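name: Reviewdog PR Annotations
# =========
# IMPORTANT
# =========
#
# TL;DR:
# THIS ACTION SHOULD NOT RUN ANY CODE FROM THE PR BRANCH.
#
# This workflow is triggered after new events in Pull Requests (as the
# `pull_request` trigger is), but this trigger gives the workflow write
# permissions on the repo.
# The second checkout step in each job checks out code from the PR branch.
# Code from any PR branch should be treated as malicious!
# Therefore, this workflow **SHOULD NOT RUN ANY CODE** from the PR branch, since
# the workflow has write permissions.
# Doing so introduces a high-severity vulnerability that could be exploited to
# gain access to secrets and/or introduce malicious code.
#
# For this particular workflow we need the write permission in order for
# reviewdog to publish comments in the PR.
# zizmor will complain about the `pull_request_target` trigger, so we will
# ignore it.
#
# Worth noting that the runner will execute the steps specified in the version
# of this workflow file that lives in the **target branch** (usually `main`),
# not the one in the Pull Request branch. This means that even if a contributor
# opens a PR with a change to this file, the change won't be executed. This is
# intended to prevent third-party contributors from running custom code with high
# privileges on the repo.
#
# Review notes (hardening to confirm; not changed here):
# * `actions/checkout@v4` and `actions/setup-python@v5` are pinned to mutable
#   tags, while the reviewdog actions below are pinned to commit SHAs. Pinning
#   all of them to SHAs gives one consistent supply-chain posture.
# * Both linters run with `workdir: pr_source`, so they resolve their own
#   configuration files (flake8: setup.cfg/tox.ini/.flake8; black:
#   pyproject.toml) from the PR branch, not from the target checkout. flake8's
#   configuration can register local plugins that flake8 then imports, so the
#   "no PR code runs" guarantee above also depends on flake8 not reading its
#   config from pr_source — TODO confirm, e.g. by running flake8 with
#   `--isolated` or with `--config` pointing at the target-branch checkout.
#
# References:
# * https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
# * PR that added this action: https://github.com/simpeg/simpeg/pull/1424
# * PR that added this warning: https://github.com/simpeg/simpeg/pull/1592
#
on: [pull_request_target] # zizmor: ignore[dangerous-triggers]
jobs:
  flake8:
    name: Flake8 check
    runs-on: ubuntu-latest
    # Least privilege: only what reviewdog needs to post review comments.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout target repository source
        uses: actions/checkout@v4
        with:
          # Keep GITHUB_TOKEN out of the checkout's .git/config.
          persist-credentials: false
      - name: Setup Python env
        uses: actions/setup-python@v5
        with:
          # Quoted so the version is not parsed as the float 3.11.
          python-version: '3.11'
      - name: Install dependencies to run the flake8 checks
        # Runs the script from the target-branch checkout above; the PR source
        # is checked out into a separate directory further down.
        run: .ci/install_style.sh
      # Checkout PR branch.
      # TREAT THIS CODE AS MALICIOUS, DON'T RUN CODE FROM THIS BRANCH.
      - name: checkout pull request source
        uses: actions/checkout@v4
        with:
          # Pin to the PR head commit (an immutable SHA), checked out into its
          # own directory so it never overlays the target-branch checkout.
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr_source
          persist-credentials: false
      - name: flake8 review
        uses: reviewdog/action-flake8@b65981e158319f08cb7d0132f28bc0081e110adc # v3.15.2
        with:
          workdir: pr_source
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reporter: github-pr-review
  black:
    name: Black check
    runs-on: ubuntu-latest
    # Least privilege: only what reviewdog needs to post review comments.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout target repository source
        uses: actions/checkout@v4
        with:
          # Keep GITHUB_TOKEN out of the checkout's .git/config.
          persist-credentials: false
      - name: Setup Python env
        uses: actions/setup-python@v5
        with:
          # Quoted so the version is not parsed as the float 3.11.
          python-version: '3.11'
      - name: Install dependencies to run the black checks
        # Runs the script from the target-branch checkout above; the PR source
        # is checked out into a separate directory further down.
        run: .ci/install_style.sh
      # Checkout PR branch.
      # TREAT THIS CODE AS MALICIOUS, DON'T RUN CODE FROM THIS BRANCH.
      - name: checkout pull request source
        uses: actions/checkout@v4
        with:
          # Pin to the PR head commit (an immutable SHA), checked out into its
          # own directory so it never overlays the target-branch checkout.
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr_source
          persist-credentials: false
      - name: black review
        uses: reviewdog/action-black@644053a260402bc4278a865906107bd8aef7fae8 # v3.22.4
        with:
          workdir: pr_source
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reporter: github-pr-review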