Commit messages for sync-wiki cannot have backticks about lichess-bot HOT 7 CLOSED

@TheYoBots I understand the action didn't complete due to there being no edits to the wiki. The actions can still run despite the command line errors.

However, even if the backticks don't cause a problem with running the actions, it's still trying to execute arbitrary code. For an extreme example, a commit message could contain Fix documentation (`git branch --delete master`), which would be rather catastrophic. Or maybe something like Sneaky commit to reveal secrets (`echo ${{ github.secrets }} > mail.eml; send_email mail.eml` nothing to see here).

I think it's better not to include the commit message at all. Requiring inspection by people or complicated post-processing seems to unreliable. Wouldn't the commit before the Auto action contain all the necessary information in the commit message?

@AttackingOrDefending Any thoughts?

from lichess-bot.

I don't think that error had anything to do with using ``. This is in fact an expected bug with that commit. I spoke about it in the pull request itself:
#810 (comment)

The first workflow will give an error since there are no changes to the wiki dir as compared to the wiki page, but afterwards any changes made to the wiki dir will directly be reflected in the wiki.

If you don't want this error on first run then either I can make a change to the wiki dir now or I can add the tag --allow-empty-commit before commiting changes like this: git commit --allow-empty-commit "Update wiki".

This occurs because when the wiki/ dir was created, as per github the files in the wiki/ path were updated and this means that it should run the sync-wiki workflow. Now when the workflow runs it sees that there is a change to the wiki/Home.md file, when in fact there was no change the file was just created. So it copies the contents in the Home.md file to the README.md. But, there is no difference, so when the workflow comes to the stage where it needs to commit it tried to commit, but github says there isn't any change so you cannot make a commit and send an error.

I tried to explain it as best as I could. Sorry if I just made it more confusing.

from lichess-bot.

But the wiki does also run the commit messages which have ``. But that has nothing to do with the error:

On branch master
Your branch is up to date with 'origin/master'.

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	lichess-bot.wiki/

nothing added to commit but untracked files present (use "git add" to track)
Error: Process completed with exit code 1.

from lichess-bot.

Here's a test run in my repository with the same commit message and the files were edited: https://github.com/TheYoBots/lichess-bot/actions/runs/5950420455/job/16138179065
While this is persistant:

/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: bullet_requires_increment: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: wiki/Home.md: Permission denied
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: README.md: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: wiki/Home.md: Permission denied
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: README.md: command not found

This is how the commit message looks: TheYoBots@b702be1

from lichess-bot.

I think a fix would be that the owners of the repository can edit the message before squash and merging into the repository. Instead of all commits add a short description on what the PR does and the merge. And sometimes even edit the pull request name (commit message) if it has nothing to do with the pull request. This way even others who check a commit will get a gist of what the commit does.

from lichess-bot.

I agree that removing the commit message is probably the best and simplest solution. The reason that I suggested including the commit message is so that when someone looks at the wiki history they don't just see Auto update wiki which doesn't provide any meaningful information but I didn't think about arbitrary code execution.

We should also probably create branch protection rules to avoid such senarios.

from lichess-bot.

Fixed by #817

from lichess-bot.