split the `development_freeze` workflow in two.

* First workflow will run on the `pull_request` trigger and save the PR
number in the artifact. This workflow is running with read-only permissions
on `GITHUB_TOKEN`.
* Second workflow will get triggered on `workflow_run`. It will be run
directly in the `systemd/systemd` context and can get permission to be
able to create comments on PR.

GITHUB_TOKEN limitations:

* https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

GitHub Security Labs Article - How to correctly and safely overcome GITHUB_TOKEN limitations:

* https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

diff --git a/.github/workflows/development_freeze.yml b/.github/workflows/development_freeze.yml
index 42889f9f7511fd8024a54ab123b97d661b826979..0d54bc262c5a44e8fc27a74de09cc41350ee4ac4 100644 (file)
--- a/.github/workflows/development_freeze.yml
+++ b/.github/workflows/development_freeze.yml
@@ -3,27 +3,72 @@
 
 name: Development Freeze
 on:
-  pull_request:
-    types: [ opened, reopened, synchronize ]
-    branches: [ main ]
+  workflow_run:
+    workflows: [ Gather Pull Request Metadata ]
+    types:
+      - completed
+
+env:
+  PULL_REQUEST_METADATA_DIR: pull_request
+  PULL_REQUEST_METADATA_FILE: metadata
 
 permissions:
   contents: read
 
 jobs:
   freezer:
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.repository == 'systemd/systemd'
     runs-on: ubuntu-22.04
-    if: github.repository == 'systemd/systemd'
 
     permissions:
       pull-requests: write
 
     steps:
-      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - name: Download Pull Request Metadata artifact
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
+        with:
+          script: |
+            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{ github.event.workflow_run.id }},
+            });
+
+            const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "${{ env.PULL_REQUEST_METADATA_FILE }}"
+            })[0];
+
+            const download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+
+            const fs = require('fs');
+            fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data));
+
+      - run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip
+
+      - name: 'Get Pull Request number'
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}'));
+            core.exportVariable('pr_number', pr_number);
+
+      - name: Repository checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
         with:
           fetch-depth: 0
 
       - name: Development Freezer
-        uses: redhat-plumbers-in-action/devel-freezer@1bce2d1d64db1a22f13cd6e4bff0b4f3847236c7
+        uses: redhat-plumbers-in-action/devel-freezer@13b6551f19ade74ca79be4cab06b815a4ffffa64
         with:
+          pr-number: ${{ env.pr_number }}
           token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
new file mode 100644 (file)
index 0000000..5f0a5ab
--- /dev/null
+++ b/.github/workflows/gather-pr-metadata.yml
@@ -0,0 +1,37 @@
+---
+
+name: Gather Pull Request Metadata
+
+on:
+  pull_request:
+    branches: [ main ]
+
+env:
+  PULL_REQUEST_METADATA_DIR: pull_request
+  PULL_REQUEST_METADATA_FILE: metadata
+
+permissions:
+  contents: read
+
+jobs:
+  gather-metadata:
+    if: github.repository == 'systemd/systemd'
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Repository checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        with:
+          fetch-depth: 0
+
+      - name: Store PR number in file
+        run: |
+          mkdir -p ./${{ env.PULL_REQUEST_METADATA_DIR }}
+          echo ${{ github.event.number }} > ./${{ env.PULL_REQUEST_METADATA_DIR }}/${{ env.PULL_REQUEST_METADATA_FILE }}
+
+      - name: Upload Pull Request Metadata artifact
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        with:
+          name: ${{ env.PULL_REQUEST_METADATA_FILE }}
+          path: ${{ env.PULL_REQUEST_METADATA_DIR }}
+          retention-days: 1