Skip to content

fix: Prevent a possible security issue when resolving a relay node wi… #1948

fix: Prevent a possible security issue when resolving a relay node wi…

fix: Prevent a possible security issue when resolving a relay node wi… #1948

Workflow file for this run

name: 🆙 Release
concurrency: release
on:
push:
branches:
- main
jobs:
release-file-check:
name: Get information about release
runs-on: ubuntu-latest
outputs:
changelog: ${{ steps.release-check.outputs.changelog }}
status: ${{ steps.release-check.outputs.release_status }}
change_type: ${{ steps.release-check.outputs.change_type }}
steps:
- uses: actions/checkout@v1
- name: Release file check
uses: ./.github/release-check-action
id: release-check
release:
name: Release
runs-on: ubuntu-latest
needs: release-file-check
if: ${{ needs.release-file-check.outputs.status == 'OK' }}
outputs:
version: ${{ steps.get-version.outputs.version }}
steps:
- uses: actions/checkout@v2
with:
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.10"
- name: Install deps
run: |
python -m pip install pip --upgrade
pip install poetry
pip install githubrelease
pip install autopub
pip install httpx
- name: Check if we should release
id: check_release
run: |
set +e
echo ::set-output name=release::$(autopub check)
- name: Publish
if: steps.check_release.outputs.release == ''
env:
GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_TOKEN }}
run: |
git remote set-url origin https://${{ secrets.BOT_TOKEN }}@github.com/${{ github.repository }}
autopub prepare
poetry build
autopub commit
autopub githubrelease
poetry publish --username __token__
- name: Get project version
id: get-version
shell: python
run: |
import os
from pathlib import Path
from autopub.base import get_project_version
with Path(os.environ["GITHUB_OUTPUT"]).open('a') as f:
f.write(f"version={get_project_version()}\n")
get-contributor-info:
name: Get PR info
runs-on: ubuntu-latest
needs: release-file-check
if: ${{ needs.release-file-check.outputs.status == 'OK' }}
outputs:
contributor-name: ${{ steps.get-info.outputs.contributor-name }}
contributor-username: ${{ steps.get-info.outputs.contributor-username }}
contributor-twitter-username: ${{ steps.get-info.outputs.contributor-twitter-username }}
pr-number: ${{ steps.get-info.outputs.pr-number }}
steps:
- name: Get PR info
id: get-info
uses: strawberry-graphql/get-pr-info-action@v6
update-release-on-github:
name: Update release on GitHub
runs-on: ubuntu-latest
needs: [release-file-check, get-contributor-info, release]
if: ${{ needs.release-file-check.outputs.status == 'OK' }}
steps:
- uses: actions/setup-python@v4
with:
python-version: "3.9"
- name: Install dependencies
run: pip install httpx
- name: Update release on GitHub
shell: python
run: |
import os
import httpx
tag = os.environ["TAG"]
contributor_username = os.environ["CONTRIBUTOR_USERNAME"]
pr_number = os.environ["PR_NUMBER"]
response = httpx.get(
url=f"https://api.github.com/repos/strawberry-graphql/strawberry/releases/tags/{tag}",
headers={
"Accept": "application/vnd.github.v3+json",
},
)
response.raise_for_status()
data = response.json()
release_id = data["id"]
release_body = data["body"].strip()
release_footer = f"""
Releases contributed by @{contributor_username} via #{pr_number}
""".strip()
updated_release_body = f"{release_body}\n\n{release_footer}"
response = httpx.patch(
url=f"https://api.github.com/repos/strawberry-graphql/strawberry/releases/{release_id}",
json={"body": updated_release_body},
headers={
"Accept": "application/vnd.github.v3+json",
"Authorization": f"token {os.environ['GITHUB_TOKEN']}",
},
)
response.raise_for_status()
env:
GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
TAG: ${{ needs.release.outputs.version }}
CONTRIBUTOR_USERNAME: ${{ needs.get-contributor-info.outputs.contributor-username }}
PR_NUMBER: ${{ needs.get-contributor-info.outputs.pr-number }}
read-tweet-md:
name: Read TWEET.md
runs-on: ubuntu-latest
needs: [release, get-contributor-info, release-file-check]
if: ${{ needs.release-file-check.outputs.status == 'OK' && needs.get-contributor-info.outputs.contributor-name }}
outputs:
tweet: ${{ steps.extract.outputs.tweet }}
has-tweet-file: ${{ steps.extract.outputs.has-tweet-file }}
steps:
- uses: actions/checkout@v1
- name: Extract tweet message and changelog
id: extract
uses: strawberry-graphql/tweet-actions/read-tweet@v6
with:
changelog: ${{ needs.release-file-check.outputs.changelog }}
version: ${{ needs.release.outputs.version }}
contributor_name: ${{ needs.get-contributor-info.outputs.contributor-name }}
contributor_twitter_username: ${{ needs.get-contributor-info.outputs.contributor-twitter-username }}
send-tweet:
name: Send tweet
runs-on: ubuntu-latest
needs: [release, read-tweet-md, get-contributor-info]
if: ${{ needs.release-file-check.outputs.status == 'OK' }}
steps:
- uses: actions/setup-python@v4
with:
python-version: "3.9"
- name: Install dependencies
run: pip install tweepy==4.14.0
- name: Send tweet
shell: python
run: |
import base64
import os
import tweepy
TWITTER_CONSUMER_KEY = os.environ["TWITTER_API_KEY"]
TWITTER_CONSUMER_SECRET = os.environ["TWITTER_API_SECRET"]
TWITTER_ACCESS_TOKEN = os.environ["TWITTER_ACCESS_TOKEN"]
TWITTER_ACCESS_TOKEN_SECRET = os.environ["TWITTER_ACCESS_TOKEN_SECRET"]
TWITTER_BEARER_TOKEN = os.environ["TWITTER_BEARER_TOKEN"]
tweepy_v2 = tweepy.Client(
TWITTER_BEARER_TOKEN,
consumer_key=TWITTER_CONSUMER_KEY,
consumer_secret=TWITTER_CONSUMER_SECRET,
access_token=TWITTER_ACCESS_TOKEN,
access_token_secret=TWITTER_ACCESS_TOKEN_SECRET,
)
def post_tweet() -> None:
text = base64.b64decode(os.environ["TWEET"]).decode("utf-8")
tweepy_v2.create_tweet(text=text)
post_tweet()
env:
TWEET: ${{ needs.read-tweet-md.outputs.tweet }}
TWITTER_API_KEY: ${{ secrets.TWITTER_API_KEY }}
TWITTER_API_SECRET: ${{ secrets.TWITTER_API_SECRET }}
TWITTER_ACCESS_TOKEN: ${{ secrets.TWITTER_ACCESS_TOKEN }}
TWITTER_ACCESS_TOKEN_SECRET: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }}
TWITTER_BEARER_TOKEN: ${{ secrets.TWITTER_BEARER_TOKEN }}
remove-tweet-file:
name: Remove TWEET.md
if: always() && needs.read-tweet-md.outputs.has-tweet-file == 'true'
needs: [send-tweet, read-tweet-md]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
persist-credentials: false
- name: Remove TWEET.md and commit
env:
GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
run: |
git config --global user.name 'Strawberry GraphQL Bot'
git config --global user.email '[email protected]'
git remote set-url origin https://${{ secrets.BOT_TOKEN }}@github.com/${{ github.repository }}
git pull
git rm TWEET.md
git commit -m "Remove TWEET.md"
git push