Bump projects/restheart from 8be1bc1
to dd0b9cf
#9339
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# This and other workflows that use `pull_request_target` event are dangerous | |
# and should be handled with a lot of care to avoid security problems. | |
# We use this event to give pull requests access to secrets with permissions to query projects, | |
# login into Docker registry, etc. | |
# But rogue PR authors could try to steal our secrets. | |
# We prevent that with the following: | |
# | |
# * We require approval for PRs from first-time contributors. That's a built-in feature for all actions. | |
# * For workflows that checkout source code, | |
# we require the `trust` label to be assigned to PRs by FerretDB maintainers after reviewing changes. | |
# Only a few trusted people have permission to do that. | |
# * Thanks to the way `pull_request_target` trigger works, | |
# PR changes in the workflow itself are not run until they are merged. | |
# * We use a short-lived automatic `GITHUB_TOKEN` instead of a long-living personal access token (PAT) where possible. | |
# * Both `GITHUB_TOKEN`s and PATs have minimal permissions. | |
# * We publish Docker images from PRs as a separate packages that should not be run by users. | |
# * We limit what third-party actions can be used. | |
# | |
# Relevant GitHub documentation is a bit scattered. The first article gives a good overview: | |
# * https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
# * https://docs.github.com/en/actions/security-guides/automatic-token-authentication | |
# * https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
name: Conform PR | |
on: | |
pull_request_target: | |
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target | |
# List all types to make it easier to enable new ones when they are needed. | |
types: | |
- assigned | |
- unassigned | |
- labeled | |
- unlabeled | |
- opened | |
- edited | |
# - closed | |
- reopened | |
- synchronize | |
- converted_to_draft | |
- ready_for_review | |
# - locked | |
- unlocked | |
- review_requested | |
- review_request_removed | |
- auto_merge_enabled | |
- auto_merge_disabled | |
# Do not run this workflow in parallel for any PR change. | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} | |
cancel-in-progress: false | |
env: | |
GOPATH: /home/runner/go | |
GOCACHE: /home/runner/go/cache | |
GOLANGCI_LINT_CACHE: /home/runner/go/cache/lint | |
GOMODCACHE: /home/runner/go/mod | |
GOPROXY: https://proxy.golang.org | |
GOTOOLCHAIN: local | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
CONFORM_TOKEN: ${{ secrets.CONFORM_TOKEN }} # repo-scoped GITHUB_TOKEN is not enough to query org-level projects | |
jobs: | |
conform-pr: | |
name: Conform PR | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 5 | |
# No `trust` label check because we don't checkout PR's code. | |
# No `not ready` label to prevent accidental auto-merges: jobs skipped with `if` conditional are considered successful. | |
if: github.event_name == 'pull_request_target' | |
steps: | |
# Do not add a source code checkout step because we don't check the `trust` label. | |
# See the warning at the top of the file. | |
- name: Setup Go | |
uses: FerretDB/github-actions/setup-go@main | |
with: | |
cache-key: conform-pr | |
- name: Conform PR | |
uses: FerretDB/github-actions/conform-pr@main |