chore: secure hermetic_library_generation workflow (#2317)

* chore: secure hermetic_library_generation workflow Thanks to @diogoteles08 for the inspection on our repos. This PR inlines environment variables to avoid overriding script injections. * fix github object reference * Update hermetic_library_generation.yaml * Update hermetic_library_generation.yaml * fix env reference * use vars instead of env * workaround for indirectly referencing env in jobs.if * rename job * test job without steps * cleaner no-op step * rewording * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * simplify conditional generation --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
googleapis · Sep 3, 2024 · 1e9c8ab · 1e9c8ab
1 parent 78a19f0
commit 1e9c8ab
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
@@ -19,11 +19,11 @@ on:
 
 env:
   HEAD_REF: ${{ github.head_ref }}
+  REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+  GITHUB_REPOSITORY: ${{ github.repository }}
 
 jobs:
   library_generation:
-    # skip pull requests come from a forked repository
-    if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -34,6 +34,10 @@ jobs:
       shell: bash
       run: |
         set -ex
+        if [[ "${GITHUB_REPOSITORY}" != "${REPO_FULL_NAME}" ]]; then
+          echo "This PR comes from a fork. Generation will be skipped"
+          exit 0
+        fi
         [ -z "$(git config user.email)" ] && git config --global user.email "[email protected]"
         [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
         bash .github/scripts/hermetic_library_generation.sh \