Another Workflow Fix (#1208)

sublime-security · Dec 28, 2023 · 77f9378 · 77f9378
1 parent b3c8c29
commit 77f9378
Showing 1 changed file with 34 additions and 21 deletions.
diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml
@@ -36,43 +36,56 @@ jobs:
         id: comment_branch
 
       - name: Get Refs
-        id: get_refs
+        id: get_head_ref
         run: |
+          # Accurate for push events, other events require changes.
           head_ref="${{ github.head_ref }}"
           repo="${{ github.repository }}"
-          # Either of these must be set in block below
-          run_all=""
-          base_ref=""
 
           if [[ "${{ github.event_name }}" == 'pull_request_target' ]]; then
-            # Detect changes based on whatever we're merging into.
-            base_ref="${{ github.base_ref }}"
             repo="${{ github.event.pull_request.head.repo.full_name }}"
-          elif [[ "${{ github.event_name }}" == 'push' ]]; then
-            # Detect changes based on the previous commit
-            base_ref="$(git rev-parse HEAD^)"
           elif [[ "${{ github.event_name }}" == 'workflow_dispatch' ]]; then
             # Run on a target, so run for all rules.
             run_all="true"
           elif [[ "${{ github.event_name }}" == 'issue_comment' ]]; then
             # Rely on comment_branch to figure out the head and base
-            base_ref="${{ steps.comment_branch.outputs.base_ref }}"
             head_ref="${{ steps.comment_branch.outputs.head_ref }}"
             repo="${{ steps.comment_branch.outputs.head_owner }}/${{ steps.comment_branch.outputs.head_repo }}"
           fi
           
           echo "##[set-output name=head_ref;]$head_ref"
           echo "##[set-output name=repo;]$repo"
-          echo "##[set-output name=run_all;]$run_all"
-          echo "##[set-output name=base_ref;]$base_ref"
 
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          repository: ${{ steps.get_refs.outputs.repo }}
-          ref: ${{ steps.get_refs.outputs.head_ref }}
+          repository: ${{ steps.get_head_ref.outputs.repo }}
+          ref: ${{ steps.get_head_ref.outputs.head_ref }}
           fetch-depth: 0
 
+      - name: Get Refs
+        id: get_base_ref
+        run: |
+          run_all=""
+          base_ref=""
+
+          if [[ "${{ github.event_name }}" == 'pull_request_target' ]]; then
+            # Detect changes based on whatever we're merging into.
+            base_ref="${{ github.base_ref }}"
+          elif [[ "${{ github.event_name }}" == 'push' ]]; then
+            # Detect changes based on the previous commit
+            base_ref="$(git rev-parse HEAD^)"
+          elif [[ "${{ github.event_name }}" == 'workflow_dispatch' ]]; then
+            # Run on a target, so run for all rules.
+            run_all="true"
+          elif [[ "${{ github.event_name }}" == 'issue_comment' ]]; then
+            # Rely on comment_branch to figure out  base
+            base_ref="${{ steps.comment_branch.outputs.base_ref }}"
+          fi
+          
+          echo "##[set-output name=run_all;]$run_all"
+          echo "##[set-output name=base_ref;]$base_ref"
+
       - uses: actions/setup-python@v4
         with:
           python-version: '3.10'
@@ -136,7 +149,7 @@ jobs:
           git commit -m "Auto add rule ID"
           # This will only work when running for a pull_request_target, but rather than filter we'll let this expose
           # any issues.
-          git push origin ${{ steps.get_refs.outputs.head_ref }}
+          git push origin ${{ steps.get_head_ref.outputs.head_ref }}
 
       - name: Get the head SHA
         id: get_head
@@ -188,15 +201,15 @@ jobs:
 
       - name: Checkout base
         uses: actions/checkout@v4
-        if: ${{ steps.get_refs.outputs.run_all != 'true' }}
+        if: ${{ steps.get_base_ref.outputs.run_all != 'true' }}
         with:
-          ref: ${{ steps.get_refs.outputs.head_ref }}
+          ref: ${{ steps.get_base_ref.outputs.base_ref }}
           repository: sublime-security/sublime-rules
           depth: 0
           path: sr-main
 
       - name: Rename files in sr-main based on rule id
-        if: ${{ steps.get_refs.outputs.run_all != 'true' }}
+        if: ${{ steps.get_base_ref.outputs.run_all != 'true' }}
         run: |
           cd sr-main/detection-rules
 
@@ -213,7 +226,7 @@ jobs:
           for file in detection-rules/*.yml; do
             rule_id=$(yq '.id' $file)
           
-            if [[ "${{ steps.get_refs.outputs.run_all }}" == "true" ]]; then
+            if [[ "${{ steps.get_base_ref.outputs.run_all }}" == "true" ]]; then
               altered_rule_ids=$(echo "$rule_id"" ""$altered_rule_ids")
               continue
             fi
@@ -325,8 +338,8 @@ jobs:
       - name: "Trigger MQL Mimic Tests"
         env:
           trigger_url: '${{ secrets.MQL_MOCK_TRIGGER }}'
-          branch: '${{ steps.get_refs.outputs.head_ref }}'
-          repo: '${{ steps.get_refs.outputs.repo }}'
+          branch: '${{ steps.get_head_ref.outputs.head_ref }}'
+          repo: '${{ steps.get_head_ref.outputs.repo }}'
           token: '${{ secrets.GITHUB_TOKEN }}'
           sha: '${{ steps.get_head.outputs.HEAD }}'
           only_rule_ids: '${{ steps.find_ids.outputs.rule_ids }}'