Asim GitHub workflow pipeline

.github/workflows/runAsimSchemaAndDataTesters.yaml

@@ -2,10 +2,11 @@
 # The script runs ASIM Schema and Data testers on the "eco-connector-test" workspace.
 name: Run ASIM tests on "ASIM-SchemaDataTester-GithubShared" workspace
 on:
-  pull_request:
-    types: [opened, edited, reopened, synchronize]
+  pull_request_target:
+    types: [opened, edited, reopened, synchronize, labeled]
     branches:
       - master
+      - asim-github-workflow
     paths:
     - 'Parsers/ASimDns/Parsers/**'
     - 'Parsers/ASimNetworkSession/Parsers/**'
@@ -26,9 +27,210 @@
   id-token: write
   contents: read
 
+concurrency:
+  group: asim-tests-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs: 
+  # Security gate: Fork PRs require manual approval via "safe to test" label
+  # Internal PRs (same repo) can proceed without labels
+  security-gate:
+    name: Security approval gate for fork PRs
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+    outputs:
+      approved: ${{ steps.check-approval.outputs.approved }}
+    steps:
+      - name: Check if PR needs approval
+        id: check-approval
+        run: |
+          echo "=========================================="
+          echo "Starting PR approval check..."
+          echo "=========================================="
+          
+          # Check if this is a fork PR
+          is_fork="${{ github.event.pull_request.head.repo.fork }}"
+          echo "🔍 Is this a fork PR? $is_fork"
+          
+          if [ "$is_fork" = "true" ]; then
+            echo "📌 FORK PR DETECTED - Proceeding with security checks"
+            
+            # Check if "safe to test" label is present
+            labels='${{ toJson(github.event.pull_request.labels.*.name) }}'
+            echo "📝 Available labels: $labels"
+            
+            if echo "$labels" | grep -q "safe to test"; then
+              echo "✅ 'safe to test' label FOUND - Checking for race conditions..."
+              
+              # SECURITY: Check for race condition - commits after label approval
+              # Get when the "safe to test" label was added (most recent time)
+              echo ""
+              echo "🔐 RACE CONDITION CHECK:"
+              echo "---"
+              
+              pr_number="${{ github.event.pull_request.number }}"
+              repo="${{ github.repository }}"
+              echo "📊 Fetching timeline for PR #$pr_number in $repo..."
+              
+              timeline_response=$(curl -s -H "Accept: application/vnd.github.v3+json" \
+                "https://api.github.com/repos/$repo/issues/$pr_number/timeline")
+              
+              echo "📥 Timeline API response received (showing labeled events):"
+              echo "$timeline_response" | jq '.[] | select(.event == "labeled" and .label.name == "safe to test") | {event, created_at}' || echo "   No labeled events found"
+              echo ""
+              
+              label_created=$(echo "$timeline_response" \
+                | jq -r '.[] | select(.event == "labeled" and .label.name == "safe to test") | .created_at' \
+                | tail -1)
+              
+              echo "🏷️  Most recent 'safe to test' label timestamp: $label_created"
+              
+              if [ -n "$label_created" ]; then
+                # Get the latest commit timestamp
+                latest_commit_date="${{ github.event.pull_request.head.repo.pushed_at }}"
+                echo "📌 Latest commit timestamp: $latest_commit_date"
+                echo ""
+                
+                # Convert to epoch time for comparison
+                echo "⏱️  Converting timestamps to epoch (seconds since 1970-01-01):"
+                label_epoch=$(date -d "$label_created" +%s 2>/dev/null || echo "0")
+                commit_epoch=$(date -d "$latest_commit_date" +%s 2>/dev/null || echo "0")
+                
+                echo "   Label timestamp: $label_created → epoch: $label_epoch"
+                echo "   Latest commit: $latest_commit_date → epoch: $commit_epoch"
+                echo ""
+                
+                # Allow 60 second grace period for GitHub timestamp variations
+                grace_period=60
+                commit_epoch_with_grace=$((commit_epoch + grace_period))
+                
+                echo "⏳ Grace period: $grace_period seconds"
+                echo "   Commit epoch with grace: $commit_epoch_with_grace"
+                echo "   Label epoch: $label_epoch"
+                echo ""
+                
+                if [ "$commit_epoch_with_grace" -gt "$label_epoch" ]; then
+                  echo "❌ RACE CONDITION DETECTED!"
+                  echo "   ⚠️  New commits were pushed AFTER the label was approved"
+                  echo "   Difference: $((commit_epoch_with_grace - label_epoch)) seconds"
+                  echo ""
+                  echo "⚠️  SECURITY ALERT: Commits may have been pushed after label approval!"
+                  echo "Label added: $label_created (epoch: $label_epoch)"
+                  echo "Latest commit: $latest_commit_date (epoch: $commit_epoch)"
