diaspora/diaspora_federation

View on GitHub
.github/workflows/lint.yml

Summary

Maintainability
Test Coverage
## SECURITY WARNING:
##
## Do not change this job unless you know what you're doing.
##
## This GitHub Action runs on: pull_request_target, which means the jobs run in
## a context where they have access to a Access Token with write access to the
## target repo, even if the PR is opened from an external contributor from their
## fork.
##
## This means that if we're not careful, we could be running third-party code
## within an authenticated scope, which isn't good. To mitigate this, this
## implementation does:
##
##   1. checkout the target branch (i.e. the project's original sources)
##   2. install the Gems from there, and install them into a directory that's
##      outside the repository contents.
##   3. checkout the PRs HEAD
##   4. restore a bunch of files that would allow code execution from the
##      project's upstream sources, namely:
##      - bin/bundle - we'll run that in our Job
##      - Gemfile/Gemfile.lock - to avoid loading a gem with an identical
##        version number from a in-repo vendored directory

name: Lint
on:
  pull_request_target:

permissions:
  contents: read
  statuses: write
  pull-requests: write

jobs:
  pronto:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Target branch
        uses: actions/checkout@v3
        with:
          ref: ${{ github.base_ref }}
          fetch-depth: 0
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.1"
          bundler-cache: true
      - name: Checkout PR HEAD
        run: |
          git fetch -q origin +refs/pull/${{ github.event.pull_request.number }}/head:
          git checkout -qf FETCH_HEAD
      - name: Restore the bundle binstub and Gemfiles from the target branch
        run: |
          git restore -s ${{ github.base_ref }} -- bin/bundle
          git restore -s ${{ github.base_ref }} -- Gemfile
          git restore -s ${{ github.base_ref }} -- Gemfile.lock
      - name: Run Pronto
        run: bin/bundle exec pronto run -f github_status github_pr_review -c ${{ github.base_ref }}
        env:
          PRONTO_PULL_REQUEST_ID: ${{ github.event.pull_request.number }}
          PRONTO_GITHUB_ACCESS_TOKEN: ${{ github.token }}