[Fix](GA)Add sha check for auto-pick-script (#42500)

## Proposed changes - Use pull_request_target to prevent unauthorized execution. - Add SHA checks to ensure that the file has not been tampered with, thus addressing security concerns.
apache · Oct 25, 2024 · 864f359 · 864f359
1 parent 25552e5
commit 864f359
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/.github/workflows/auto-cherry-pick.yml b/.github/workflows/auto-cherry-pick.yml
@@ -18,7 +18,7 @@
 name: Auto Cherry-Pick to Branch
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
     branches:
@@ -27,7 +27,6 @@ permissions:
   checks: write
   contents: write
   pull-requests: write
-  repository-projects: write
 jobs:
   auto_cherry_pick:
     runs-on: ubuntu-latest
@@ -44,7 +43,16 @@ jobs:
       - name: Install dependencies
         run: |
           pip install PyGithub
-
+      - name: Check SHA
+        run: |
+            expected_sha="1941de05514e15c216067778e0287b4c3ebcd6f6042ee189a12257bfd0cdd9f764e18c7dae5de868e9b7128ce3be98dc8f78252932cee7d55552fc0cf8b69496"
+            calculated_sha=$(sha512sum tools/auto-pick-script.py | awk '{ print $1 }')
+            if [ "$calculated_sha" != "$expected_sha" ]; then
+              echo "SHA mismatch! Expected: $expected_sha, but got: $calculated_sha"
+              exit 1
+            else
+              echo "SHA matches: $calculated_sha"
+            fi
       - name: Auto cherry-pick
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}