Making the bot more secure by using the pull_request_target event. (#2133)

* Making the bot more secure by using the pull_request_target event.

Co-authored-by: Sean Morgan <seanmorgan@outlook.com>

Author: gabrieldemarmiesse

.github/workflows/ci_test.yml

@@ -94,7 +94,9 @@ jobs:
           python-version: 3.7
       - run: pip install pygithub click
       - name: Check that the CODEOWNERS is valid
-        run: python .github/workflows/notify_codeowners.py .github/CODEOWNERS
+        env:
+          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+        run: python .github/workflows/notify_codeowners.py
   nbfmt:
     name: Notebook format
     runs-on: ubuntu-latest

.github/workflows/notify_codeowners.py

@@ -1,6 +1,6 @@
 import github
 import click
-import urllib.request
+
 from pathlib import Path
 from typing import List, Tuple
 import re
@@ -23,22 +23,18 @@
 ]
 
 
-def xor_strings(a, b):
-    result = int(a, 16) ^ int(b, 16)
-    return "{:x}".format(result)
-
-
 def get_github_client():
-    bot_token = "1353d990cdb8b8ceb1b73d301dce83cc0da3db29"
-    bot_token_key = "a1b2c3d47311f8e29e204f85a81b4df4a44e252c"
-
-    return github.Github(xor_strings(bot_token, bot_token_key))
+    return github.Github(os.environ["BOT_TOKEN"])
 
 
 CLIENT = get_github_client()
 
+# faster checks
+valid_users_cache = set()
+
 
 def check_user(user: str, line_idx: int):
+    print(f"Checking that {user} actually exists")
     if user[0] != "@":
         raise ValueError(
             f"User '{user}' at line {line_idx} of CODEOWNERS "
@@ -49,7 +45,10 @@ def check_user(user: str, line_idx: int):
     if user in WRITE_ACCESS_LIST:
         return None
     try:
+        if user in valid_users_cache:
+            return user
         CLIENT.get_user(user)
+        valid_users_cache.add(user)
     except github.UnknownObjectException:
         raise KeyError(
             f"User '{user}' line {line_idx} does not exist. Did you make a typo?"
@@ -158,12 +157,8 @@ def get_pull_request_id_from_gh_actions():
 @click.command()
 @click.option("--pull-request-id")
 @click.option("--no-dry-run", is_flag=True)
-@click.argument("file")
-def notify_codeowners(pull_request_id, no_dry_run, file):
-    if file.startswith("http"):
-        text = urllib.request.urlopen(file).read().decode("utf-8")
-    else:
-        text = Path(file).read_text()
+def notify_codeowners(pull_request_id, no_dry_run):
+    text = (Path(__file__).parents[1] / "CODEOWNERS").read_text()
     codeowners = parse_codeowners(text)
 
     if pull_request_id is not None:

.github/workflows/notify_codeowners.yml

@@ -1,7 +1,7 @@
 name: Notify codeowners
 
 on:
-  pull_request:
+  pull_request_target:
     types: [opened]
 
 
@@ -18,8 +18,8 @@ jobs:
       - name: Drop a message for codeowners
         env:
           PR: ${{ steps.findPr.outputs.pr }}
+          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
         run: |
           python .github/workflows/notify_codeowners.py \
               --pull-request-id=auto \
-              --no-dry-run \
-              https://raw.githubusercontent.com/tensorflow/addons/master/.github/CODEOWNERS
+              --no-dry-run