database/doris
2
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
034aa20b0aaba53fef8ceca5a75fa65188d93bc9
doris/.github/workflows/shellcheck.yml
Adonis Ling 72b909b5e8 [enhancement](workflow) Enable the shellcheck workflow to comment the PRs (#12633) 
> Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by 
default prevents write permissions and secrets access to the target repository. However, in some scenarios such 
access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.

According to the article [Keeping your GitHub Actions and workflows secure](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) , the trigger condition in 
`shellcheck.yml` which is `pull_request` can't comment the PR due to the lack of write permissions of the workflow.

Despite the `ShellCheck` workflow checkouts the source, but it doesn't build and test the source code. I think it is safe 
to change the trigger condition from `pull_request` to `pull_request_target` which can make the workflow have write 
permissions to comment the PR.
2022-09-27 09:08:12 +08:00

53 lines
1.9 KiB
YAML
Raw Blame History

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
name: ShellCheck
on: [push, pull_request_target]
jobs:
shellcheck:
name: ShellCheck
runs-on: ubuntu-latest
steps:
- name: Checkout ${{ github.ref }} ( ${{ github.sha }} )
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v3
with:
submodules: recursive
- name: Checkout ${{ github.ref }} ( ${{ github.event.pull_request.head.sha }} )
if: ${{ github.event_name == 'pull_request_target' }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
submodules: recursive
- name: Patch
run: |
pushd .github/actions/action-sh-checker >/dev/null
git apply ../patches/action-sh-checker.patch
popd >/dev/null
- name: Run ShellCheck
uses: ./.github/actions/action-sh-checker
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
sh_checker_comment: true
sh_checker_exclude: .git .github ^thirdparty/src ^thirdparty/installed ^ui ^docs/node_modules ^tools/clickbench-tools ^extension ^output ^fs_brokers/apache_hdfs_broker/output
Reference in New Issue View Git Blame Copy Permalink