tools: ensure the PR was not pushed before merging
When using the Squash and Merge feature, it would allow a malicious
actor to push unreviewed code to their PR while the CQ is running and
bypass the usual checks.
This commit adds a check to refuse to land if the head of the PR
branch is different from the one validated by ncu.
aduh95 committed Nov 6, 2021
commit 8f1e23be8eee7a093ce7aca18476878deffe3b80
3 changes: 2 additions & 1 deletion tools/actions/commit-queue.sh
Expand Up @@ -110,7 +110,8 @@ for pr in "$@"; do
jq -n \
--arg title "$(git log -1 --pretty='format:%s')" \
--arg body "$(git log -1 --pretty='format:%b')" \
'{merge_method:"squash",commit_title:$title,commit_message:$body}' > output.json
--arg head "$(grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse)" \
'{merge_method:"squash",commit_title:$title,commit_message:$body,sha:$head}' > output.json
cat output.json
gitHubCurl "$(mergeUrl "$pr")" PUT --data @output.json > output
cat output
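Review bot: The `--arg head` line does not check that the `grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse` pipeline actually produced a commit id, so if the grep matches nothing or the log line changes shape, `$head` ends up empty or wrong and the request body still goes out with `sha:$head`. Since this value is the whole safeguard, compute it into a shell variable before the `jq` call, verify it is a full commit SHA, and skip the PR (fail closed) when it is not. Splitting on `.` with `cut -d. -f3` is also fragile: any other dot on that line shifts the field, so a stricter match on the hash itself would be safer. A short comment explaining that `sha` makes the merge conditional on the validated head would help the next reader.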