-
Notifications
You must be signed in to change notification settings - Fork 4
Add verifyPeerReview.yml feature workflow #80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
17 commits
Select commit
Hold shift + click to select a range
1e4e2b3
Add verifyPeerReview.yml feature workflow (wired to no-op skeleton)
roryabraham 31ffec5
Bump actions/setup-node to v6.4.0 to match rest of repo
roryabraham 8d01608
Trim verifyPeerReview README to minimal description
roryabraham b6798e1
Remove verifyPeerReview-specific ruleset rollout note
roryabraham 7b56944
Merge branch 'main' into rory-peer-review-02e-workflow
roryabraham f1bb7cb
Run oxfmt
roryabraham 428c110
Update verifyPeerReview workflow per #636197 design
roryabraham be5c834
Remove workflow_dispatch from verifyPeerReview
roryabraham 6e6026e
Simplify comments
roryabraham 2621e11
Simplify verifyPeerReview README entry
roryabraham 7f79a76
Quote verify-peer-review CLI args via env vars
roryabraham a65c84c
Update .github/workflows/verifyPeerReview.yml
roryabraham fc7073f
Update .github/workflows/verifyPeerReview.yml
roryabraham 07ea077
Get rid of overly-verbose env
roryabraham f076089
Drop redundant comment
roryabraham 06ba5d2
Use single quotes to prevent bash injection
roryabraham bc612f2
Fix broken quoting
roryabraham File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| # This workflow is intended to be triggered by Rulesets for all PRs in the Expensify org to enforce that all code against protected branches is peer-reviewed. | ||
| # | ||
| # Security model: | ||
| # - pull_request_target runs this workflow file from the base branch, not the PR head. | ||
| # - Only GitHub-Actions@main is checked out for scripts. | ||
| # - Never checkout the repo where the PR lives. | ||
| # | ||
| # Thus, all code we run for the check is itself peer-reviewed, and the check can't be hacked, bypassed, or used to leak secrets. | ||
| # | ||
| # Ruleset caveats (branch/path filters in `on:` are ignored; default activity types only - `opened`, `synchronize`, `reopened`): | ||
| # https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#supported-event-triggers | ||
| name: Verify peer review | ||
| run-name: Verify peer review for ${{ github.repository }}#${{ github.event.pull_request.number }} | ||
|
|
||
| on: | ||
| pull_request_target: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
||
| jobs: | ||
| verifyPeerReview: | ||
| name: Check independent approval | ||
| runs-on: blacksmith-2vcpu-ubuntu-2404 | ||
| steps: | ||
| # v3.2.0 | ||
| - name: Generate a GitHub App token | ||
| id: generateAppToken | ||
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 | ||
| with: | ||
| client-id: '3877737' | ||
| private-key: ${{ secrets.PEER_REVIEW_CHECKER_PRIVATE_KEY }} | ||
| owner: ${{ github.event.pull_request.base.repo.owner.login }} | ||
| repositories: | | ||
| ${{ github.event.pull_request.base.repo.name }} | ||
| GitHub-Actions | ||
| permission-administration: read | ||
| permission-contents: read | ||
| permission-members: read | ||
| permission-metadata: read | ||
| permission-pull-requests: read | ||
|
|
||
| # v7.0.0 | ||
| - name: Checkout GitHub-Actions | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 | ||
| with: | ||
| repository: Expensify/GitHub-Actions | ||
| path: GitHub-Actions | ||
|
|
||
| # v6.4.0 | ||
| - name: Setup Node | ||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e | ||
| with: | ||
| node-version-file: GitHub-Actions/.nvmrc | ||
| cache: npm | ||
| cache-dependency-path: GitHub-Actions/package-lock.json | ||
|
|
||
| - name: Install npm packages | ||
| run: npm ci | ||
| working-directory: GitHub-Actions | ||
|
|
||
| - name: Verify peer review | ||
| run: >- | ||
| npm run verify-peer-review -- | ||
| --owner '${{ github.event.pull_request.base.repo.owner.login }}' | ||
| --repo '${{ github.event.pull_request.base.repo.name }}' | ||
| --pull-request-number '${{ github.event.pull_request.number }}' | ||
| --base-ref '${{ github.event.pull_request.base.ref }}' | ||
| working-directory: GitHub-Actions | ||
| env: | ||
| GITHUB_TOKEN: ${{ steps.generateAppToken.outputs.token }} | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this still safe if the PR is against the GH actions repo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, I think so. Because it uses the
pull_request_targettrigger, the version of the workflow in the PR base will run. The default checkout will also use the ref from the PR base.