tools: ensure the PR was not pushed before merging

aduh95 · targos · commit a3df50d81027 · 2021-11-08T15:18:38.000+01:00
When using Squash and Merge feature, it would allow to a malicious actor to push unreviewed code to their PR while the CQ is running and bypass the usual checks. This commit adds a check to refuse to land if the head of the PR branch is different from the one validated by ncu. PR-URL: #40747 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Voltrex <mohammadkeyvanzade94@gmail.com>
diff --git a/tools/actions/commit-queue.sh b/tools/actions/commit-queue.sh
@@ -110,7 +110,8 @@ for pr in "$@"; do
     jq -n \
       --arg title "$(git log -1 --pretty='format:%s')" \
       --arg body "$(git log -1 --pretty='format:%b')" \
-      '{merge_method:"squash",commit_title:$title,commit_message:$body}' > output.json
+      --arg head "$(grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse)" \
+      '{merge_method:"squash",commit_title:$title,commit_message:$body,sha:$head}' > output.json
     cat output.json
     gitHubCurl "$(mergeUrl "$pr")" PUT --data @output.json > output
     cat output
