From 8f1e23be8eee7a093ce7aca18476878deffe3b80 Mon Sep 17 00:00:00 2001
From: Antoine du Hamel
Date: Sat, 6 Nov 2021 18:58:18 +0100
Subject: [PATCH] tools: ensure the PR was not pushed before merging

When using Squash and Merge feature, it would allow to a malicious actor to push unreviewed code to their PR while the CQ is running and bypass the usual checks. This commit adds a check to refuse to land if the head of the PR branch is different from the one validated by ncu.
---
 tools/actions/commit-queue.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/actions/commit-queue.sh b/tools/actions/commit-queue.sh
index a1c182f39015ac..37b8cdcfc0fb68 100755
--- a/tools/actions/commit-queue.sh
+++ b/tools/actions/commit-queue.sh
@@ -110,7 +110,8 @@ for pr in "$@"; do
 jq -n \
 --arg title "$(git log -1 --pretty='format:%s')" \
 --arg body "$(git log -1 --pretty='format:%b')" \
- '{merge_method:"squash",commit_title:$title,commit_message:$body}' > output.json
+ --arg head "$(grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse)" \
+ '{merge_method:"squash",commit_title:$title,commit_message:$body,sha:$head}' > output.json
 cat output.json
 gitHubCurl "$(mergeUrl "$pr")" PUT --data @output.json > output
 cat output
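Review bot: The added `--arg head` line fails open when the lookup yields nothing: if `grep 'Fetched commits as'` matches no line in `output`, `cut` emits nothing and `xargs git rev-parse` either runs with no argument or not at all, so `$head` is empty and the merge request is still sent with `sha:""` instead of being refused; the same happens when `git rev-parse` itself fails, because the exit status of a pipeline inside `$(...)` is discarded. Since refusing to land on a mismatch is the whole point of the commit, resolve the head into a variable first and refuse when it is empty, as sketched below; whether `continue` or a hard exit is right depends on how the surrounding `for pr in "$@"` loop, which starts outside the hunk, handles other per-PR failures. The extraction also silently depends on the exact wording of ncu's message (presumably `Fetched commits as <base>..<head>`, hence `cut -d. -f3`) and on `output` still holding the ncu log rather than the curl response written two lines below, so a comment such as `# parse the head sha from ncu's "Fetched commits as base..head" line before output is overwritten by the merge response` would help the next maintainer.
```shell
    # … unchanged: earlier steps of the per-PR loop …
    head=$(grep 'Fetched commits as' output | cut -d. -f3 | xargs git rev-parse)
    if [ -z "$head" ]; then
      echo "Could not resolve the PR head validated by ncu, refusing to land #$pr" >&2
      continue
    fi
    jq -n \
      --arg title "$(git log -1 --pretty='format:%s')" \
      --arg body "$(git log -1 --pretty='format:%b')" \
      --arg head "$head" \
      '{merge_method:"squash",commit_title:$title,commit_message:$body,sha:$head}' > output.json
    # … unchanged: cat output.json, gitHubCurl merge request, cat output …
```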