GEOPY-2799 #199
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name : Reviewdog PR Annotations | |
| # ========= | |
| # IMPORTANT | |
| # ========= | |
| # | |
| # TL;DR: | |
| # THIS ACTION SHOULD NOT RUN ANY CODE FROM THE PR BRANCH. | |
| # | |
| # This action is triggered after new events in Pull Requests (as the | |
| # `pull_request` trigger does), but this ones provides the workflow writing | |
| # permissions to the repo. | |
| # The second checkout step in each job checks out code from the PR branch. | |
| # Code from any PR branch should be treated as malicious! | |
| # Therefore, these action **SHOULD NOT RUN ANY CODE** from the PR branch since | |
| # the workflow has writting permisions. | |
| # Doing so introduces a high severity vulnerability that could be exploited to | |
| # gain access to secrets and/or introduce malicious code. | |
| # | |
| # For this particular workflow we need the writting permission in order for | |
| # reviewdog to publish comments in the PR. | |
| # zizmor will complain about the `pull_request_target` trigger, so we will | |
| # ignore it. | |
| # | |
| # Worth noting that the runner will execute the steps specified in the version | |
| # of this workflow file that lives in the **target branch** (usually `main`), | |
| # not the one in the Pull Request branch. This means that even if a contributor | |
| # opens a PR with a change to this file, the change won't be executed. This is | |
| # intended to prevent third-party contributors from running custom code with high | |
| # privileges on the repo. | |
| # | |
| # References: | |
| # * https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ | |
| # * PR that added this action: https://github.com/simpeg/simpeg/pull/1424 | |
| # * PR that added this warning: https://github.com/simpeg/simpeg/pull/1592 | |
| # | |
| on: [pull_request_target] # zizmor: ignore[dangerous-triggers] | |
| jobs: | |
| flake8: | |
| runs-on: ubuntu-latest | |
| name: Flake8 check | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Checkout target repository source | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Python env | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install dependencies to run the flake8 checks | |
| run: .ci/install_style.sh | |
| # Checkout PR branch. | |
| # TREAT THIS CODE AS MALICIOUS, DON'T RUN CODE FROM THIS BRANCH. | |
| - name: checkout pull request source | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| path: pr_source | |
| persist-credentials: false | |
| - name: flake8 review | |
| uses: reviewdog/action-flake8@b65981e158319f08cb7d0132f28bc0081e110adc # v3.15.2 | |
| with: | |
| workdir: pr_source | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| reporter: github-pr-review | |
| black: | |
| name: Black check | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Checkout target repository source | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Python env | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install dependencies to run the black checks | |
| run: .ci/install_style.sh | |
| # Checkout PR branch. | |
| # TREAT THIS CODE AS MALICIOUS, DON'T RUN CODE FROM THIS BRANCH. | |
| - name: checkout pull request source | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| path: 'pr_source' | |
| persist-credentials: false | |
| - uses: reviewdog/action-black@644053a260402bc4278a865906107bd8aef7fae8 # v3.22.4 | |
| with: | |
| workdir: 'pr_source' | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| reporter: github-pr-review |