ci: harden CI/CD security #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Tarball | |
| on: | |
| pull_request_target: | |
| branches: [main] | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| authorize: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| is_authorized: ${{ steps.check.outputs.is_authorized }} | |
| steps: | |
| - name: Check authorization | |
| id: check | |
| env: | |
| AUTHORIZED_USERS: ${{ secrets.AUTHORIZED_USERS }} | |
| ACTOR: ${{ github.actor }} | |
| run: | | |
| if [[ ",$AUTHORIZED_USERS," == *",$ACTOR,"* ]]; then | |
| echo "✅ User $ACTOR is authorized" | |
| echo "is_authorized=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "⏭️ User $ACTOR is not in AUTHORIZED_USERS — skipping." | |
| echo "is_authorized=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| pr-tarball: | |
| needs: authorize | |
| if: needs.authorize.outputs.is_authorized == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| persist-credentials: false | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version: '20.x' | |
| cache: 'npm' | |
| - name: Configure git | |
| run: | | |
| git config --global user.email "bedrock-agentcore-npm+ci@amazon.com" | |
| git config --global user.name "CI" | |
| - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 | |
| - run: npm ci | |
| - run: npm run build --if-present | |
| - run: npm pack | |
| - name: Get tarball info | |
| id: tarball | |
| run: | | |
| TARBALL_NAME=$(ls *.tgz | head -1 | xargs basename) | |
| echo "name=$TARBALL_NAME" >> $GITHUB_OUTPUT | |
| - name: Create or update PR release | |
| id: release | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| TARBALL_NAME: ${{ steps.tarball.outputs.name }} | |
| run: | | |
| TAG="pr-${PR_NUMBER}-tarball" | |
| # Delete existing release if it exists (to update the tarball) | |
| gh release delete "$TAG" --yes --cleanup-tag 2>/dev/null || true | |
| # Create a new pre-release with the tarball | |
| gh release create "$TAG" \ | |
| "${TARBALL_NAME}" \ | |
| --title "PR #${PR_NUMBER} Tarball" \ | |
| --notes "Auto-generated tarball for PR #${PR_NUMBER}." \ | |
| --draft \ | |
| --target "${{ github.event.pull_request.head.sha }}" | |
| DOWNLOAD_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${TARBALL_NAME}" | |
| echo "url=$DOWNLOAD_URL" >> $GITHUB_OUTPUT | |
| - name: Comment on PR | |
| uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3 | |
| with: | |
| header: tarball | |
| message: | | |
| ## Package Tarball | |
| **[${{ steps.tarball.outputs.name }}](${{ steps.release.outputs.url }})** | |
| ### How to install | |
| ```bash | |
| npm install ${{ steps.release.outputs.url }} | |
| ``` |