

Use shallow checkout with github token for linting jobs
These jobs do not rely on versioned source, so they
can default to the pull request HEAD sha and fall back
to the github ref for other event types.

Using the github ref is not appropriate for pull_request_target
events where the ref/sha is always the base branch.

Change-type: minor
Signed-off-by: Kyle Harding <[email protected]>
klutchell committed Jan 17, 2025
1 parent 954b36e commit 9fb5218
Showing 2 changed files with 62 additions and 45 deletions.
16 changes: 10 additions & 6 deletions .github/workflows/flowzone.yml


91 changes: 52 additions & 39 deletions flowzone.yml
Expand Up @@ -185,6 +185,21 @@
ref: "${{ needs.versioned_source.outputs.sha || '¯\_(ツ)_/¯' }}"
<<: *checkoutAuth

- &shallowCheckout # https://github.com/actions/checkout
name: Checkout source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# Disable submodules and deep cloning.
fetch-depth: 1
submodules: false
# Do not persist credentials.
persist-credentials: false
# Use the automatic actions token with contents:read permissions
token: ${{ github.token }}
# Use the tip of the pull request branch for pull request (target) events.
# Use the event sha for other events.
ref: ${{ github.event.pull_request.head.sha || github.sha }}

- &resetGitHubDirectory
# checkout the tip of BASE if the PR is from a fork
# or the merge commit if the PR is internal
Expand Down Expand Up @@ -1168,7 +1183,6 @@ jobs:
<<: *gitHubCliEnvironment

steps:

- <<: *getGitHubAppToken
with:
<<: *getGitHubAppTokenWith
Expand Down Expand Up @@ -1675,16 +1689,13 @@ jobs:
# No need for the Flowzone Installation App token here as we are not cloning
# submodules so the automatic actions token scoped to the repo is fine.

# Disable submodules and deep cloning.
# Do not persist credentials.
# Use the automatic actions token with contents:read permissions.
# Use the tip of the pull request branch for pull request (target) events.
# Use the event sha for other events.
# https://github.com/actions/checkout
- name: Checkout event ref
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# We only need to scan workflow files, so disable submodules and deep cloning
fetch-depth: 1
submodules: false
persist-credentials: false
# Use the automatic actions token with contents:read permissions
token: ${{ github.token }}
- *shallowCheckout

# https://github.com/actions/toolkit/blob/master/docs/problem-matchers.md
- name: Add problem matcher
Expand Down Expand Up @@ -1723,7 +1734,6 @@ jobs:
contents: read # required for checkout without submodules

steps:

- <<: *getGitHubAppToken
with:
<<: *getGitHubAppTokenWith
Expand All @@ -1735,16 +1745,13 @@ jobs:
"security_events": "write"
}
# Disable submodules and deep cloning.
# Do not persist credentials.
# Use the automatic actions token with contents:read permissions.
# Use the tip of the pull request branch for pull request (target) events.
# Use the event sha for other events.
# https://github.com/actions/checkout
- name: Checkout event ref
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# We only need to scan workflow files, so disable submodules and deep cloning
fetch-depth: 1
submodules: false
persist-credentials: false
# Use the automatic actions token with contents:read permissions
token: ${{ github.token }}
- *shallowCheckout

# https://github.com/synacktiv/octoscan
# https://github.com/synacktiv/action-octoscan
Expand Down Expand Up @@ -1822,18 +1829,21 @@ jobs:
with:
github-token: ${{ github.token }}
result-encoding: json
# Use the tip of the pull request branch for pull request (target) events.
# Use the event sha for other events.
script: |
const { data } = await github.rest.repos.getContent({
owner: context.repo.owner,
repo: context.repo.repo,
ref: context.ref
ref: context.payload.pull_request.head.sha || context.ref
});
return data
.filter(item => item.type === 'file')
.map(item => item.name);
# Use GitHub REST API to safely get contents, limiting to one directory
# https://github.com/actions/github-script
# https://octokit.github.io/rest.js/v21/#repos-get-content
- name: List files in working directory
id: working-dir
Expand All @@ -1844,20 +1854,21 @@ jobs:
with:
github-token: ${{ github.token }}
result-encoding: json
# remove preceeding ./ from the working directory if it exists
# Use the tip of the pull request branch for pull request (target) events.
# Use the event sha for other events.
# Remove preceeding ./ from the working directory if it exists.
script: |
const { data } = await github.rest.repos.getContent({
owner: context.repo.owner,
repo: context.repo.repo,
ref: context.ref,
ref: context.payload.pull_request.head.sha || context.ref,
path: process.env.WORKING_DIRECTORY.startsWith('./') ? process.env.WORKING_DIRECTORY.slice(2) : process.env.WORKING_DIRECTORY
});
return data
.filter(item => item.type === 'file')
.map(item => item.name);
# Run pre-commit hooks if the config file exists in the project root.
# This step will fail if the hooks find any differences after running.
# Pre-commit hooks are useful projects for that don't use npm & husky.
Expand All @@ -1881,17 +1892,13 @@ jobs:
contents: read # Required to checkout source project, without submodules

steps:
# Disable submodules and deep cloning.
# Do not persist credentials.
# Use the automatic actions token with contents:read permissions.
# Use the tip of the pull request branch for pull request (target) events.
# Use the event sha for other events.
# https://github.com/actions/checkout
- &checkoutEventRef
name: Checkout event ref
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# We only need to scan workflow files, so disable submodules and deep cloning
fetch-depth: 1
submodules: false
persist-credentials: false
# Use the automatic actions token with contents:read permissions
token: ${{ github.token }}
- *shallowCheckout

# https://github.com/actions/setup-python
- *setupPython
Expand Down Expand Up @@ -1922,7 +1929,7 @@ jobs:
contents: read # Required to checkout source project, without submodules

outputs:
npm: 'true'
npm: "true"
has_npm_lockfile: ${{ contains(needs.file_list.outputs.workdir, 'package-lock.json') || contains(needs.file_list.outputs.workdir, 'npm-shrinkwrap.json') }}
npm_private: ${{ steps.package_json.outputs.private }}
npm_docs: ${{ steps.package_json.outputs.docs }}
Expand All @@ -1932,11 +1939,17 @@ jobs:
max_node_version: ${{ steps.node_versions.outputs.max }}

env:
NODE_VERSIONS: '[]'
PACKAGE_JSON_PATH: '${{ inputs.working_directory }}/package.json'
NODE_VERSIONS: "[]"
PACKAGE_JSON_PATH: "${{ inputs.working_directory }}/package.json"

steps:
- *checkoutEventRef
# Disable submodules and deep cloning.
# Do not persist credentials.
# Use the automatic actions token with contents:read permissions.
# Use the tip of the pull request branch for pull request (target) events.
# Use the event sha for other events.
# https://github.com/actions/checkout
- *shallowCheckout

- name: Process package.json
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
Expand Down Expand Up @@ -1969,7 +1982,7 @@ jobs:

- <<: *setupNode
env:
# renovate: datasource=node-version depName=node packageName=node-18.x
# renovate: datasource=node-version depName=node packageName=node-18.x
NODE_VERSION: 18.20.5

# https://www.npmjs.com/package/check-engine
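Review bot: The new `&shallowCheckout` anchor checks out `github.event.pull_request.head.sha` on `pull_request_target`, which is untrusted fork code, yet the jobs that now reuse it are not all read-only consumers: the octoscan job obtains an App token with `"security_events": "write"` before the checkout, and the pre-commit job runs hooks taken from the checked-out `.pre-commit-config.yaml`, so a PR author can execute arbitrary commands in that job. `persist-credentials: false` and `contents: read` protect only the git credential, not App tokens held in step outputs/env or any secrets a `pull_request_target` run has access to. I would state the constraint on the anchor itself, e.g. `# SECURITY: on pull_request_target this is untrusted fork code; only reuse this anchor in jobs that hold no App token or secrets and do not execute repository content (hooks, npm scripts).`. The workflow triggers and job-level `secrets`/`inputs` are outside these hunks, so please confirm the pre-commit and package.json jobs either never run under `pull_request_target` or receive no secrets/App token when they do. Stylistically, the six-line comment block repeated above `- *shallowCheckout` in the npm job duplicates the comments already on the anchor while the other three alias sites carry none; drop it or keep all sites consistent.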
