From f55e66894594440dcf6521572078b30f05bb0c59 Mon Sep 17 00:00:00 2001 From: Thomas Carmet <8408330+tcarmet@users.noreply.github.com> Date: Wed, 1 Nov 2023 00:03:40 +0000 Subject: [PATCH] PTFE-1063 reusable workflow to disallow the merge of large files --- .github/workflows/file-check.yaml | 38 ++++++++++++++++++ .github/workflows/tests.yaml | 5 ++- scripts/file-check.sh | 66 +++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/file-check.yaml create mode 100755 scripts/file-check.sh diff --git a/.github/workflows/file-check.yaml b/.github/workflows/file-check.yaml new file mode 100644 index 0000000..be5eb09 --- /dev/null +++ b/.github/workflows/file-check.yaml @@ -0,0 +1,38 @@ +--- + +# This workflow is a reusable workflow meant to be called on pull_request events. +# The goal is to check the files in the pull request to make sure they have the appropriate size and type. +# - We shouldn't allow files larger than 1MB. +# - We shouldn't allow merging binaries, tarballs, or other non-text files. + +name: file check + +on: + workflow_call: + inputs: + fetch-depth: + description: 'The number of commits included in the refspec for fetch' + required: false + default: 20 + type: number + +permissions: + pull-requests: read + contents: read + +jobs: + check: + runs-on: ubuntu-latest + steps: + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@v40 + - name: Check files + run: ./scripts/file-check.sh "${{ steps.changed-files.outputs.all_changed_files }}" + + + + + + + diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index e12485a..daf1362 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -1,4 +1,4 @@ -on: push +on: pull_request permissions: packages: write @@ -17,3 +17,6 @@ jobs: uses: ./.github/workflows/trivy.yaml with: name: '/test' + + file-check: + uses: ./.github/workflows/file-check.yaml \ No newline at end of file diff --git a/scripts/file-check.sh b/scripts/file-check.sh new file mode 100755 index 0000000..31aec82 --- /dev/null +++ b/scripts/file-check.sh @@ -0,0 +1,66 @@ +#!/bin/bash + +FILES=${1:-} +# File size limit, defaults to 1MB +LIMIT=${2:-1000000} +FORBIDDEN_FILE_EXTENSIONS=".tar.gz .gzip .deb .rpm .dnf" + +function is_lfs() { + # Check if file is a git lfs object or a regular git file + # Returns 0 if file is a git lfs object, 1 otherwise + git check-attr filter "$1" | grep -q "filter: lfs" && return 1 || return 1 + +} + +function check_file_extension() { + # Check the extension of a file and if it matches the forbidden extensions + # return 1, otherwise return true + + # Get the file extension + extension=$(echo "$1" | rev | cut -d'.' -f1 | rev) + # Check if the extension is in the forbidden extensions list + if [[ $FORBIDDEN_FILE_EXTENSIONS =~ $extension ]]; then + return 1 + else + return 0 + fi +} + +function check_file_size() { + # Check if the file size is greater than the limit + # Returns 0 if file size is less than the limit, 1 otherwise + size=$(wc -c <"$1") + if [[ $size -gt $LIMIT ]]; then + return 1 + else + return 0 + fi +} + +function log_error { + # log a GitHub Actions workflow command for errors. + message=$1 + file=$2 + echo "::error file=$file,line=1::${message}" +} + +for file in $FILES; do + is_lfs "$file" + IS_LFS=$? + # Check if the file is a git lfs object + if [[ ${IS_LFS} -eq 1 ]]; then + check_file_extension "$file" + FILE_EXTENSION=$? + check_file_size "$file" + FILE_SIZE=$? + + if [[ $size -gt $LIMIT ]]; then + log_error "File $file exceeds the size limit of $LIMIT bytes" $file + exit 1 + elif [[ ${FILE_EXTENSION} -eq 1 ]]; then + log_error "File $file is not a valid file type" $file + exit 1 + fi + fi + echo "File $file is valid" +done