Improve security of github action #232
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create translations patch | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| branches: | |
| - main | |
| jobs: | |
| create-translations-patch: | |
| if: github.actor == 'bc-svc-local' | |
| runs-on: ubuntu-latest | |
| # Add permissions block to limit token scope | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 2 | |
| - name: Validate inputs | |
| id: validate | |
| run: | | |
| # Validate ref name against allowed pattern (alphanumeric, dash, underscore, and forward slash only) | |
| if ! [[ "${{ github.event.pull_request.head.ref }}" =~ ^[a-zA-Z0-9/_-]+$ ]]; then | |
| echo "Error: Invalid branch name format" | |
| exit 1 | |
| fi | |
| echo "ref=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT | |
| - name: Use commit SHA for filename | |
| id: generate-sha | |
| run: | | |
| short_sha=$(echo "${GITHUB_SHA}" | cut -c1-8) | |
| echo "SHORT_SHA=$short_sha" >> $GITHUB_OUTPUT | |
| - name: Create a translations changeset | |
| env: | |
| SHORT_SHA: ${{ steps.generate-sha.outputs.SHORT_SHA }} | |
| run: | | |
| mkdir -p .changeset | |
| echo "--- | |
| \"@bigcommerce/catalyst-core\": patch | |
| --- | |
| Update translations." > .changeset/translations-patch-$SHORT_SHA.md | |
| - name: Commit changeset | |
| env: | |
| SHORT_SHA: ${{ steps.generate-sha.outputs.SHORT_SHA }} | |
| run: | | |
| git config --global user.name 'bc-svc-local' | |
| git config --global user.email '[email protected]' | |
| git add .changeset/translations-patch-$SHORT_SHA.md | |
| git commit -m "chore(core): create translations patch" | |
| - name: Push changes | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { repo, owner } = context.repo; | |
| const ref = '${{ steps.validate.outputs.ref }}'; | |
| await exec.exec('git', [ | |
| 'push', | |
| `https://x-access-token:${process.env.GITHUB_TOKEN}@github.com/${owner}/${repo}`, | |
| `HEAD:${ref}` | |
| ]); |