Cannot use Azure OpenAI deployment endpoints (no /models endpoint)
#10145
# This workflow is triggered by a comment on PR with the text ".build-cli"
#
# SECURITY: This workflow checks out and builds code from PRs. To prevent
# malicious code execution (GHSA-4h72-4h3w-4587, GHSA-mqm8-hhf6-wvjq),
# we verify the commenter has write access before proceeding.
#
# Review notes (derived from reading this file, not from a run of it):
# - The `security_check` step below is the only authorization gate. Every
#   later step in the trigger job, and the build-cli job via its `continue`
#   output, is conditioned on `authorized == 'true'`, and the check fails
#   closed (an API error sets `authorized` to 'false').
# - The PR head SHA is resolved with `gh pr view` when the job runs, not when
#   the comment was written, so the commit that gets built is whatever the PR
#   head is at run time. The authorizing collaborator is effectively vouching
#   for that commit, which may differ from the one they reviewed.
# - `github/command` and `peter-evans/create-or-update-comment` are pinned to
#   mutable tags while the other actions here are pinned to commit SHAs;
#   pinning all of them to SHAs keeps the supply-chain posture consistent.
on:
  issue_comment:
    types: [created]
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR number to comment on'
        required: true
        type: string

# permissions needed for reacting to IssueOps commands on PRs
permissions:
  pull-requests: write
  checks: read

name: Build CLI

# One run per workflow + PR number; a newer ".build-cli" comment on the same
# PR cancels the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ (github.event.issue && github.event.issue.number) || github.event.inputs.pr_number }}
  cancel-in-progress: true

jobs:
  trigger-on-command:
    # Only PR comments (issues without `pull_request` are filtered out) that
    # contain the command, or a manual dispatch.
    if: >
      github.event_name == 'workflow_dispatch' ||
      (github.event.issue.pull_request && contains(github.event.comment.body, '.build-cli'))
    name: Trigger on ".build-cli" PR comment
    runs-on: ubuntu-latest
    outputs:
      # Consumed by build-cli's `if`; anything but 'true' stops the pipeline.
      continue: ${{ steps.security_check.outputs.authorized }}
      pr_number: ${{ steps.command.outputs.issue_number || github.event.inputs.pr_number }}
      # Falls back to the triggering ref's SHA when set_head_sha produces no
      # output (e.g. the workflow_dispatch path, where no command step output
      # exists -- TODO confirm that is the intended ref to build).
      head_sha: ${{ steps.set_head_sha.outputs.head_sha || github.sha }}
    steps:
      # SECURITY: Verify commenter has write access BEFORE any checkout
      # This prevents attackers from triggering builds on their own malicious PRs
      - name: Verify commenter permissions
        id: security_check
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            // workflow_dispatch requires repo write access, so it's inherently safe
            if (context.eventName === 'workflow_dispatch') {
              core.setOutput('authorized', 'true');
              console.log('✅ workflow_dispatch - authorized');
              return;
            }
            const commenter = context.payload.comment.user.login;
            console.log(`Checking permissions for: ${commenter}`);
            try {
              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                username: commenter
              });
              // Only these three collaborator levels may trigger a build; 'read' and 'none' are rejected.
              const allowed = ['admin', 'maintain', 'write'].includes(permission.permission);
              console.log(`Permission level: ${permission.permission}, Authorized: ${allowed}`);
              if (!allowed) {
                // Post a comment explaining the rejection
                await github.rest.issues.createComment({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.payload.issue.number,
                  body: `⚠️ @${commenter} Only repository collaborators with write access can trigger builds.`
                });
                core.setOutput('authorized', 'false');
              } else {
                core.setOutput('authorized', 'true');
              }
            } catch (error) {
              // Fail closed: an API error (e.g. user is not a collaborator) never authorizes.
              console.log(`Permission check failed: ${error.message}`);
              core.setOutput('authorized', 'false');
            }
      # Parses the ".build-cli" command and reacts to the comment. `allowed_contexts`
      # restricts it to PR comments. skip_reviews is set because authorization is
      # already enforced by security_check above.
      - name: Run command action
        if: steps.security_check.outputs.authorized == 'true'
        # NOTE(review): pinned to a tag rather than a commit SHA, unlike the other actions in this file.
        uses: github/command@v2.0.3
        id: command
        with:
          command: ".build-cli"
          skip_reviews: true
          reaction: "eyes"
          allowed_contexts: pull_request
      # No `ref` is given, so this checks out the event's default ref, not the PR
      # head. PR code is only built by the build-cli reusable workflow below.
      - name: Checkout code
        if: steps.security_check.outputs.authorized == 'true'
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      # Resolves the PR's current head commit. ISSUE_NUMBER comes only from the
      # command step (not from the workflow_dispatch `pr_number` input), so on
      # manual dispatch it is presumably empty -- verify the dispatch path.
      - name: Get PR head SHA with gh
        id: set_head_sha
        if: steps.security_check.outputs.authorized == 'true'
        run: |
          echo "Get PR head SHA with gh"
          # Head SHA is read at run time; see the note at the top of the file.
          HEAD_SHA=$(gh pr view "$ISSUE_NUMBER" --json headRefOid -q .headRefOid)
          echo "head_sha=$HEAD_SHA" >> $GITHUB_OUTPUT
          echo "head_sha=$HEAD_SHA"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_NUMBER: ${{ steps.command.outputs.issue_number }}

  # This is where PR-authored code is actually built; it runs only when the
  # authorization gate above produced 'true'.
  build-cli:
    needs: [trigger-on-command]
    if: ${{ needs.trigger-on-command.outputs.continue == 'true' }}
    uses: ./.github/workflows/build-cli.yml
    with:
      ref: ${{ needs.trigger-on-command.outputs.head_sha }}

  # Posts download links for the artifacts produced by build-cli back onto the PR.
  pr-comment-cli:
    name: PR Comment with CLI builds
    runs-on: ubuntu-latest
    needs: [trigger-on-command, build-cli]
    permissions:
      pull-requests: write
    steps:
      - name: Download CLI artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          pattern: goose-*
          path: cli-dist
          merge-multiple: true
      - name: Comment on PR with CLI download links
        # NOTE(review): pinned to a tag rather than a commit SHA, unlike the other actions in this file.
        uses: peter-evans/create-or-update-comment@v5
        with:
          issue-number: ${{ needs.trigger-on-command.outputs.pr_number }}
          body: |
            ### CLI Builds
            Download CLI builds for different platforms:
            - [📦 Linux (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-unknown-linux-gnu.zip)
            - [📦 Linux (aarch64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-unknown-linux-gnu.zip)
            - [📦 macOS (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-apple-darwin.zip)
            - [📦 macOS (aarch64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-aarch64-apple-darwin.zip)
            - [📦 Windows (x86_64)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/goose-x86_64-pc-windows-gnu.zip)
            These links are provided by nightly.link and will work even if you're not logged into GitHub.