From da0fac20bf903afbaa64798583738d8ed16d713e Mon Sep 17 00:00:00 2001 From: Abin Simon Date: Tue, 31 Jan 2023 07:12:04 +0530 Subject: [PATCH] Bump slash-command-dispatch and avoid running unverified commit in ok-to-test (#1756) ## Description Bumps ok-to-test to v3. Plus fix the issue where someone might have been able to run unverified code if they push between commenting `/ok-to-test` and the job starting. ## Type of change - [ ] :sunflower: Feature - [ ] :bug: Bugfix - [ ] :world_map: Documentation - [ ] :robot: Test - [x] :computer: CI/Deployment - [ ] :hamster: Trivial/Minor ## Issue(s) * https://github.com/alcionai/corso/pull/1651 ## Test Plan - [x] :muscle: Manual - [ ] :zap: Unit test - [ ] :green_heart: E2E --- .github/workflows/ci.yml | 16 ++++++++++++++-- .github/workflows/ok-to-test.yml | 3 +-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index acc1b68eb..170a63357 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -239,17 +239,29 @@ jobs: run: working-directory: src steps: - - name: Fail check + - name: Fail check if not repository_dispatch if: github.event_name != 'repository_dispatch' run: | echo "Workflow requires approval from a maintainer to run. It will be automatically rerun on approval." exit 1 + - uses: marocchino/sticky-pull-request-comment@v2 + if: github.event.client_payload.slash_command.args.named.sha != '' && contains(github.event.client_payload.pull_request.head.sha, github.event.client_payload.slash_command.args.named.sha) + with: + message: | + Workflow run sha specified via `ok-to-test` is not the latest commit on PR. Run canceled. + + - name: Fail check if not head of PR + if: github.event.client_payload.slash_command.args.named.sha != '' && contains(github.event.client_payload.pull_request.head.sha, github.event.client_payload.slash_command.args.named.sha) + run: | + echo "Workflow run sha specified is not the latest commit on PR. Exiting." + exit 1 + # add comment to PR with link to workflow run - uses: marocchino/sticky-pull-request-comment@v2 with: message: | - https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID + Test suite run will be available at https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID # Check out merge commit - name: Fork based /ok-to-test checkout diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml index bd6a7db67..f48e49129 100644 --- a/.github/workflows/ok-to-test.yml +++ b/.github/workflows/ok-to-test.yml @@ -19,7 +19,7 @@ jobs: private_key: ${{ secrets.PRIVATE_KEY }} - name: Slash Command Dispatch - uses: peter-evans/slash-command-dispatch@v1 + uses: peter-evans/slash-command-dispatch@v3 env: TOKEN: ${{ steps.generate_token.outputs.token }} with: @@ -27,5 +27,4 @@ jobs: reaction-token: ${{ secrets.GITHUB_TOKEN }} issue-type: pull-request commands: ok-to-test - named-args: true permission: write
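Review bot: The `if:` on the two added steps in ci.yml (the sticky comment and `Fail check if not head of PR`) looks inverted: `…named.sha != '' && contains(…head.sha, …named.sha)` is true when the supplied sha does match the PR head, so the run is cancelled for the approved commit and continues for a mismatching one. The guard is also skipped entirely when `/ok-to-test` carries no `sha=` argument, which leaves the push-between-comment-and-job-start window from the description open for that form, and `contains()` accepts any substring of the head sha rather than the full commit id. I would fail closed on both steps with `if: github.event.client_payload.slash_command.args.named.sha == '' || github.event.client_payload.pull_request.head.sha != github.event.client_payload.slash_command.args.named.sha`; if abbreviated shas must stay supported, `!contains(...)` with a documented minimum length is the weaker alternative. The `Fork based /ok-to-test checkout` step continues past the end of the hunk, so which ref it checks out is not visible here; the comparison only binds what actually runs if that step checks out the verified sha rather than a moving PR ref.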