+                  echo "❌ For security, this requires re-approval. Please:"
+                  echo "1. Review the latest commits carefully"
+                  echo "2. Remove and re-add the 'safe to test' label if commits are safe"
+                  echo "approved=false" >> $GITHUB_OUTPUT
+                  echo "needs_reapproval=true" >> $GITHUB_OUTPUT
+                  exit 1
+                else
+                  echo "✅ RACE CONDITION CHECK PASSED!"
+                  echo "   No new commits detected after label approval"
+                  echo "   Safe to proceed with testing"
+                  echo "approved=true" >> $GITHUB_OUTPUT
+                fi
+              else
+                echo "❌ ERROR: Could not determine label timestamp"
+                echo "⚠️  Could not determine when label was added - manual review recommended"
+                echo "For maximum security, please remove and re-add the 'safe to test' label"
+                echo "approved=false" >> $GITHUB_OUTPUT
+                echo "needs_reapproval=true" >> $GITHUB_OUTPUT
+                exit 1
+              fi
+            else
+              echo "❌ 'safe to test' label NOT FOUND"
+              echo "Fork PR requires manual approval from a maintainer"
+              echo "approved=false" >> $GITHUB_OUTPUT
+              echo "needs_approval=true" >> $GITHUB_OUTPUT
+            fi
+          else
+            echo "✅ INTERNAL PR DETECTED (not a fork)"
+            echo "Internal PRs are auto-approved - skipping security checks"
+            echo "approved=true" >> $GITHUB_OUTPUT
+          fi
+          
+          echo ""
+          echo "=========================================="
+          echo "Approval check complete"
+          echo "=========================================="
+      
+      - name: Comment on fork PR for approval guidance
+        if: github.event.pull_request.head.repo.fork == true && failure()
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        with:
+          script: |
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            
+            // Check if we already have a guidance comment to avoid spam
+            const existingComment = comments.find(comment => 
+              comment.body.includes('🔒 **Security Approval Required**') && 
+              comment.user.type === 'Bot'
+            );
+            
+            let commentBody = '';
+            
+            // Check what type of approval is needed based on the step outputs
+            if ('${{ steps.check-approval.outputs.needs_reapproval }}' === 'true') {
+              commentBody = `🔒 **Security Re-approval Required**
+            
+            ⚠️ **Race condition detected**: New commits were pushed after the \`safe to test\` label was added.
+            
+            **For security, a maintainer must:**
+            1. 📝 Review the latest commits carefully for any security concerns
+            2. 🏷️ Remove the \`safe to test\` label
+            3. 🏷️ Re-add the \`safe to test\` label if the new commits are safe
+            
+            This ensures that all commits have been properly reviewed before testing with repository secrets.
+            
+            ---
+            *This is an automated security check to prevent malicious code execution. Learn more about [GitHub Security Lab recommendations](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).*`;
+            } else {
+              commentBody = `🔒 **Security Approval Required**
+            
+            This fork PR requires manual approval before automated testing can run.
+            
+            **For security, a maintainer must:**
+            1. 📝 Review the code changes carefully
+            2. 🏷️ Add the \`safe to test\` label if the changes are safe to execute
+            
+            This protects against malicious code execution in fork contributions.
+            
+            ---
+            *This is an automated security check to prevent malicious code execution. Learn more about [GitHub Security Lab recommendations](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).*`;
+            }
+            
+            if (existingComment) {
+              // Update existing comment
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existingComment.id,
+                body: commentBody
+              });
+              console.log('Updated existing security guidance comment');
+            } else {
+              // Create new comment
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: commentBody
+              });
+              console.log('Created new security guidance comment');
+            }
+
   Run-ASim-TemplateValidation:
     name: Run ASim Template Validation tests
+    needs: security-gate
+    if: needs.security-gate.outputs.approved == 'true'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout pull request branch
@@ -246,4 +448,4 @@
           echo "Downloading script from the master: $url"
           curl -o "$filePath" "$url"
           # Execute the script
-          python "$filePath"
+          python "$filePath"