OSSForks/node
1
0
Fork 0
mirror of https://github.com/zebrajr/node.git synced 2026-01-15 12:15:26 +00:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

tools: ensure the PR was not pushed before merging

Browse Source 
When using Squash and Merge feature, it would allow to a malicious
actor to push unreviewed code to their PR while the CQ is running and
bypass the usual checks.
This commit adds a check to refuse to land if the head of the PR
branch is different from the one validated by ncu.

PR-URL: https://github.com/nodejs/node/pull/40747
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Voltrex <mohammadkeyvanzade94@gmail.com>
This commit is contained in:
Antoine du Hamel
2021-11-07 12:08:22 +01:00
committed by GitHub
parent 549a4c9163
commit 96e00e03cf
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
tools/actions/commit-queue.sh
View File

@@ -110,7 +110,8 @@ for pr in "$@"; do
jq -n \
--arg title "$(git log -1 --pretty='format:%s')" \
--arg body "$(git log -1 --pretty='format:%b')" \
'{merge_method:"squash",commit_title:$title,commit_message:$body}' > output.json
--arg head "$(grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse)" \
'{merge_method:"squash",commit_title:$title,commit_message:$body,sha:$head}' > output.json
cat output.json
gitHubCurl "$(mergeUrl "$pr")" PUT --data @output.json > output
cat output