Rust: Query for cleartext logging of sensitive information #2658
# This workflow checks for any changes in .qhelp files in pull requests.
# For any changed files, it renders them to markdown in a file called `comment_body.txt`.
# It then checks if there's an existing comment on the pull request generated by
# this workflow, and writes the comment ID to `comment_id.txt`.
# It also writes the PR number to `pr_number.txt`.
# These three files are uploaded as an artifact.
# When this workflow completes, the workflow "Post PR comment" runs.
# It downloads the artifact and adds a comment to the PR with the rendered
# QHelp.
# The task is split like this because creating PR comments requires extra
# permissions that we don't want to expose to PRs from external forks.
# For more info see:
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
name: Render QHelp changes

# Read-only token for the whole workflow: nothing in the job below writes to
# the repository or to the PR, because posting the comment is delegated to the
# "Post PR comment" workflow described above. Keep it that way — the steps
# below feed PR-authored content (the changed .qhelp files) through codeql.
permissions:
  contents: read
  pull-requests: read

# `pull_request` rather than `pull_request_target`: the job runs with the
# fork-restricted token, which is what makes it acceptable to process
# PR-authored .qhelp content here. The `paths` filter limits runs to PRs that
# touch a .qhelp file. (`on` is a YAML 1.1 boolean-looking key — yamllint's
# `truthy` rule flags it, GitHub's loader handles it.)
on:
  pull_request:
    branches:
      - main
      - "rc/*"
    paths:
      - "**/*.qhelp"
jobs:
  qhelp:
    runs-on: ubuntu-latest
    steps:
      # github.event.number reaches the script through an env var rather than
      # being spliced into the command text — the pattern used for every
      # `${{ }}` value in this job.
      - run: echo "${PR_NUMBER}" > pr_number.txt
        env:
          PR_NUMBER: ${{ github.event.number }}
      # NOTE(review): the third-party actions in this job are pinned by major
      # tag (@v4); pinning to a full commit SHA is the stricter supply-chain
      # option if the repository's policy calls for it.
      - uses: actions/upload-artifact@v4
        with:
          name: comment-pr-number
          path: pr_number.txt
          if-no-files-found: error
          retention-days: 1
      # fetch-depth: 2 gives the `git diff HEAD~1 HEAD` below a parent to diff
      # against. persist-credentials: false keeps the token out of the
      # checkout's git config; nothing later in the job pushes or fetches.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
          persist-credentials: false
      - uses: ./.github/actions/fetch-codeql
      # Builds the NUL-separated list of .qhelp files to render, written to
      # "${RUNNER_TEMP}/paths.txt", from two sources:
      #   1. .qhelp files added/changed in the PR (HEAD~1 is presumably the base
      #      side of the merge commit checked out for pull_request events),
      #      excluding .inc.qhelp includes;
      #   2. for each changed .inc.qhelp include, the .qhelp files that mention
      #      its basename (git grep -l), since they embed it and need
      #      re-rendering too.
      # The trailing `grep -v '^-'` drops any path beginning with "-" so that
      # nothing in the list can be read as an option by the tools that consume
      # it; `sort -u` removes duplicates.
      # NOTE(review): no `shell:` is set, so this runs under GitHub's default
      # `bash -e` without pipefail — a grep that matches nothing in the middle
      # of a pipeline does not fail the step. Setting `shell: bash` (which
      # enables pipefail) would change that; confirm before doing so.
      # `id: changes` is not referenced by any other step in this file.
      - name: Determine changed files
        id: changes
        run: |
          (git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
          git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename -z | xargs --null -rn1 git grep -z -l) |
          grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"
      # Renders every listed file with `codeql generate query-help` and appends
      # the markdown to comment_body.txt, one <details> block per file.
      # - A listed path that no longer exists aborts the step immediately.
      # - codeql's stderr goes to errors.txt; if non-empty it is copied both
      #   into the comment body (fenced) and to the job log.
      # - Failures do not stop the loop: EXIT_CODE holds the status of the most
      #   recent failing codeql run and the step exits with it at the end, so
      #   every preview is produced before the job is marked failed.
      # - "./${path}" after "--" means a path can never be parsed as an option.
      # comment_body.txt is PR-authored content; the workflow that posts it as
      # a comment (outside this file) should treat it as untrusted markdown.
      - name: QHelp preview
        run: |
          EXIT_CODE=0
          echo "QHelp previews:" > comment_body.txt
          while read -r -d $'\0' path; do
            if [ ! -f "${path}" ]; then
              exit 1
            fi
            echo "<details> <summary>${path}</summary>"
            echo
            codeql generate query-help --format=markdown -- "./${path}" 2> errors.txt || EXIT_CODE="$?"
            if [ -s errors.txt ]; then
              echo "# errors/warnings:"
              echo '```'
              cat errors.txt
              cat errors.txt 1>&2
              echo '```'
            fi
            echo "</details>"
          done < "${RUNNER_TEMP}/paths.txt" >> comment_body.txt
          exit "${EXIT_CODE}"
      # `!cancelled()` uploads the body even when the preview step exited
      # non-zero, so rendering errors still reach the PR as part of the comment.
      - if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: comment-body
          path: comment_body.txt
          if-no-files-found: error
          retention-days: 1
      # Looks up the highest-id PR comment whose body starts with the same
      # "QHelp previews" prefix that the preview step writes as its first line;
      # the read-only token is sufficient for this. `--paginate` matters on PRs
      # with more than one page of comments. When no comment matches, jq's
      # `max` of an empty array is null, so comment_id.txt then contains
      # "null" — the consuming workflow has to handle that case.
      - name: Save ID of existing QHelp comment (if it exists)
        run: |
          # Find the latest comment starting with "QHelp previews"
          COMMENT_PREFIX="QHelp previews"
          gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" '[.[] | select(.body|startswith($prefix)) | .id] | max' > comment_id.txt
        env:
          GITHUB_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.number }}
      - uses: actions/upload-artifact@v4
        with:
          name: comment-id
          path: comment_id.txt
          if-no-files-found: error
          retention-days: 1