[release-20.0] Security improvements to GitHub Actions (#17520) #3546
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Assign Milestone | |
| on: | |
| pull_request_target: | |
| types: [opened] | |
| permissions: | |
| pull-requests: write | |
| contents: read | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| jobs: | |
| build: | |
| name: Assign Milestone | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| <<<<<<< HEAD | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: 1.22.10 | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| ======= | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| # We must explicitly checkout the base's SHA to avoid executing any code coming from | |
| # the PR's SHA - Which would be executed in the base branch's context. | |
| # This is really important to limit any sort of pwn requests. | |
| ref: ${{ github.base_ref }} | |
| persist-credentials: 'false' | |
| >>>>>>> cbf146b5eb (Security improvements to GitHub Actions (#17520)) | |
| - name: Assign Milestone | |
| run: | | |
| # Ensure the content we sed from version.go is sanitized and match the correct format | |
| VERSION=$(sed -n 's/.*versionName.*\"\([[:digit:]\.]*\).*\"/\1/p' ./go/vt/servenv/version.go) | |
| if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "Invalid version format: $VERSION" | |
| exit 1 | |
| fi | |
| gh pr edit ${{ github.event.number }} --milestone "v$VERSION" |