1 | 1 | # Workflow derived from https://github.com/posit-dev/setup-air/tree/main/examples |
| 2 | + |
2 | 3 | on: |
3 | | - pull_request: |
| 4 | + # Using `pull_request_target` over `pull_request` for elevated `GITHUB_TOKEN` |
| 5 | + # privileges, otherwise we can't set `pull-requests: write` when the pull |
| 6 | + # request comes from a fork, which is our main use case (external contributors). |
| 7 | + # |
| 8 | + # `pull_request_target` runs in the context of the target branch (`main`, usually), |
| 9 | + # rather than in the context of the pull request like `pull_request` does. Due |
| 10 | + # to this, we must explicitly checkout `ref: ${{ github.event.pull_request.head.sha }}`. |
| 11 | + # This is typically frowned upon by GitHub, as it exposes you to potentially running |
| 12 | + # untrusted code in a context where you have elevated privileges, but they explicitly |
| 13 | + # call out the use case of reformatting and committing back / commenting on the PR |
| 14 | + # as a situation that should be safe (because we aren't actually running the untrusted |
| 15 | + # code, we are just treating it as passive data). |
| 16 | + # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ |
| 17 | + pull_request_target: |
4 | 18 |
5 | 19 | name: format-suggest.yaml |
6 | 20 |
7 | | -permissions: read-all |
8 | | - |
9 | 21 | jobs: |
10 | 22 | format-suggest: |
11 | 23 | name: format-suggest |
12 | 24 | runs-on: ubuntu-latest |
| 25 | + |
13 | 26 | permissions: |
| 27 | + # Required to push suggestion comments to the PR |
14 | 28 | pull-requests: write |
| 29 | + |
15 | 30 | steps: |
16 | | - - uses: actions/checkout@v4 |
| 31 | + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 |
| 32 | + with: |
| 33 | + ref: ${{ github.event.pull_request.head.sha }} |
17 | 34 |
18 | 35 | - name: Install |
19 | | - uses: posit-dev/setup-air@v1 |
| 36 | + uses: posit-dev/setup-air@63e80dedb6d275c94a3841e15e5ff8691e1ab237 # v1 |
20 | 37 |
21 | 38 | - name: Format |
22 | 39 | run: air format . |
23 | 40 |
24 | 41 | - name: Suggest |
25 | | - uses: reviewdog/action-suggester@v1 |
| 42 | + uses: reviewdog/action-suggester@4747dbc9f9e37adba0943e681cc20db466642158 # v1 |
26 | 43 | with: |
27 | 44 | level: error |
28 | 45 | fail_level: error |
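Review bot: The checkout at new lines 31–33 runs under `pull_request_target` with actions/checkout's default `persist-credentials: true`, so the elevated `GITHUB_TOKEN` is written into `.git/config` inside the untrusted PR tree that the `air format .` and suggester steps then operate on; since no step in this job pushes, add `persist-credentials: false` under `with:` alongside `ref:`. The safety argument in the new header comment (new lines 11–15) only holds while every step treats the checkout as passive data, so it is worth adding a sentence there that no step may run `Rscript`, install packages, or otherwise evaluate files from the tree, and that the formatter's own configuration file in the PR (`air.toml`, if present) is the one input it does read. The same comment could also note that `pull_request_target` takes the workflow definition from the base branch, so edits to this file in a PR only take effect after merge. Pinning all three actions to commit SHAs with a version comment (new lines 31, 36, 42) is the right call for this trigger.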