fix: incorrect workflow checkout ref #62165
Merged
Summary
None
Purpose of change
we have a little linter/reviewer workflow that's supposed to test the incoming code and spit out a review if there are easy to fix errors say whitespace, indentation etc
it can't do that at the moment cause pull_request_target will make the checkout action checkout cleverraven's master; master is always linted so we aren't doing anything
force it to check the incoming code, a little trick (see references) - a hack
very much a dirty hack this gets us the pr's head ref, something we can run actual tests on and still spit a review because we are using both data from the pull_request event and permissions from the pull_request_target event
the ugly downside of this is that running on both events, we'll have duplicated workflows, I don't know at this moment if I can somehow remove that, I can however skip the workflow if it isn't running on pull_request_target
if this works it would 100% be worth the ugly bit, automatic reviews are a dream I don't think anyone on github has
references:
https://semgrep.dev/r?q=yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout
Describe the solution
Describe alternatives you've considered
Testing
casswedson#91 see here the workflows skipping on pull_request and the other failing because it finds a style error, after that it sends a review with corrections
Additional context
I was like: why isn't the linter working? it was checking out master all along, I didn't realize in #62060 that pr_target forces running workflows on the master files
duh. you didn't know that
one quick look at the workflow after this will determine if this dream is possible or not, I'll just remove it if it doesn't work
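
The checkout pattern described above is the one the linked Semgrep rule is named for: a workflow triggered by pull_request_target runs with the base repository's permissions while checking out the pull request's head. The following check is an added example, not code from this pull request or the project; it is a line-based Python scan (no YAML parser) over a constructed sample workflow, and the names on_block and risky_checkouts are hypothetical.

```python
import re

# Expressions that resolve to the pull request's own (untrusted) head or merge commit.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")

def on_block(workflow):
    """Text of the top-level `on:` key (inline, list or mapping form), comments stripped."""
    out, in_on = [], False
    for raw in workflow.splitlines():
        line = raw.split("#", 1)[0]
        if line[:1].strip():  # non-indented line: a top-level key starts here
            in_on = re.match(r"""['"]?on['"]?\s*:""", line) is not None
        if in_on:
            out.append(line)
    return "\n".join(out)

def risky_checkouts(workflow):
    """(line, ref) for each actions/checkout step that fetches PR head code under pull_request_target."""
    if not re.search(r"\bpull_request_target\b", on_block(workflow)):
        return []
    findings, is_checkout, refs = [], False, []
    for no, raw in enumerate(workflow.splitlines() + ["- end"], 1):  # sentinel flushes last step
        line = raw.strip()
        if line.startswith("- "):  # a new list item closes the previous step
            findings += refs if is_checkout else []
            is_checkout, refs = False, []
            line = line[2:].strip()
        is_checkout = is_checkout or bool(re.match(r"uses:\s*actions/checkout@", line))
        m = re.match(r"ref:\s*(.+)", line)
        if m and HEAD_REF.search(m.group(1)):
            refs.append((no, m.group(1).strip()))
    return findings

# Constructed sample workflow, not the file from this pull request.
RISKY = """\
on:
  pull_request_target:
  pull_request:
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./lint.sh
"""
PR_ONLY = RISKY.replace("  pull_request_target:\n", "")  # same steps, pull_request trigger only
```

Being line-based, the scan does not follow reusable workflows or refs passed through intermediate variables.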