ci: enforce semantic PR title #11779

Merged: 3 commits, Dec 21, 2022
38 changes: 38 additions & 0 deletions .github/workflows/pr-title-check.yml
@@ -0,0 +1,38 @@
name: "Lint PR"

on:
pull_request_target:
Member


If I have to be honest, I feel a bit uneasy about using pull_request_target due to the possible security implications. This needs to be handled with careful consideration in the future. We should add comments in line 1 about future changes to this file, and carefully review updates to amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb.

No checkout actions, scripts, or builds should be added to this workflow. Permissions should always be used with extreme caution.

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

This is not a blocker, it just made my tin foil hat activate.

types:
- opened
- edited
- synchronize
crenshaw-dev marked this conversation as resolved.

permissions:
contents: read

# PR updates can happen in quick succession leading to this
# workflow being trigger a number of times. This limits it
# to one run per PR.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}

jobs:
main:
permissions:
pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb # v5.0.2
with:
types: |
feat
fix
docs
test
ci
chore
[Bot] docs
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
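Review bot: The `concurrency` block does not achieve the "one run per PR" described in the comment above it. Under `pull_request_target`, `github.ref` resolves to the base branch (for example `refs/heads/master`), not the PR branch, so `group: ${{ github.workflow }}-${{ github.ref }}` puts every PR against the same base into one group, and a pending run for one PR will be cancelled when a run for an unrelated PR is queued. Keying the group on `${{ github.event.pull_request.number }}` (or `github.head_ref`) gives the intended per-PR behaviour. Separately, the review thread asked for a header comment warning future editors that this workflow runs on `pull_request_target` with `statuses: write` and must never gain a checkout, script or build step; that comment is still missing from the top of the file. The SHA pin on `amannn/action-semantic-pull-request` with the `# v5.0.2` hint is the right pattern and should be preserved on any bump.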
2 changes: 1 addition & 1 deletion .github/workflows/update-snyk.yaml
@@ -31,6 +31,6 @@ jobs:
git config --global user.email 'ci@argoproj.com'
git config --global user.name 'CI'
git add docs/snyk
git commit -m "[Bot] Update Snyk reports" --signoff
git commit -m "[Bot] docs: Update Snyk reports" --signoff
git push --set-upstream origin "$pr_branch"
gh pr create -B master -H "$pr_branch" --title '[Bot] docs: Update Snyk report' --body ''
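Review bot: The new commit subject `[Bot] docs: Update Snyk reports` and the `gh pr create --title '[Bot] docs: Update Snyk report'` on the unchanged context line below differ by one character (`reports` vs `report`). Only the PR title is what the new "Validate PR title" workflow checks against its `[Bot] docs` type, so the check passes either way, but using a single string for both the commit and the title would avoid a commit/PR mismatch in the bot's history.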