aws/ci security fix: checkout both PR and target branches, run CI set…

…up from target branch (which is safe), run tests from PR branch (to evaluate the PR) Signed-off-by: George Almasi <[email protected]>
keylime · Feb 6, 2024 · 478c3ad · 478c3ad
1 parent dfe73ec
commit 478c3ad
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/.github/workflows/awstest.yml b/.github/workflows/awstest.yml
@@ -12,7 +12,24 @@ jobs:
   awstest:
     runs-on: ubuntu-latest
     steps:
+      # ---------------------------
+      # check out the PR branch
+      # we run tests against the code in the PR branch
+      # ---------------------------
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{github.event.pull_request.head.ref}}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+          token: ${{github.token}}
+          path: 'pr-branch'
+
+      # ---------------------------
+      # check out the target branch
+      # all CI scripts that use secrets come from the target branch
+      # ---------------------------
       - uses: actions/checkout@v3
+        with:
+          path: 'target-branch'
 
       # ---------------------------
       # update the operating system
@@ -27,7 +44,7 @@ jobs:
       # ---------------------------
       - name: install awscli and helm
         run: |
-          . ./ci/util/util_awscli.sh
+          . ./target-branch/ci/util/util_awscli.sh
           awscli_config
           helm_install
         env:
@@ -40,7 +57,7 @@ jobs:
       # ---------------------------
       - name: create EC2 VM
         run: |
-          . ./ci/util/util_awscli.sh
+          . ./target-branch/ci/util/util_awscli.sh
           instanceid=$(awscli_launch ao)
           echo "instanceid=${instanceid}" >> ${GITHUB_ENV}
           awscli_wait_run ${instanceid} || exit -1
@@ -51,7 +68,7 @@ jobs:
       # ---------------------------
       - name: install and start minikube
         run: |
-          . ./ci/util/util_awscli.sh
+          . ./target-branch/ci/util/util_awscli.sh
           awscli_start_minikube ${ipaddr} && \
           awscli_access_minikube ${ipaddr}
 
@@ -60,15 +77,15 @@ jobs:
       # ---------------------------
       - name: run test scenarios
         run: |
-          ./ci/tests/runtests.sh
+          ./pr-branch/ci/tests/runtests.sh
 
       # ---------------------------
       # terminate the VM
       # ---------------------------
       - name: finish
         if: success() || failure()
         run: |
-          . ./ci/util/util_awscli.sh
+          . ./target-branch/ci/util/util_awscli.sh
           if [[ ${instanceid} != "" ]]
           then
               awscli_terminate ${instanceid}