From ad6c942a281b0b8eff33dc75897671c44a9196fe Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 08:42:17 +0100 Subject: [PATCH 01/12] Apply automatic zizmor fixes --- action.yml | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/action.yml b/action.yml index 3dc5543..f083872 100644 --- a/action.yml +++ b/action.yml 
@@ -26,23 +26,35 @@ runs: - name: Set Conductor version shell: "bash" run: echo "CONDUCTOR_ACTION_VERSION=1.5.3" >> $GITHUB_ENV + - run: | CONDUCTOR_TOKEN=$(jq -r '.client_payload.composerAuthentication.token' $GITHUB_EVENT_PATH) echo "::add-mask::$CONDUCTOR_TOKEN" if: ${{ github.event.client_payload.composerAuthentication.type != 'none' }} shell: "bash" + - run: | + WEBHOOK_AUTHENTICATION_PASSWORD=$(jq -r '.client_payload.webhook.authentication.password' $GITHUB_EVENT_PATH) + echo "::add-mask::$WEBHOOK_AUTHENTICATION_PASSWORD" + shell: "bash" + - name: "Validate GitHub action version" shell: "bash" - run: "${GITHUB_ACTION_PATH}/bin/ci_version_check.sh ${{ github.event.client_payload.requirements.minimumCiActionVersion }} $CONDUCTOR_ACTION_VERSION" + run: "${GITHUB_ACTION_PATH}/bin/ci_version_check.sh ${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCIACTIONVERSION} $CONDUCTOR_ACTION_VERSION" + env: + GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCIACTIONVERSION: ${{ github.event.client_payload.requirements.minimumCiActionVersion }} - name: "Validate PHP version" shell: "bash" - run: "${GITHUB_ACTION_PATH}/bin/php_version_check.sh ${{ github.event.client_payload.requirements.minimumPhpVersion }}" + run: "${GITHUB_ACTION_PATH}/bin/php_version_check.sh ${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMPHPVERSION}" + env: + GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMPHPVERSION: ${{ github.event.client_payload.requirements.minimumPhpVersion }} - name: "Validate Composer version" shell: "bash" - run: "${GITHUB_ACTION_PATH}/bin/composer_version_check.sh ${{ github.event.client_payload.requirements.minimumComposerVersion }}" + run: "${GITHUB_ACTION_PATH}/bin/composer_version_check.sh ${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCOMPOSERVERSION}" + env: + GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCOMPOSERVERSION: ${{ github.event.client_payload.requirements.minimumComposerVersion }} - name: Store base commit info id: base_commit_info 
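Review bot: The new webhook-password masking step has no guard for a missing field: `jq -r` prints the literal `null` when `.client_payload.webhook.authentication.password` is absent, and `::add-mask::null` then redacts every occurrence of the word `null` in all later log output, including the jq-built JSON bodies of the webhook steps. Skip the mask when the value is empty or `null`, e.g. `if [[ -n "${WEBHOOK_AUTHENTICATION_PASSWORD}" && "${WEBHOOK_AUTHENTICATION_PASSWORD}" != "null" ]]; then echo "::add-mask::${WEBHOOK_AUTHENTICATION_PASSWORD}"; fi`; the Composer-token step above it has the same gap whenever `type != 'none'` but the token field is missing. Separately, the rewritten version-check run lines expand `${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUM*VERSION}` unquoted, so a payload value containing whitespace or glob characters is word-split or globbed into extra arguments before it reaches the check script; quote each expansion (e.g. `"${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMPHPVERSION}"`), and `$GITHUB_EVENT_PATH` in the two jq calls likewise.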
@@ -55,7 +67,9 @@ runs: - name: Configure Composer authentication shell: "bash" if: ${{ github.event.client_payload.composerAuthentication.type == 'environment' }} - run: echo 'COMPOSER_AUTH=${{ github.event.client_payload.composerAuthentication.environment }}' >> "$GITHUB_ENV" + run: echo 'COMPOSER_AUTH=${GITHUB_EVENT_CLIENT_PAYLOAD_COMPOSERAUTHENTICATION_ENVIRONMENT}' >> "$GITHUB_ENV" + env: + GITHUB_EVENT_CLIENT_PAYLOAD_COMPOSERAUTHENTICATION_ENVIRONMENT: ${{ github.event.client_payload.composerAuthentication.environment }} - name: Install dependencies uses: ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947 # 3.2.0 @@ -130,6 +144,9 @@ runs: CONDUCTOR_COMMIT_HASH: ${{ steps.conductor_commit_info.outputs.HASH }} CONDUCTOR_COMMIT_AUTHOR: ${{ steps.conductor_commit_info.outputs.AUTHOR }} CONDUCTOR_COMMIT_MESSAGE: ${{ steps.conductor_commit_info.outputs.MESSAGE }} + GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} + GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} + GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL: ${{ github.event.client_payload.webhook.executedUrl }} run: | jq -n '{ "runId": env.RUN_ID, @@ -150,10 +167,10 @@ runs: "ciScriptVersion": env.CONDUCTOR_ACTION_VERSION } }' | curl -fsSL -X POST \ - -u "${{ github.event.client_payload.webhook.authentication.username }}:${{ github.event.client_payload.webhook.authentication.password }}" \ + -u "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME}:${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD}" \ --header "Content-Type: application/json" \ --data @- \ - "${{ github.event.client_payload.webhook.executedUrl }}" + "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL}" - name: Call webhook from Private Packagist to notify about build failure shell: bash 
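Review bot: The rewritten `Configure Composer authentication` line places `${GITHUB_EVENT_CLIENT_PAYLOAD_COMPOSERAUTHENTICATION_ENVIRONMENT}` inside single quotes, so bash never expands it and `COMPOSER_AUTH` is set to that literal placeholder text instead of the payload value; the mechanical rewrite changed behaviour here, because the original `${{ }}` was substituted by the runner before the shell saw the single quotes. Writing this field into `$GITHUB_ENV` with a plain `echo "COMPOSER_AUTH=..."` is also fragile: a value containing a newline would define further environment variables, and a JSON auth blob can legitimately span lines. Prefer passing the value as a step-level `env:` entry on the steps that actually run Composer, or use the multi-line `COMPOSER_AUTH<<DELIM` form of `$GITHUB_ENV` with a delimiter the payload cannot predict.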
@@ -162,6 +179,9 @@ runs: BASE_COMMIT_HASH: ${{ steps.base_commit_info.outputs.HASH }} BASE_COMMIT_AUTHOR: ${{ steps.base_commit_info.outputs.AUTHOR }} BASE_COMMIT_MESSAGE: ${{ steps.base_commit_info.outputs.MESSAGE }} + GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} + GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} + GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL: ${{ github.event.client_payload.webhook.errorUrl }} if: ${{ failure() }} run: | jq -n '{ @@ -177,7 +197,7 @@ runs: "ciScriptVersion": env.CONDUCTOR_ACTION_VERSION } }' | curl -fsSL -X POST \ - -u "${{ github.event.client_payload.webhook.authentication.username }}:${{ github.event.client_payload.webhook.authentication.password }}" \ + -u "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME}:${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD}" \ --header "Content-Type: application/json" \ --data @- \ - "${{ github.event.client_payload.webhook.errorUrl }}" + "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL}" From 31a1a65a779465d2cd0fdf2a128f109c8bb7d884 Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 10:17:29 +0100 Subject: [PATCH 02/12] Validate webhook URLs and Composer commands from the incoming payload --- README.md | 15 ++++++++++++++ action.yml | 16 +++++++++++++-- bin/run_composer_command.sh | 41 +++++++++++++++++++++++++++++++++++++ bin/validate_webhook_url.sh | 32 +++++++++++++++++++++++++++++ 4 files changed, 102 insertions(+), 2 deletions(-) create mode 100755 bin/run_composer_command.sh create mode 100755 bin/validate_webhook_url.sh diff --git a/README.md b/README.md index d6cdbe7..3bb400f 100644 --- a/README.md +++ b/README.md 
@@ -81,6 +81,21 @@ For example: skip_git_hooks: "true" ``` +#### packagist_url + +The `packagist_url` input parameter sets the base URL of the Private Packagist instance that dispatches this action. +Webhook callbacks in the dispatched payload must point at a URL under this prefix; any other host is refused before +the action makes the HTTP request, preventing a hostile payload from redirecting the webhook (and its credentials) +to an attacker-controlled server. + +The default is `https://packagist.com`. Override it only when running a Private Packagist Self-Hosted installation: + +```yaml +- uses: packagist/conductor-github-action + with: + packagist_url: "https://packagist.example.com" +``` + ## Copyright and License The GitHub Action is licensed under the MIT License. diff --git a/action.yml b/action.yml index f083872..c2eb722 100644 --- a/action.yml +++ b/action.yml @@ -12,6 +12,10 @@ inputs: description: Skip any git hooks that get installed as part of the GitHub Action e.g. during composer install or update. default: 'false' required: false + packagist_url: + description: Base URL of the Private Packagist instance that dispatches this action. Webhook URLs in the payload must be under this prefix; requests to any other host are refused. Override this for self-hosted installations. + default: 'https://packagist.com' + required: false runs: using: "composite" 
@@ -78,15 +82,19 @@ runs: composer-options: "${{ github.event.client_payload.settings.debug == true && '-vvv' || '' }}" - name: Modify requirements in the composer.json - run: "${{ github.event.client_payload.settings.debug == true && github.event.client_payload.requireCommand.debug || github.event.client_payload.requireCommand.plain }}" if: ${{ github.event.client_payload.requireCommand }} shell: bash working-directory: "${{ github.event.client_payload.workingDirectory }}" + env: + COMPOSER_COMMAND_STRING: ${{ github.event.client_payload.settings.debug == true && github.event.client_payload.requireCommand.debug || github.event.client_payload.requireCommand.plain }} + run: '"${GITHUB_ACTION_PATH}/bin/run_composer_command.sh" require' - name: Composer update - run: "${{ github.event.client_payload.settings.debug == true && github.event.client_payload.updateCommand.debug || github.event.client_payload.updateCommand.plain }}" shell: bash working-directory: "${{ github.event.client_payload.workingDirectory }}" + env: + COMPOSER_COMMAND_STRING: ${{ github.event.client_payload.settings.debug == true && github.event.client_payload.updateCommand.debug || github.event.client_payload.updateCommand.plain }} + run: '"${GITHUB_ACTION_PATH}/bin/run_composer_command.sh" update' - name: Uninstall git hooks if: ${{ inputs.skip_git_hooks != 'false' }} @@ -147,7 +155,9 @@ runs: GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL: ${{ github.event.client_payload.webhook.executedUrl }} + PACKAGIST_URL: ${{ inputs.packagist_url }} run: | + "${GITHUB_ACTION_PATH}/bin/validate_webhook_url.sh" "${PACKAGIST_URL}" "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL}" jq -n '{ "runId": env.RUN_ID, "numberOfChangedFiles": env.CHANGED_FILES, 
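Review bot: The two Composer steps now validate the command string but still take `working-directory` straight from `github.event.client_payload.workingDirectory`, which the same payload controls, so Composer can be pointed at any directory the runner can reach (an absolute path, or one containing `..`); the README text added in this commit treats the payload as hostile, so this field deserves the same treatment. A small guard step before these steps would do, with `WORKING_DIRECTORY: ${{ github.event.client_payload.workingDirectory }}` in its `env:` and a body such as `case "${WORKING_DIRECTORY}" in /*|*..*) echo "::error ::workingDirectory must be a relative path inside the checkout"; exit 1 ;; esac`. The same field feeds the `Install dependencies` step, which starts above this hunk; I cannot see from here whether anything else constrains it.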
@@ -182,8 +192,10 @@ runs: GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL: ${{ github.event.client_payload.webhook.errorUrl }} + PACKAGIST_URL: ${{ inputs.packagist_url }} if: ${{ failure() }} run: | + "${GITHUB_ACTION_PATH}/bin/validate_webhook_url.sh" "${PACKAGIST_URL}" "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL}" jq -n '{ "runId": env.RUN_ID, "gitInfo": { diff --git a/bin/run_composer_command.sh b/bin/run_composer_command.sh new file mode 100755 index 0000000..ae158be --- /dev/null +++ b/bin/run_composer_command.sh 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bash +set -euo pipefail + +EXPECTED_SUBCOMMAND="${1:?expected subcommand required}" +: "${COMPOSER_COMMAND_STRING:?COMPOSER_COMMAND_STRING not set}" + +# `read -ra` splits on $IFS only; it does not expand $vars, run command +# substitutions, honour quoting, or perform globbing. Every shell metacharacter +# in the payload therefore stays as a literal byte inside its token. +read -ra TOKENS <<< "${COMPOSER_COMMAND_STRING}" + +if [[ "${#TOKENS[@]}" -lt 2 ]]; then + echo "::error ::composer command must contain at least a binary and a subcommand" + exit 1 +fi + +if [[ "${TOKENS[0]}" != "composer" ]]; then + echo "::error ::composer command must start with 'composer', got '${TOKENS[0]}'" + exit 1 +fi + +if [[ "${TOKENS[1]}" != "${EXPECTED_SUBCOMMAND}" ]]; then + echo "::error ::composer subcommand must be '${EXPECTED_SUBCOMMAND}', got '${TOKENS[1]}'" + exit 1 +fi + +# Reject tokens containing characters that have no business +# appearing in a Composer package name, version constraint, or flag. +SAFE_TOKEN_RE='^[A-Za-z0-9._:/@^+|=~*,<>!-]+$' +for token in "${TOKENS[@]}"; do + if [[ ! "${token}" =~ ${SAFE_TOKEN_RE} ]]; then + echo "::error ::composer command token '${token}' contains disallowed characters" + exit 1 + fi +done + +set -x +# Argv-form execution: bash passes each array element as one argv entry with +# no further parsing, so metacharacters inside a token reach composer as +# literal string data rather than as shell syntax. +exec composer "${TOKENS[@]:1}" diff --git a/bin/validate_webhook_url.sh b/bin/validate_webhook_url.sh new file mode 100755 index 0000000..97afe6a --- /dev/null +++ b/bin/validate_webhook_url.sh 
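Review bot: `read -ra TOKENS <<< "${COMPOSER_COMMAND_STRING}"` consumes only the first line of the value, so a multi-line command string is silently truncated rather than rejected and nothing after the first newline is validated or logged; reject it up front, e.g. `if [[ "${COMPOSER_COMMAND_STRING}" == *$'\n'* ]]; then echo "::error ::composer command must be a single line"; exit 1; fi`. The allowlist also accepts any option token (anything starting with `-` that matches `SAFE_TOKEN_RE`), so if the intent is to confine the payload to package and version arguments, options such as `--working-dir` or its `-d` short form still pass here and change where Composer runs; an explicit allowlist of permitted options would close that. Finally, bracket ranges like `[A-Za-z0-9]` in `SAFE_TOKEN_RE` — and in the `case` pattern of `validate_webhook_url.sh` in this commit and `BRANCH_RE` in `branch_name_check.sh` in the next one — are collation-dependent in non-C locales on older libc versions; `export LC_ALL=C` near the top of each script makes the intended ASCII ranges unambiguous.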
@@ -0,0 +1,32 @@ +#!/usr/bin/env bash +set -euo pipefail + +TRUSTED_BASE="${1:?trusted base URL required}" +URL="${2:?webhook URL required}" + +# Strip a single trailing slash from the base so the prefix check below can +# always append "/". Requiring the URL to start with "/" prevents a host +# like "packagist.com.evil.example" from sneaking past "packagist.com". +TRUSTED_BASE="${TRUSTED_BASE%/}" + +case "${TRUSTED_BASE}" in + https://*) ;; + *) echo "::error ::packagist_url must use https://, got '${TRUSTED_BASE}'"; exit 1 ;; +esac + +case "${URL}" in + "${TRUSTED_BASE}/"*) ;; + *) echo "::error ::webhook URL '${URL}' is not under the trusted base '${TRUSTED_BASE}/'"; exit 1 ;; +esac + +# Restrict the path portion after the trusted base to alphanumerics, dashes, +# and forward slashes. This blocks query strings, fragments, percent-encoding, +# and any other characters that have no business appearing in a Conductor +# webhook callback path. +SUFFIX="${URL#"${TRUSTED_BASE}/"}" +case "${SUFFIX}" in + *[!A-Za-z0-9/-]*) + echo "::error ::webhook URL path '${SUFFIX}' must contain only alphanumerics, '-' and '/'" + exit 1 + ;; +esac From b15d7dcfd0d2e567bd6e543d33e07914699c16a1 Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 10:21:22 +0100 Subject: [PATCH 03/12] Fix potential code injection via template expansion with payload.branch --- action.yml | 36 +++++++++++++++++++++++++----------- bin/branch_name_check.sh | 13 +++++++++++++ 2 files changed, 38 insertions(+), 11 deletions(-) create mode 100755 bin/branch_name_check.sh diff --git a/action.yml b/action.yml index c2eb722..4ff6ff4 100644 --- a/action.yml +++ b/action.yml 
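Review bot: On the failure paths the script echoes the rejected payload value verbatim inside a `::error ::` annotation, and an `echo` of a value containing a newline starts a fresh log line that the runner parses for workflow commands, so a hostile URL can emit arbitrary annotations or `::add-mask::` lines through this path. Strip line breaks before printing, e.g. `echo "::error ::webhook URL '${URL//$'\n'/ }' is not under the trusted base '${TRUSTED_BASE}/'"`, or print a fixed message without the value; `branch_name_check.sh` in the next commit has the same pattern. Otherwise the prefix logic reads as sound: the `case` pattern is quoted so `TRUSTED_BASE` is matched literally, and the suffix character class rules out `@`, `?`, `#`, `:` and `.` after the base.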
@@ -20,17 +20,6 @@ inputs: runs: using: "composite" steps: - # Temporary workaround to make sure you can set up Conductor for - # the first time. The CI verification job runs "composer update nothing" - # which fails if your composer.lock contains any versions with - # known security issues in Composer >=2.9.0 - - name: Set security blocking environment variable - shell: "bash" - run: echo "COMPOSER_NO_SECURITY_BLOCKING=${{ github.event.client_payload.branch == 'conductor-nothing' && 1 || 0 }}" >> $GITHUB_ENV - - name: Set Conductor version - shell: "bash" - run: echo "CONDUCTOR_ACTION_VERSION=1.5.3" >> $GITHUB_ENV - - run: | CONDUCTOR_TOKEN=$(jq -r '.client_payload.composerAuthentication.token' $GITHUB_EVENT_PATH) echo "::add-mask::$CONDUCTOR_TOKEN" @@ -42,6 +31,16 @@ runs: echo "::add-mask::$WEBHOOK_AUTHENTICATION_PASSWORD" shell: "bash" + - name: Set Conductor version + shell: "bash" + run: echo "CONDUCTOR_ACTION_VERSION=1.5.3" >> $GITHUB_ENV + + - name: Validate Conductor branch name + shell: "bash" + env: + BRANCH: ${{ github.event.client_payload.branch }} + run: '"${GITHUB_ACTION_PATH}/bin/validate_branch_name.sh" "${BRANCH}"' + - name: "Validate GitHub action version" shell: "bash" run: "${GITHUB_ACTION_PATH}/bin/ci_version_check.sh ${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCIACTIONVERSION} $CONDUCTOR_ACTION_VERSION" 
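Review bot: The new `Validate Conductor branch name` step runs `${GITHUB_ACTION_PATH}/bin/validate_branch_name.sh`, but the script this commit creates is `bin/branch_name_check.sh`, so the step fails with a missing-file error on every run; the line should read `run: '"${GITHUB_ACTION_PATH}/bin/branch_name_check.sh" "${BRANCH}"'`. Moving the two masking steps to the very top of `steps:` is the right call, since every later step that receives payload values via `env:` now runs after `::add-mask::` has been issued.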
@@ -60,6 +59,21 @@ runs: env: GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCOMPOSERVERSION: ${{ github.event.client_payload.requirements.minimumComposerVersion }} + # Temporary workaround to make sure you can set up Conductor for + # the first time. The CI verification job runs "composer update nothing" + # which fails if your composer.lock contains any versions with + # known security issues in Composer >=2.9.0 + - name: Set security blocking environment variable + shell: "bash" + env: + BRANCH: ${{ github.event.client_payload.branch }} + run: | + if [[ "${BRANCH}" == "conductor-nothing" ]]; then + echo "COMPOSER_NO_SECURITY_BLOCKING=1" >> "$GITHUB_ENV" + else + echo "COMPOSER_NO_SECURITY_BLOCKING=0" >> "$GITHUB_ENV" + fi + - name: Store base commit info id: base_commit_info run: | diff --git a/bin/branch_name_check.sh b/bin/branch_name_check.sh new file mode 100755 index 0000000..42ec794 --- /dev/null +++ b/bin/branch_name_check.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +set -euo pipefail + +BRANCH="${1:?branch name required}" + +# Require every Conductor-managed branch to start with the literal prefix +# "conductor" and contain only characters that are safe inside a git refspec. +BRANCH_RE='^conductor[A-Za-z0-9._/-]*$' + +if [[ ! "${BRANCH}" =~ ${BRANCH_RE} ]]; then + echo "::error ::branch '${BRANCH}' is not allowed; must start with 'conductor' and contain only [A-Za-z0-9._/-]" + exit 1 +fi From efd8d731db71a5c66cf6751492b4d3b2bcb2977f Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 10:34:57 +0100 Subject: [PATCH 04/12] Fix stray semicolon --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 4ff6ff4..e21d51d 100644 --- a/action.yml +++ b/action.yml 
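Review bot: `BRANCH_RE='^conductor[A-Za-z0-9._/-]*$'` still admits strings that are not valid git branch names — `conductor..x`, `conductor/`, `conductor/.hidden`, or a `.lock` suffix — so a malformed payload fails later at a git step with a less clear error instead of here; after the regex check add `git check-ref-format --branch "${BRANCH}" >/dev/null` so git's own ref rules apply. The regex does guarantee the value cannot start with `-`, which is what protects the later git invocations from option injection, so keep it as the first check. Where the branch value is consumed by git is outside this hunk.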
@@ -158,7 +158,7 @@ runs: - name: Call webhook from Private Packagist to create the pull request shell: bash env: - RUN_ID: ${{ github.run_id }}; + RUN_ID: ${{ github.run_id }} CHANGED_FILES: ${{ steps.number_of_changed_files.outputs.COUNT }} BASE_COMMIT_HASH: ${{ steps.base_commit_info.outputs.HASH }} BASE_COMMIT_AUTHOR: ${{ steps.base_commit_info.outputs.AUTHOR }} From 91295e1a93b7f644a62d1e7c18c4dfad780a008f Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 10:43:27 +0100 Subject: [PATCH 05/12] GitHub Actions: configure zizmor to run on every PR/main --- .github/workflows/zizmor.yml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..09f35c9 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,35 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: # zizmor: ignore[concurrency-limits] + push: + branches: + - main + paths: + - '.github/workflows/*.yml' + - 'action.yml' + pull_request: + paths: + - '.github/workflows/*.yml' + - 'action.yml' + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false + annotations: true + online-audits: false + persona: 'pedantic' From 4523e1c20876cf4d544e96590526bb3f5e9d66a0 Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 11:09:21 +0100 Subject: [PATCH 06/12] Fix action.yml input description --- action.yml | 2 +- bin/run_composer_command.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/action.yml b/action.yml index e21d51d..99830c1 100644 --- a/action.yml +++ b/action.yml @@ -13,7 +13,7 @@ inputs: default: 'false' required: false packagist_url: - description: Base URL of the Private Packagist instance that dispatches this action. Webhook URLs in the payload must be under this prefix; requests to any other host are refused. Override this for self-hosted installations. + description: Base URL of the Private Packagist instance that dispatches this action. Webhook URLs in the payload must be under this prefix. Requests to any other host are refused. Override this for Self-Hosted installations. default: 'https://packagist.com' required: false diff --git a/bin/run_composer_command.sh b/bin/run_composer_command.sh index ae158be..baaa049 100755 --- a/bin/run_composer_command.sh +++ b/bin/run_composer_command.sh @@ -36,6 +36,6 @@ done set -x # Argv-form execution: bash passes each array element as one argv entry with -# no further parsing, so metacharacters inside a token reach composer as +# no further parsing, so metacharacters inside a token reach Composer as # literal string data rather than as shell syntax. exec composer "${TOKENS[@]:1}" From f6690b6bf0a86e8a5688f7e449aaf230dacb0825 Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 11:20:35 +0100 Subject: [PATCH 07/12] Fix check file names --- action.yml | 6 +++--- bin/{validate_webhook_url.sh => webhook_url_check.sh} | 0 2 files changed, 3 insertions(+), 3 deletions(-) rename bin/{validate_webhook_url.sh => webhook_url_check.sh} (100%) diff --git a/action.yml b/action.yml index 99830c1..f9e497a 100644 --- a/action.yml +++ b/action.yml @@ -39,7 +39,7 @@ runs: shell: "bash" env: BRANCH: ${{ github.event.client_payload.branch }} - run: '"${GITHUB_ACTION_PATH}/bin/validate_branch_name.sh" "${BRANCH}"' + run: '"${GITHUB_ACTION_PATH}/bin/branch_name_check.sh" "${BRANCH}"' - name: "Validate GitHub action version" shell: "bash" 
@@ -171,7 +171,7 @@ runs: GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL: ${{ github.event.client_payload.webhook.executedUrl }} PACKAGIST_URL: ${{ inputs.packagist_url }} run: | - "${GITHUB_ACTION_PATH}/bin/validate_webhook_url.sh" "${PACKAGIST_URL}" "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL}" + "${GITHUB_ACTION_PATH}/bin/webhook_url_check.sh" "${PACKAGIST_URL}" "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL}" jq -n '{ "runId": env.RUN_ID, "numberOfChangedFiles": env.CHANGED_FILES, @@ -209,7 +209,7 @@ runs: PACKAGIST_URL: ${{ inputs.packagist_url }} if: ${{ failure() }} run: | - "${GITHUB_ACTION_PATH}/bin/validate_webhook_url.sh" "${PACKAGIST_URL}" "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL}" + "${GITHUB_ACTION_PATH}/bin/webhook_url_check.sh" "${PACKAGIST_URL}" "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL}" jq -n '{ "runId": env.RUN_ID, "gitInfo": { diff --git a/bin/validate_webhook_url.sh b/bin/webhook_url_check.sh similarity index 100% rename from bin/validate_webhook_url.sh rename to bin/webhook_url_check.sh From 6ac2914e235389cbbf45ddad1d2ef0e2ee29a6c7 Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 13:23:58 +0100 Subject: [PATCH 08/12] Attempts at fixinig COMPOSER_AUTH --- action.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/action.yml b/action.yml index f9e497a..63e82f9 100644 --- a/action.yml +++ b/action.yml 
@@ -82,15 +82,10 @@ runs: git log -1 --format="MESSAGE=%s" >> $GITHUB_OUTPUT shell: bash - - name: Configure Composer authentication - shell: "bash" - if: ${{ github.event.client_payload.composerAuthentication.type == 'environment' }} - run: echo 'COMPOSER_AUTH=${GITHUB_EVENT_CLIENT_PAYLOAD_COMPOSERAUTHENTICATION_ENVIRONMENT}' >> "$GITHUB_ENV" - env: - GITHUB_EVENT_CLIENT_PAYLOAD_COMPOSERAUTHENTICATION_ENVIRONMENT: ${{ github.event.client_payload.composerAuthentication.environment }} - - name: Install dependencies uses: ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947 # 3.2.0 + env: + COMPOSER_AUTH: ${{ github.event.client_payload.composerAuthentication.type == 'environment' && github.event.client_payload.composerAuthentication.environment || env.COMPOSER_AUTH }} with: working-directory: "${{ github.event.client_payload.workingDirectory }}" composer-options: "${{ github.event.client_payload.settings.debug == true && '-vvv' || '' }}" @@ -101,6 +96,7 @@ runs: working-directory: "${{ github.event.client_payload.workingDirectory }}" env: COMPOSER_COMMAND_STRING: ${{ github.event.client_payload.settings.debug == true && github.event.client_payload.requireCommand.debug || github.event.client_payload.requireCommand.plain }} + COMPOSER_AUTH: ${{ github.event.client_payload.composerAuthentication.type == 'environment' && github.event.client_payload.composerAuthentication.environment || env.COMPOSER_AUTH }} run: '"${GITHUB_ACTION_PATH}/bin/run_composer_command.sh" require' - name: Composer update 
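Review bot: Only `composerAuthentication.token` is masked by the first step of the action, so whatever credentials the `composerAuthentication.environment` JSON carries now reach this step's `env:` (and the two Composer steps in this hunk and the next) unmasked; add a matching `::add-mask::` for that field in the mask step, e.g. via `jq -r '.client_payload.composerAuthentication.environment'`, guarded against an empty or `null` result. The `COMPOSER_AUTH` expression is also repeated verbatim on three steps, and its `|| env.COMPOSER_AUTH` fallback kicks in whenever `environment` is present but empty, the usual `&&`/`||` pitfall of GitHub expressions, so a caller-provided `COMPOSER_AUTH` would silently replace an intentionally empty payload value. I cannot tell from this hunk whether `env.COMPOSER_AUTH` resolves to anything inside the composite action; if it does not, the fallback is always empty and can be dropped.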
@@ -108,6 +104,7 @@ runs: working-directory: "${{ github.event.client_payload.workingDirectory }}" env: COMPOSER_COMMAND_STRING: ${{ github.event.client_payload.settings.debug == true && github.event.client_payload.updateCommand.debug || github.event.client_payload.updateCommand.plain }} + COMPOSER_AUTH: ${{ github.event.client_payload.composerAuthentication.type == 'environment' && github.event.client_payload.composerAuthentication.environment || env.COMPOSER_AUTH }} run: '"${GITHUB_ACTION_PATH}/bin/run_composer_command.sh" update' - name: Uninstall git hooks From 281d4effde4d706fcc177894ef7fd12ff0ad447b Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 14:23:39 +0100 Subject: [PATCH 09/12] Document masking + CONDUCTOR_ACTION_VERSION steps --- action.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/action.yml b/action.yml index 63e82f9..2684ac1 100644 --- a/action.yml +++ b/action.yml @@ -20,17 +20,21 @@ inputs: runs: using: "composite" steps: - - run: | + # Set local environment variables using jq instead of passing the values via env: to not leak secrets before maksing them + - name: Mask Composer authentication token + shell: "bash" + run: | CONDUCTOR_TOKEN=$(jq -r '.client_payload.composerAuthentication.token' $GITHUB_EVENT_PATH) echo "::add-mask::$CONDUCTOR_TOKEN" if: ${{ github.event.client_payload.composerAuthentication.type != 'none' }} - shell: "bash" - - run: | + - name: Mask webhook authentication token + shell: "bash" + run: | WEBHOOK_AUTHENTICATION_PASSWORD=$(jq -r '.client_payload.webhook.authentication.password' $GITHUB_EVENT_PATH) echo "::add-mask::$WEBHOOK_AUTHENTICATION_PASSWORD" - shell: "bash" + # This is the version that needs to be increased for each release of the GitHub Action - name: Set Conductor version shell: "bash" run: echo "CONDUCTOR_ACTION_VERSION=1.5.3" >> $GITHUB_ENV 
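Review bot: The new comment above the mask steps misspells `masking` as `maksing`; suggested wording: `# Read these values with jq instead of passing them via env:, so secrets are never logged before they are masked`. The second step is named `Mask webhook authentication token` but masks `.webhook.authentication.password`; naming it `Mask webhook authentication password` matches the field it reads.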
@@ -59,10 +63,10 @@ runs: env: GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCOMPOSERVERSION: ${{ github.event.client_payload.requirements.minimumComposerVersion }} - # Temporary workaround to make sure you can set up Conductor for - # the first time. The CI verification job runs "composer update nothing" - # which fails if your composer.lock contains any versions with - # known security issues in Composer >=2.9.0 + # Temporary workaround to make sure you can set up Conductor for + # the first time. The CI verification job runs "composer update nothing" + # which fails if your composer.lock contains any versions with + # known security issues in Composer >=2.9.0 - name: Set security blocking environment variable shell: "bash" env: From a71d345489d362f1062587eeaeee81b6c7fce936 Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 15:06:50 +0100 Subject: [PATCH 10/12] Fix env variable names by dropping the GITHUB_EVENT_CLIENT_PAYLOAD_ --- action.yml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/action.yml b/action.yml index 2684ac1..f3eef08 100644 --- a/action.yml +++ b/action.yml 
@@ -41,27 +41,27 @@ runs: - name: Validate Conductor branch name shell: "bash" + run: '"${GITHUB_ACTION_PATH}/bin/branch_name_check.sh" "${BRANCH}"' env: BRANCH: ${{ github.event.client_payload.branch }} - run: '"${GITHUB_ACTION_PATH}/bin/branch_name_check.sh" "${BRANCH}"' - name: "Validate GitHub action version" shell: "bash" - run: "${GITHUB_ACTION_PATH}/bin/ci_version_check.sh ${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCIACTIONVERSION} $CONDUCTOR_ACTION_VERSION" + run: "${GITHUB_ACTION_PATH}/bin/ci_version_check.sh ${MINIMUM_CI_ACTION_VERSION} $CONDUCTOR_ACTION_VERSION" env: - GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCIACTIONVERSION: ${{ github.event.client_payload.requirements.minimumCiActionVersion }} + MINIMUM_CI_ACTION_VERSION: ${{ github.event.client_payload.requirements.minimumCiActionVersion }} - name: "Validate PHP version" shell: "bash" - run: "${GITHUB_ACTION_PATH}/bin/php_version_check.sh ${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMPHPVERSION}" + run: "${GITHUB_ACTION_PATH}/bin/php_version_check.sh ${MINIMUM_PHP_VERSION}" env: - GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMPHPVERSION: ${{ github.event.client_payload.requirements.minimumPhpVersion }} + MINIMUM_PHP_VERSION: ${{ github.event.client_payload.requirements.minimumPhpVersion }} - name: "Validate Composer version" shell: "bash" - run: "${GITHUB_ACTION_PATH}/bin/composer_version_check.sh ${GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCOMPOSERVERSION}" + run: "${GITHUB_ACTION_PATH}/bin/composer_version_check.sh ${MINIMUM_COMPOSER_VERSION}" env: - GITHUB_EVENT_CLIENT_PAYLOAD_REQUIREMENTS_MINIMUMCOMPOSERVERSION: ${{ github.event.client_payload.requirements.minimumComposerVersion }} + MINIMUM_COMPOSER_VERSION: ${{ github.event.client_payload.requirements.minimumComposerVersion }} # Temporary workaround to make sure you can set up Conductor for # the first time. The CI verification job runs "composer update nothing" 
@@ -167,12 +167,12 @@ runs: CONDUCTOR_COMMIT_HASH: ${{ steps.conductor_commit_info.outputs.HASH }} CONDUCTOR_COMMIT_AUTHOR: ${{ steps.conductor_commit_info.outputs.AUTHOR }} CONDUCTOR_COMMIT_MESSAGE: ${{ steps.conductor_commit_info.outputs.MESSAGE }} - GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} - GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} - GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL: ${{ github.event.client_payload.webhook.executedUrl }} + WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} + WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} + WEBHOOK_EXECUTEDURL: ${{ github.event.client_payload.webhook.executedUrl }} PACKAGIST_URL: ${{ inputs.packagist_url }} run: | - "${GITHUB_ACTION_PATH}/bin/webhook_url_check.sh" "${PACKAGIST_URL}" "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL}" + "${GITHUB_ACTION_PATH}/bin/webhook_url_check.sh" "${PACKAGIST_URL}" "${WEBHOOK_EXECUTEDURL}" jq -n '{ "runId": env.RUN_ID, "numberOfChangedFiles": env.CHANGED_FILES, @@ -192,10 +192,10 @@ runs: "ciScriptVersion": env.CONDUCTOR_ACTION_VERSION } }' | curl -fsSL -X POST \ - -u "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME}:${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD}" \ + -u "${WEBHOOK_AUTHENTICATION_USERNAME}:${WEBHOOK_AUTHENTICATION_PASSWORD}" \ --header "Content-Type: application/json" \ --data @- \ - "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_EXECUTEDURL}" + "${WEBHOOK_EXECUTEDURL}" - name: Call webhook from Private Packagist to notify about build failure shell: bash 
@@ -204,13 +204,13 @@ runs: BASE_COMMIT_HASH: ${{ steps.base_commit_info.outputs.HASH }} BASE_COMMIT_AUTHOR: ${{ steps.base_commit_info.outputs.AUTHOR }} BASE_COMMIT_MESSAGE: ${{ steps.base_commit_info.outputs.MESSAGE }} - GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} - GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} - GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL: ${{ github.event.client_payload.webhook.errorUrl }} + WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} + WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} + WEBHOOK_ERRORURL: ${{ github.event.client_payload.webhook.errorUrl }} PACKAGIST_URL: ${{ inputs.packagist_url }} if: ${{ failure() }} run: | - "${GITHUB_ACTION_PATH}/bin/webhook_url_check.sh" "${PACKAGIST_URL}" "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL}" + "${GITHUB_ACTION_PATH}/bin/webhook_url_check.sh" "${PACKAGIST_URL}" "${WEBHOOK_ERRORURL}" jq -n '{ "runId": env.RUN_ID, "gitInfo": { @@ -224,7 +224,7 @@ runs: "ciScriptVersion": env.CONDUCTOR_ACTION_VERSION } }' | curl -fsSL -X POST \ - -u "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_USERNAME}:${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_AUTHENTICATION_PASSWORD}" \ + -u "${WEBHOOK_AUTHENTICATION_USERNAME}:${WEBHOOK_AUTHENTICATION_PASSWORD}" \ --header "Content-Type: application/json" \ --data @- \ - "${GITHUB_EVENT_CLIENT_PAYLOAD_WEBHOOK_ERRORURL}" + "${WEBHOOK_ERRORURL}" From b86d17b4e41fd90e019a34c3a3153bce2acc7ccd Mon Sep 17 00:00:00 2001 From: Stephan Vock Date: Tue, 21 Apr 2026 15:14:58 +0100 Subject: [PATCH 11/12] Sort GitHub action step properties to be consistent accross the action --- action.yml | 72 +++++++++++++++++++++++++++--------------------------- 1 file changed, 36 insertions(+), 36 deletions(-) 
diff --git a/action.yml b/action.yml index f3eef08..24155c4 100644 --- a/action.yml +++ b/action.yml @@ -22,43 +22,43 @@ runs: steps: # Set local environment variables using jq instead of passing the values via env: to not leak secrets before maksing them - name: Mask Composer authentication token - shell: "bash" + shell: bash run: | CONDUCTOR_TOKEN=$(jq -r '.client_payload.composerAuthentication.token' $GITHUB_EVENT_PATH) echo "::add-mask::$CONDUCTOR_TOKEN" if: ${{ github.event.client_payload.composerAuthentication.type != 'none' }} - name: Mask webhook authentication token - shell: "bash" + shell: bash run: | WEBHOOK_AUTHENTICATION_PASSWORD=$(jq -r '.client_payload.webhook.authentication.password' $GITHUB_EVENT_PATH) echo "::add-mask::$WEBHOOK_AUTHENTICATION_PASSWORD" # This is the version that needs to be increased for each release of the GitHub Action - name: Set Conductor version - shell: "bash" + shell: bash run: echo "CONDUCTOR_ACTION_VERSION=1.5.3" >> $GITHUB_ENV - name: Validate Conductor branch name - shell: "bash" + shell: bash run: '"${GITHUB_ACTION_PATH}/bin/branch_name_check.sh" "${BRANCH}"' env: BRANCH: ${{ github.event.client_payload.branch }} - name: "Validate GitHub action version" - shell: "bash" + shell: bash run: "${GITHUB_ACTION_PATH}/bin/ci_version_check.sh ${MINIMUM_CI_ACTION_VERSION} $CONDUCTOR_ACTION_VERSION" env: MINIMUM_CI_ACTION_VERSION: ${{ github.event.client_payload.requirements.minimumCiActionVersion }} - name: "Validate PHP version" - shell: "bash" + shell: bash run: "${GITHUB_ACTION_PATH}/bin/php_version_check.sh ${MINIMUM_PHP_VERSION}" env: MINIMUM_PHP_VERSION: ${{ github.event.client_payload.requirements.minimumPhpVersion }} - name: "Validate Composer version" - shell: "bash" + shell: bash run: "${GITHUB_ACTION_PATH}/bin/composer_version_check.sh ${MINIMUM_COMPOSER_VERSION}" env: MINIMUM_COMPOSER_VERSION: ${{ github.event.client_payload.requirements.minimumComposerVersion }} 
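Review bot: The property order is still not uniform after this sort: `if:` follows `run:` in the "Mask Composer authentication token" step in this hunk, precedes `shell:` in "Modify requirements in the composer.json", sits between `shell:` and `run:` in "Uninstall git hooks" and the failure-webhook step, and comes after `run:` again in "Push branch" (all in later hunks of this patch). Since the commit's stated purpose is a consistent order, fixing one position for `if:` across every conditional step would complete it; placing it directly after `name:` reads best, as the condition decides whether the remainder of the step runs at all.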
@@ -68,23 +68,23 @@ runs: # which fails if your composer.lock contains any versions with # known security issues in Composer >=2.9.0 - name: Set security blocking environment variable - shell: "bash" - env: - BRANCH: ${{ github.event.client_payload.branch }} + shell: bash run: | if [[ "${BRANCH}" == "conductor-nothing" ]]; then echo "COMPOSER_NO_SECURITY_BLOCKING=1" >> "$GITHUB_ENV" else echo "COMPOSER_NO_SECURITY_BLOCKING=0" >> "$GITHUB_ENV" fi + env: + BRANCH: ${{ github.event.client_payload.branch }} - name: Store base commit info + shell: bash id: base_commit_info run: | git log -1 --format="HASH=%H" >> $GITHUB_OUTPUT git log -1 --format="AUTHOR=%an" >> $GITHUB_OUTPUT git log -1 --format="MESSAGE=%s" >> $GITHUB_OUTPUT - shell: bash - name: Install dependencies uses: ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947 # 3.2.0 
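Review bot: Within this hunk the security-blocking step appends with `>> "$GITHUB_ENV"` while "Store base commit info" writes `>> $GITHUB_OUTPUT` unquoted three times; "Store number of changed files" and "Store Conductor commit info" in a later hunk of this patch do the same. Both paths are runner-provided, so this is a consistency point rather than a defect, but as the commit is about uniform step layout, `>> "$GITHUB_OUTPUT"` everywhere would match the quoted form already used here.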
@@ -97,36 +97,36 @@ runs: - name: Modify requirements in the composer.json if: ${{ github.event.client_payload.requireCommand }} shell: bash + run: '"${GITHUB_ACTION_PATH}/bin/run_composer_command.sh" require' working-directory: "${{ github.event.client_payload.workingDirectory }}" env: COMPOSER_COMMAND_STRING: ${{ github.event.client_payload.settings.debug == true && github.event.client_payload.requireCommand.debug || github.event.client_payload.requireCommand.plain }} COMPOSER_AUTH: ${{ github.event.client_payload.composerAuthentication.type == 'environment' && github.event.client_payload.composerAuthentication.environment || env.COMPOSER_AUTH }} - run: '"${GITHUB_ACTION_PATH}/bin/run_composer_command.sh" require' - name: Composer update shell: bash + run: '"${GITHUB_ACTION_PATH}/bin/run_composer_command.sh" update' working-directory: "${{ github.event.client_payload.workingDirectory }}" env: COMPOSER_COMMAND_STRING: ${{ github.event.client_payload.settings.debug == true && github.event.client_payload.updateCommand.debug || github.event.client_payload.updateCommand.plain }} COMPOSER_AUTH: ${{ github.event.client_payload.composerAuthentication.type == 'environment' && github.event.client_payload.composerAuthentication.environment || env.COMPOSER_AUTH }} - run: '"${GITHUB_ACTION_PATH}/bin/run_composer_command.sh" update' - name: Uninstall git hooks + shell: bash if: ${{ inputs.skip_git_hooks != 'false' }} run: "rm -rf .git/hooks" - shell: "bash" - name: Create branch - run: git checkout -b $BRANCH shell: bash + run: git checkout -b $BRANCH env: BRANCH: ${{ github.event.client_payload.branch }} - name: Add files + shell: bash run: | read -r -a PATTERN_EXPANDED <<< "$FILE_PATTERN"; git add ${FILE_PATTERN:+"${PATTERN_EXPANDED[@]}"}; - shell: bash env: FILE_PATTERN: ${{ inputs.file_pattern }} 
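Review bot: The `COMPOSER_AUTH` entry in the "Modify requirements in the composer.json" and "Composer update" steps passes `github.event.client_payload.composerAuthentication.environment` through `env:`, which the comment at the top of the steps list identifies as the path that can expose payload values before they are masked; the two mask steps cover only `.composerAuthentication.token` and `.webhook.authentication.password`. Whether `.environment` holds credentials is not visible here, but it is assigned to `COMPOSER_AUTH`, which Composer reads as its authentication configuration, so that seems likely. If it does, a mask step analogous to the existing ones — read the value with `jq -r '.client_payload.composerAuthentication.environment' $GITHUB_EVENT_PATH` and emit `::add-mask::` for it, escaping newlines if it is a multi-line JSON document — placed before these steps would close the gap.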
@@ -137,40 +137,27 @@ runs: skip-empty: true - name: Store number of changed files + shell: bash id: number_of_changed_files run: echo "COUNT=$(git --no-pager diff --name-only $GITHUB_SHA | wc -l | tr -d ' ')" >> $GITHUB_OUTPUT - shell: bash - name: Store Conductor commit info + shell: bash id: conductor_commit_info run: | git log -1 --format="HASH=%H" >> $GITHUB_OUTPUT git log -1 --format="AUTHOR=%an" >> $GITHUB_OUTPUT git log -1 --format="MESSAGE=%s" >> $GITHUB_OUTPUT - shell: bash - name: Push branch - run: git push origin $BRANCH --force shell: bash + run: git push origin $BRANCH --force if: ${{ steps.number_of_changed_files.outputs.COUNT != 0 }} env: BRANCH: ${{ github.event.client_payload.branch }} - name: Call webhook from Private Packagist to create the pull request shell: bash - env: - RUN_ID: ${{ github.run_id }} - CHANGED_FILES: ${{ steps.number_of_changed_files.outputs.COUNT }} - BASE_COMMIT_HASH: ${{ steps.base_commit_info.outputs.HASH }} - BASE_COMMIT_AUTHOR: ${{ steps.base_commit_info.outputs.AUTHOR }} - BASE_COMMIT_MESSAGE: ${{ steps.base_commit_info.outputs.MESSAGE }} - CONDUCTOR_COMMIT_HASH: ${{ steps.conductor_commit_info.outputs.HASH }} - CONDUCTOR_COMMIT_AUTHOR: ${{ steps.conductor_commit_info.outputs.AUTHOR }} - CONDUCTOR_COMMIT_MESSAGE: ${{ steps.conductor_commit_info.outputs.MESSAGE }} - WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} - WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} - WEBHOOK_EXECUTEDURL: ${{ github.event.client_payload.webhook.executedUrl }} - PACKAGIST_URL: ${{ inputs.packagist_url }} run: | "${GITHUB_ACTION_PATH}/bin/webhook_url_check.sh" "${PACKAGIST_URL}" "${WEBHOOK_EXECUTEDURL}" jq -n '{ 
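Review bot: `git push origin $BRANCH --force` in the "Push branch" step expands `$BRANCH` unquoted (as does `git checkout -b $BRANCH` in the previous hunk), while every other use of this payload-derived value on the page is written `"${BRANCH}"`. The value has passed `branch_name_check.sh` by this point, so the practical exposure depends on what that script rejects, which is not visible here; quoting it as `run: git push origin "${BRANCH}" --force` removes the reliance on that script for word-splitting and glob expansion and matches the rest of the file.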
@@ -196,18 +183,22 @@ runs: --header "Content-Type: application/json" \ --data @- \ "${WEBHOOK_EXECUTEDURL}" - - - name: Call webhook from Private Packagist to notify about build failure - shell: bash env: RUN_ID: ${{ github.run_id }} + CHANGED_FILES: ${{ steps.number_of_changed_files.outputs.COUNT }} BASE_COMMIT_HASH: ${{ steps.base_commit_info.outputs.HASH }} BASE_COMMIT_AUTHOR: ${{ steps.base_commit_info.outputs.AUTHOR }} BASE_COMMIT_MESSAGE: ${{ steps.base_commit_info.outputs.MESSAGE }} + CONDUCTOR_COMMIT_HASH: ${{ steps.conductor_commit_info.outputs.HASH }} + CONDUCTOR_COMMIT_AUTHOR: ${{ steps.conductor_commit_info.outputs.AUTHOR }} + CONDUCTOR_COMMIT_MESSAGE: ${{ steps.conductor_commit_info.outputs.MESSAGE }} WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} - WEBHOOK_ERRORURL: ${{ github.event.client_payload.webhook.errorUrl }} + WEBHOOK_EXECUTEDURL: ${{ github.event.client_payload.webhook.executedUrl }} PACKAGIST_URL: ${{ inputs.packagist_url }} + + - name: Call webhook from Private Packagist to notify about build failure + shell: bash if: ${{ failure() }} run: | "${GITHUB_ACTION_PATH}/bin/webhook_url_check.sh" "${PACKAGIST_URL}" "${WEBHOOK_ERRORURL}" @@ -228,3 +219,12 @@ runs: --header "Content-Type: application/json" \ --data @- \ "${WEBHOOK_ERRORURL}" + env: + RUN_ID: ${{ github.run_id }} + BASE_COMMIT_HASH: ${{ steps.base_commit_info.outputs.HASH }} + BASE_COMMIT_AUTHOR: ${{ steps.base_commit_info.outputs.AUTHOR }} + BASE_COMMIT_MESSAGE: ${{ steps.base_commit_info.outputs.MESSAGE }} + WEBHOOK_AUTHENTICATION_USERNAME: ${{ github.event.client_payload.webhook.authentication.username }} + WEBHOOK_AUTHENTICATION_PASSWORD: ${{ github.event.client_payload.webhook.authentication.password }} + WEBHOOK_ERRORURL: ${{ github.event.client_payload.webhook.errorUrl }} + PACKAGIST_URL: ${{ inputs.packagist_url }} 
From 4406dc10d551d093405f75f3b8cdea6dd0b57013 Mon Sep 17 00:00:00 2001 From: Stephan Date: Tue, 21 Apr 2026 15:21:32 +0100 Subject: [PATCH 12/12] Update action.yml Co-authored-by: Igor Benko --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 24155c4..c36b5da 100644 --- a/action.yml +++ b/action.yml @@ -20,7 +20,7 @@ inputs: runs: using: "composite" steps: - # Set local environment variables using jq instead of passing the values via env: to not leak secrets before maksing them + # Set local environment variables using jq instead of passing the values via env: to not leak secrets before masking them - name: Mask Composer authentication token shell: bash run: |