splitting the apk generation from the commenting to prevent action attacks when specifying the checkout target

2022-03-17 23:42:18 +00:00 · 2022-03-17 23:42:18 +00:00 · 2ab2253e7a
parent d2891cac69
commit 2ab2253e7a
2 changed files with 50 additions and 26 deletions
--- a/.github/workflows/check_size.yml
+++ b/.github/workflows/check_size.yml
@ -1,14 +1,7 @@
 name: Check Size

-## Workaround for allow size checks on external PRs/dependabot
 on:
-  pull_request_target:
-    types:
-      - opened
-      - synchronize
-      - reopened
-permissions:
-  pull-requests: write
+  pull_request:

 jobs:
  check-size:
@ -44,23 +37,12 @@ jobs:
          chmod +x bin/bundletool
          echo "$(pwd)/bin" >> $GITHUB_PATH

-      - name: Check release size
+      - name: Save Size
        run: |
-          echo "::set-output name=APK_SIZE::$(./tools/check-size.sh | tail -1 | cut -d ',' -f2-)"
-        id: size
-
-      - name: Find Comment
-        uses: peter-evans/find-comment@v1
-        id: fc
+          mkdir -p ./apk_size
+          echo $(./tools/check-size.sh | tail -1 | cut -d ',' -f2-) > ./apk_size/size.txt
+      - uses: actions/upload-artifact@v3
        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-author: 'github-actions[bot]'
-          body-includes: APK Size
-      - name: Publish size to PR
-        uses: peter-evans/create-or-update-comment@v1
-        with:
-          comment-id: ${{ steps.fc.outputs.comment-id }}
-          issue-number: ${{ github.event.pull_request.number }}
-          body: |
-            APK Size: ${{ steps.size.outputs.APK_SIZE }}
-          edit-mode: replace
+          name: apk-size
+          path: apk_size/size.txt
+          retention-days: 5
--- a/.github/workflows/comment_size.yml
+++ b/.github/workflows/comment_size.yml
@ -0,0 +1,42 @@
+name: Comment APK Size
+
+on:
+  workflow_run:
+    workflows: [ "Check Size" ]
+    types:
+      - completed
+
+jobs:
+  comment-size:
+    name: Comment Size
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: apk-size
+          path: ~/apk-size.txt
+
+      - name: Check release size
+        run: |
+          echo "::set-output name=APK_SIZE::$(cat ~/apk-size.txt)"
+        id: size
+
+      - name: Find Comment
+        uses: peter-evans/find-comment@v1
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: APK Size
+      - name: Publish size to PR
+        uses: peter-evans/create-or-update-comment@v1
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            APK Size: ${{ steps.size.outputs.APK_SIZE }}
+          edit-mode: replace