forked from FerretDB/FerretDB
-
Notifications
You must be signed in to change notification settings - Fork 0
87 lines (78 loc) · 3.32 KB
/
conform-pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
---
# This and other workflows that use `pull_request_target` event are dangerous
# and should be handled with a lot of care to avoid security problems.
# We use this event to give pull requests access to secrets with permissions to query projects,
# login into Docker registry, etc.
# But rogue PR authors could try to steal our secrets.
# We prevent that with the following:
#
# * We require approval for PRs from first-time contributors. That's a built-in feature for all actions.
# * For workflows that checkout source code,
# we require the `trust` label to be assigned to PRs by FerretDB maintainers after reviewing changes.
# Only a few trusted people have permission to do that.
# * Thanks to the way `pull_request_target` trigger works,
# PR changes in the workflow itself are not run until they are merged.
# * We use short-lived automatic `GITHUB_TOKEN`s instead of a long-living personal access tokens (PAT) where possible.
# * Both `GITHUB_TOKEN`s and PATs have minimal permissions.
# * We publish Docker images from PRs as separate packages that should not be run by users.
# * We limit what third-party actions can be used.
#
# Relevant GitHub documentation is a bit scattered. The first article gives a good overview:
# * https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
# * https://docs.github.com/en/actions/security-guides/automatic-token-authentication
# * https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
name: Conform PR
on:
pull_request_target:
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
# List all types to make it easier to enable new ones when they are needed.
types:
- assigned
- unassigned
- labeled
- unlabeled
- opened
- edited
# - closed
- reopened
- synchronize
- converted_to_draft
- ready_for_review
# - locked
- unlocked
- review_requested
- review_request_removed
- auto_merge_enabled
- auto_merge_disabled
# Do not run this workflow in parallel for any PR change.
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
cancel-in-progress: false
env:
GOPATH: /home/runner/go
GOCACHE: /home/runner/go/cache
GOLANGCI_LINT_CACHE: /home/runner/go/cache/lint
GOMODCACHE: /home/runner/go/mod
GOPROXY: https://proxy.golang.org
GOTOOLCHAIN: local
CONFORM_TOKEN: ${{ secrets.CONFORM_TOKEN }} # repo-scoped GITHUB_TOKEN is not enough to query org-level projects
jobs:
conform-pr:
name: Conform PR
runs-on: ubuntu-22.04
timeout-minutes: 5
# No `trust` label check because we don't checkout PR's code.
# No `not ready` label to prevent accidental auto-merges: jobs skipped with `if` conditional are considered successful.
if: github.event_name == 'pull_request_target'
steps:
# Do not add a source code checkout step because we don't check the `trust` label.
# See the warning at the top of the file.
- name: Setup permissions monitoring
uses: GitHubSecurityLab/actions-permissions/monitor@v1
if: false
- name: Setup Go
uses: FerretDB/github-actions/setup-go@main
with:
cache-key: conform-pr
- name: Conform PR
uses: FerretDB/github-actions/conform-pr@main