Use a service account PAT for format workflow #58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Format pull request | |
on: | |
workflow_dispatch: | |
issue_comment: | |
types: [created] | |
permissions: {} | |
jobs: | |
# Handling workflow_dispatch is simple. Just checkout whatever branch it was run on. | |
# The workflow will run in that repository's context and thus can safely get write permissions. | |
manual-dispatch: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'workflow_dispatch' | |
permissions: | |
contents: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
# Credentials needed for pushing changes at the end. | |
# This is already the default, but for safety we are being explicit about this. | |
persist-credentials: true | |
# Commits made by workflow_dispatch trigger will trigger new workflows to run, | |
# so don't need to use SSH deploy key. | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af | |
with: | |
node-version: 20.x | |
- name: Install dependencies | |
run: npm ci | |
- name: Format | |
run: npm run format | |
- name: Commit | |
run: | | |
git config --global user.name "$GITHUB_ACTOR" | |
git config --global user.email "[email protected]" | |
git stage . | |
git commit --author "DangoCat[bot] <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit" | |
- name: Push | |
run: git push | |
# Comments are more complicated because the action runs in the context of TurboWarp/extensions but | |
# we are processing content from the possibly malicious pull request. We break this into two | |
# separate jobs. | |
# The first job downloads the pull request, formats it, and uploads the new files to an artifact. | |
# Important to have no permissions for this because the code can't be trusted. | |
comment-format-untrusted: | |
runs-on: ubuntu-latest | |
if: | | |
github.event_name == 'issue_comment' && | |
github.event.issue.pull_request && | |
contains(github.event.comment.body, '!format') && | |
( | |
github.event.comment.author_association == 'MEMBER' || | |
github.event.comment.user.id == github.event.issue.user.id | |
) | |
steps: | |
- name: Checkout upstream | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
repository: TurboWarp/extensions | |
persist-credentials: false | |
- name: Checkout pull request | |
run: gh pr checkout "$PR_NUM" | |
env: | |
PR_NUM: "${{ github.event.issue.number }}" | |
GH_TOKEN: "${{ github.token }}" | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af | |
with: | |
node-version: 20.x | |
- name: Install dependencies | |
run: npm ci | |
- name: Format | |
run: npm run format | |
- name: Upload formatted code | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b | |
with: | |
name: comment-format-untrusted-artifact | |
path: extensions/ | |
if-no-files-found: error | |
retention-days: 7 | |
# Second job downloads the artifact, extracts it, and pushes it. | |
comment-push: | |
runs-on: ubuntu-latest | |
needs: comment-format-untrusted | |
steps: | |
- name: Checkout upstream | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
repository: TurboWarp/extensions | |
# Commits made using the default token in an issue_comment trigger won't cause more | |
# workflows to run, so any commits it pushes will be stuck in limbo forever waiting | |
# for workflows to run that will never run. To workaround this, we use an SSH key | |
# instead. It's a GitHub deploy key so it's scoped only to this repository. | |
ssh-key: "${{ secrets.FORMAT_PR_DEPLOY_KEY }}" | |
# Credentials needed for pushing changes at the end. | |
# This is already the default, but for safety we are being explicit about this. | |
persist-credentials: true | |
- name: Checkout pull request | |
run: gh pr checkout "$PR_NUM" | |
env: | |
PR_NUM: "${{ github.event.issue.number }}" | |
GH_TOKEN: "${{ github.token }}" | |
- name: Download formatted code | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 | |
with: | |
name: comment-format-untrusted-artifact | |
path: extensions | |
- name: Commit | |
run: | | |
git config --global user.name "$GITHUB_ACTOR" | |
git config --global user.email "[email protected]" | |
git stage . | |
git commit --author "DangoCat[bot] <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit" | |
- name: Push | |
# Explicitly set push.default to upstream, otherwise by default git might complain about us being on a | |
# branch called "DangoCat/master" but the corresponding branch on remote "DangoCat" is just "master". | |
run: | | |
git config --global push.default upstream | |
git push |