Mark Tse

Run arbitrary commands via a comment and commit the changes

DISCLAIMER: the Run terminal command GitHub Action allows for arbitrary code execution by any user allowed to comment on your issues or pull requests. You should probably never use this except to explore what GitHub Actions could do.

To avoid security issues, replace the use of the Run terminal command GitHub Action with something that validates input or with something that always runs the same command.
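As an added example (not code from the original post or from the gh-action-terminal action), here is what "something that validates input" could look like in the JavaScript that actions/github-script already runs in this workflow: the text after /terminal is treated as a name to look up in a fixed allow-list, never as a command line. The command names, the allow-list contents and the sample events are constructed for this example; the payload fields it reads (comment.body, comment.author_association, issue.pull_request) are those of the issue_comment event.

```javascript
// Added example, not code from the original post or from gh-action-terminal.
// Replaces "run whatever follows /terminal" with "look the name up in a fixed allow-list".
// Written as plain functions so it runs stand-alone under Node; inside
// actions/github-script the same functions would be fed context.payload.

// Fixed allow-list (constructed): a comment can only select one of these by name.
// Each value is an argv array, so no text from the comment is ever interpolated
// into a shell command line.
const ALLOWED_COMMANDS = new Map([
  ['version-patch', ['npm', 'version', 'patch', '--no-git-tag-version']],
  ['lint-fix', ['npm', 'run', 'lint', '--', '--fix']],
]);

// Comment authors who may trigger a run (values of comment.author_association).
const ALLOWED_ASSOCIATIONS = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);

// Parse "/terminal <name>". The name must be a plain identifier and an allow-list key.
// A Map is used rather than an object literal so a name such as "constructor" cannot
// match an inherited property of Object.prototype.
function parseTerminalComment(body) {
  if (typeof body !== 'string') return { ok: false, reason: 'missing comment body' };
  const match = /^\/terminal\s+([a-z][a-z0-9-]*)\s*$/.exec(body);
  if (!match) return { ok: false, reason: 'comment is not of the form "/terminal <name>"' };
  const name = match[1];
  if (!ALLOWED_COMMANDS.has(name)) return { ok: false, reason: `"${name}" is not an allowed command` };
  return { ok: true, name, argv: [...ALLOWED_COMMANDS.get(name)] };
}

// Decide whether a comment event may run anything at all, and if so what.
function decide(event) {
  const issue = event.issue || {};
  const comment = event.comment || {};
  // issue_comment also fires for plain issues; only PR comments carry issue.pull_request.
  if (!issue.pull_request) return { ok: false, reason: 'not a pull request comment' };
  if (!ALLOWED_ASSOCIATIONS.has(comment.author_association)) {
    return { ok: false, reason: `author association "${comment.author_association}" may not run commands` };
  }
  return parseTerminalComment(comment.body);
}

// Constructed sample events (not real webhook deliveries).
const PR_ISSUE = { number: 12, pull_request: { url: 'https://api.github.com/repos/o/r/pulls/12' } };
const SAMPLE_EVENTS = {
  allowed: { issue: PR_ISSUE, comment: { body: '/terminal version-patch', author_association: 'MEMBER' } },
  // The original post's usage: free-form text after /terminal is now refused.
  freeForm: { issue: PR_ISSUE, comment: { body: '/terminal npm version patch --no-git-tag-version', author_association: 'MEMBER' } },
  outsider: { issue: PR_ISSUE, comment: { body: '/terminal version-patch', author_association: 'NONE' } },
  plainIssue: { issue: { number: 7 }, comment: { body: '/terminal version-patch', author_association: 'OWNER' } },
  prototypeName: { issue: PR_ISSUE, comment: { body: '/terminal constructor', author_association: 'OWNER' } },
};

for (const [label, event] of Object.entries(SAMPLE_EVENTS)) {
  console.log(label, JSON.stringify(decide(event)));
}
```

When the decision is `ok`, the returned `argv` is what a later step would execute, for instance with `child_process.spawnSync(argv[0], argv.slice(1))` and no `shell: true`, or by emitting the name as a step output that a fixed `run:` step maps to one hard-coded command. Either way nothing typed into the comment reaches a shell, and the author-association and pull-request checks happen before any parsing.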

My Workflow

This workflow allows you to run any command and commit the changes back into a pull request. For example, you can run /terminal npm version patch --no-git-tag-version to bump the patch version of your Node package.

This workflow:

  • Only runs on new pull request comments and only if the comment starts with /terminal
  • Acknowledges comments that start with /terminal by reacting with a +1
  • Determines what pull request the comment came from and gets the corresponding branch name
  • Checks out the code at that branch
  • Runs the command, commits the changes, and pushes it back to the branch

Submission Category:

Maintainer Must-Haves

Yaml File or Link to Code

on:
  issue_comment:
    types: [created]

jobs:
  run-and-update:
    if: contains(github.event.comment.html_url, '/pull/') && startsWith( github.event.comment.body, '/terminal ' )
    runs-on: ubuntu-latest
    steps:
      - name: Acknowledge command
        uses: actions/github-script@v3
        with:
          script: |
            github.reactions.createForIssueComment({
              comment_id: context.payload.comment.id,
              owner: context.repo.owner,
              repo: context.repo.repo,
              content: '+1',
            });
      - id: get-ref
        name: Get branch name
        uses: actions/github-script@v3
        with:
          result-encoding: string
          script: |
            const response = await github.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.issue.number
            });

            return response.data.head.ref;
      - uses: actions/checkout@v2
        with:
          ref: ${{ steps.get-ref.outputs.result }}
      - uses: actions/setup-node@v1
        with:
          node-version: '12'
      - id: terminal
        uses: neverendingqs/gh-action-terminal@main
      - run: |
          git config user.name github-actions[bot]
          git config user.email 41898282+github-actions[bot]@users.noreply.github.com

          git commit -am "chore: update after '${COMMAND}'."
          git push
        env:
          COMMAND: ${{ steps.terminal.outputs.command }}

Additional Resources / Info
