ci: POC of untrsuted code exec on PR action #432
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: pr-check | |
| # Note: If you need to make changes to this file, please use a branch off the main branch instead of a fork. | |
| # The pull_request target from a forked repo will not have access to the secrets needed for this workflow. | |
| on: | |
| pull_request_target: | |
| pull_request: | |
| paths: | |
| - '.github/workflows/pr-check.yml' | |
| permissions: | |
| id-token: write # This is needed for Azure login with OIDC | |
| jobs: | |
| deploy: | |
| environment: Automation test # this environment requires approval before running the action | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| checks: write | |
| id-token: write | |
| continue-on-error: true | |
| strategy: | |
| matrix: | |
| os: [windows-latest, ubuntu-latest] | |
| env: | |
| TEST_DB: 'SqlActionTest-${{ matrix.os }}' | |
| steps: | |
| - name: Checkout from PR branch | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Installing node_modules | |
| run: npm install | |
| - name: Build GitHub Action | |
| run: npm run build | |
| - name: Azure Login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| # Deploy a DACPAC with only a table to server | |
| - name: Test DACPAC Action | |
| uses: ./ | |
| with: | |
| connection-string: 'Server=${{ secrets.TEST_SERVER }};Initial Catalog=${{ env.TEST_DB }};Authentication=Active Directory Default;' | |
| path: ./__testdata__/sql-action.dacpac | |
| action: 'publish' | |
| # Build and publish sqlproj that should create a new view | |
| - name: Test Build and Publish | |
| uses: ./ | |
| with: | |
| connection-string: 'Server=${{ secrets.TEST_SERVER }};Initial Catalog=${{ env.TEST_DB }};Authentication=Active Directory Default;' | |
| path: ./__testdata__/TestProject/sql-action.sqlproj | |
| action: 'publish' | |
| # Execute testsql.sql via script action on server | |
| - name: Test SQL Action | |
| uses: ./ | |
| with: | |
| connection-string: 'Server=${{ secrets.TEST_SERVER }};Initial Catalog=${{ env.TEST_DB }};Authentication=Active Directory Default;' | |
| path: ./__testdata__/testsql.sql | |
| - name: Cleanup Test Database | |
| if: always() | |
| uses: ./ | |
| with: | |
| connection-string: 'Server=${{ secrets.TEST_SERVER }};Initial Catalog=master;Authentication=Active Directory Default;' | |
| path: ./__testdata__/cleanup.sql | |
| arguments: '-v DbName="${{ env.TEST_DB }}"' |