diff --git a/.github/workflows/auto-merge-windows-version-definitions.yml b/.github/workflows/auto-merge-windows-version-definitions.yml
deleted file mode 100644
index dbd7530..0000000
--- a/.github/workflows/auto-merge-windows-version-definitions.yml
+++ /dev/null
@@ -1,70 +0,0 @@ -name: Auto-merge Windows Version Definition Updates - -on: - workflow_run: - workflows: ["PR-tests"] - types: [completed] - -permissions: - contents: write - pull-requests: write - -jobs: - auto-merge: - if: ${{ github.event.workflow_run.conclusion == 'success' }} - runs-on: ubuntu-latest - steps: - - name: Resolve matching pull request - id: pr - env: - GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }} - HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }} - EXPECTED_TITLE: "chore(winpeas): update windows version vulnerability definitions" - run: | - pr_number="$PR_NUMBER" - if [ -z "$pr_number" ] && [ -n "$HEAD_BRANCH" ]; then - pr_number="$(gh pr list --state open --head "$HEAD_BRANCH" --json number --jq '.[0].number')" - fi - if [ -z "$pr_number" ]; then - echo "No pull request found for this workflow_run; skipping." - echo "should_merge=false" >> "$GITHUB_OUTPUT" - exit 0 - fi - - title="$(gh pr view "$pr_number" --json title --jq .title)" - base_ref="$(gh pr view "$pr_number" --json baseRefName --jq .baseRefName)" - head_ref="$(gh pr view "$pr_number" --json headRefName --jq .headRefName)" - author="$(gh pr view "$pr_number" --json author --jq .author.login)" - - if [ "$title" != "$EXPECTED_TITLE" ]; then - echo "PR #$pr_number title does not match; skipping." - echo "should_merge=false" >> "$GITHUB_OUTPUT" - exit 0 - fi - if [ "$base_ref" != "master" ] || [ "$head_ref" != "bot/update-windows-version-definitions" ]; then - echo "PR #$pr_number is not the expected branch pair; skipping." - echo "should_merge=false" >> "$GITHUB_OUTPUT" - exit 0 - fi - if [ "$author" != "github-actions" ] && [ "$author" != "github-actions[bot]" ]; then - echo "PR #$pr_number author is $author; skipping." 
- echo "should_merge=false" >> "$GITHUB_OUTPUT" - exit 0 - fi - - echo "should_merge=true" >> "$GITHUB_OUTPUT" - echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT" - - - name: Merge matching pull request - if: ${{ steps.pr.outputs.should_merge == 'true' }} - env: - GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ steps.pr.outputs.pr_number }} - run: | - gh api \ - -X PUT \ - -H "Accept: application/vnd.github+json" \ - /repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge \ - -f merge_method=squash \ - -f commit_title="chore(winpeas): update windows version vulnerability definitions" diff --git a/.github/workflows/update_windows_version_definitions.yml b/.github/workflows/update_windows_version_definitions.yml index f1be6e0..e5f3ac6 100644 --- a/.github/workflows/update_windows_version_definitions.yml +++ b/.github/workflows/update_windows_version_definitions.yml @@ -35,7 +35,7 @@ jobs: - name: Validate windows version definitions run: python3 build_lists/validate_windows_version_defs.py - - name: Create update pull request + - name: Create and merge validated update pull request env: GH_TOKEN: ${{ github.token }} run: | 
@@ -66,3 +66,31 @@ jobs:
 --title "$title" \
 --body "Automated update of \`build_lists/windows_version_exploits.json\`. The generated JSON passed \`build_lists/validate_windows_version_defs.py\` before this PR was updated."
 fi
+
+ pr_number="$(gh pr list --state open --head "$branch" --base master --json number --jq '.[0].number')"
+ pr_json="$(gh pr view "$pr_number" --json title,baseRefName,headRefName,author,mergeable)"
+ pr_title="$(jq -r .title <<<"$pr_json")"
+ base_ref="$(jq -r .baseRefName <<<"$pr_json")"
+ head_ref="$(jq -r .headRefName <<<"$pr_json")"
+ author="$(jq -r .author.login <<<"$pr_json")"
+ mergeable="$(jq -r .mergeable <<<"$pr_json")"
+
+ if [ "$pr_title" != "$title" ] || [ "$base_ref" != "master" ] || [ "$head_ref" != "$branch" ]; then
+ echo "Refusing to merge unexpected PR #$pr_number: title=$pr_title base=$base_ref head=$head_ref"
+ exit 1
+ fi
+ if [ "$author" != "app/github-actions" ] && [ "$author" != "github-actions" ] && [ "$author" != "github-actions[bot]" ]; then
+ echo "Refusing to merge PR #$pr_number from unexpected author: $author"
+ exit 1
+ fi
+ if [ "$mergeable" != "MERGEABLE" ]; then
+ echo "Refusing to merge PR #$pr_number because mergeable=$mergeable"
+ exit 1
+ fi
+
+ gh api \
+ -X PUT \
+ -H "Accept: application/vnd.github+json" \
+ "/repos/${{ github.repository }}/pulls/${pr_number}/merge" \
+ -f merge_method=squash \
+ -f commit_title="$title"
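Review bot: The merge in this hunk never waits for the pull request's own checks — `mergeable` from `gh pr view` only reports conflict state (`MERGEABLE`/`CONFLICTING`/`UNKNOWN`), so the `PR-tests` success gate that the deleted `auto-merge-windows-version-definitions.yml` workflow enforced is dropped and the squash happens right after `gh pr create`. If master has required status checks the `PUT …/merge` call will be rejected, and if it does not the update lands without those checks having run; inserting `gh pr checks "$pr_number" --watch` before the `gh api` call restores the gate in-line and fails the step when a check fails. Related: GitHub computes mergeability asynchronously, so immediately after creation `mergeable` is frequently `UNKNOWN` and the third guard will `exit 1` spuriously — a short poll loop while it is `UNKNOWN` would make the step reliable. The enclosing `run: |` script begins outside this hunk (`$title` and `$branch` are set there).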