cascading-runs: do verify that the sender is trusted

dscho · dscho · commit 5c35d7d6ce29 · 2025-11-18T21:33:08.000+01:00
The cascading runs feature of GitForWindows' GitHub App basically
listens for Check Runs to be completed, and upon their completion, other
automation is triggered. There are currently two such cascades:

- When the `tag-git` Check Run in a regular Git for Windows PR has
  completed (which is expected to be triggered via the `/git-artifacts`
  slash command by a trusted user), the corresponding `git-artifacts`
  workflow runs have been triggered, one per supported CPU architecture.

- When the `git-artifacts` Check Runs complete on a commit on
  git-for-windows/git's `main` branch that does _not_ correspond to a
  release, the `upload-snapshot` workflow needs to be triggered.

In both instances, we need to validate that the source of these Check
Runs is the intended one. We need that because Check Runs are also
created for regular workflow jobs, and so far the validation goes by
Check Run name, which is easily faked in a crafted PR.

So let's verify that the Check Run events in question were sent by a
trusted actor (and most notably _not_ by GitHub Actions implicit Check
Runs corresponding to PR workflow runs).

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
diff --git a/GitForWindowsHelper/cascading-runs.js b/GitForWindowsHelper/cascading-runs.js
@@ -11,6 +11,14 @@ const getToken = (() => {
     return async (context, owner, repo) => tokens[[owner, repo]] || (tokens[[owner, repo]] = await get(context, owner, repo))
 })()
 
+const isAllowed = async (login) => {
+    if (login === 'gitforwindowshelper[bot]') return true
+    const getCollaboratorPermissions = require('./get-collaborator-permissions')
+    const token = await getToken()
+    const permission = await getCollaboratorPermissions(context, token, owner, repo, login)
+    return ['ADMIN', 'MAINTAIN', 'WRITE'].includes(permission.toString())
+}
+
 const triggerGitArtifactsRuns = async (context, checkRunOwner, checkRunRepo, tagGitCheckRun) => {
     const commitSHA = tagGitCheckRun.head_sha
     const conclusion = tagGitCheckRun.conclusion
@@ -107,13 +115,16 @@ const cascadingRuns = async (context, req) => {
     const checkRunRepo = req.body.repository.name
     const checkRun = req.body.check_run
     const name = checkRun.name
+    const sender = req.body.sender.login
 
     if (action === 'completed') {
         if (name === 'tag-git') {
             if (checkRunOwner !== 'git-for-windows' || checkRunRepo !== 'git') {
                 throw new Error(`Refusing to handle cascading run in ${checkRunOwner}/${checkRunRepo}`)
             }
 
+            if (!await isAllowed(sender)) throw new Error(`${sender} is not allowed to do that`)
+
             const comment = await triggerGitArtifactsRuns(context, checkRunOwner, checkRunRepo, checkRun)
 
             const token = await getToken(context, checkRunOwner, checkRunRepo)
@@ -136,6 +147,8 @@ const cascadingRuns = async (context, req) => {
         if (checkRunOwner === 'git-for-windows'
             && checkRunRepo === 'git'
             && name.startsWith('git-artifacts-')) {
+            if (!await isAllowed(sender)) throw new Error(`${sender} is not allowed to do that`)
+
             const output = req.body.check_run.output
             const match = output.summary.match(
                 /Build Git (\S+) artifacts from commit (\S+) \(tag-git run #(\d+)\)/
