-
Notifications
You must be signed in to change notification settings - Fork 44
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #50 from pajlada/feat/split-up-review-and-post-wor…
…kflows Add split workflow, allowing the action to be used in PRs created from forks
- Loading branch information
Showing
13 changed files
with
1,078 additions
and
681 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
**/venv | ||
**/__pycache__ | ||
.git |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
__pycache__/ | ||
venv/ | ||
|
||
# Generated by review action | ||
clang-tidy-review-output.json | ||
clang-tidy-review-metadata.json | ||
|
||
# Generated by clang-tidy | ||
clang_tidy_review.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -98,6 +98,8 @@ at once, so `clang-tidy-review` will only attempt to post the first | |
- default: '25' | ||
- `lgtm_comment_body`: Message to post on PR if no issues are found. An empty string will post no LGTM comment. | ||
- default: 'clang-tidy review says "All clean, LGTM! :+1:"' | ||
- `split_workflow`: Only generate but don't post the review, leaving it for the second workflow. Relevant when receiving PRs from forks that don't have the required permissions to post reviews. | ||
- default: false | ||
|
||
## Outputs | ||
|
||
|
@@ -188,6 +190,86 @@ jobs: | |
base_dir: ${{ env.base_dir }} | ||
``` | ||
|
||
## Usage in fork environments (Split workflow) | ||
|
||
Actions from forks are limited in their permissions for your security. To support this use case, you can use the split workflow described below. | ||
|
||
Example lint workflow: | ||
|
||
```yaml | ||
name: clang-tidy-review | ||
# You can be more specific, but it currently only works on pull requests | ||
on: [pull_request] | ||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v2 | ||
# Optionally generate compile_commands.json | ||
- uses: ZedThree/[email protected] | ||
with: | ||
split_workflow: true | ||
- uses: actions/upload-artifact@v3 | ||
with: | ||
name: clang-tidy-review | ||
path: | | ||
clang-tidy-review-output.json | ||
clang-tidy-review-metadata.json | ||
``` | ||
|
||
Example post comments workflow: | ||
|
||
```yaml | ||
name: Post clang-tidy review comments | ||
on: | ||
workflow_run: | ||
# The name field of the lint action | ||
workflows: ["clang-tidy-review"] | ||
types: | ||
- completed | ||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
steps: | ||
# Downloads the artifact uploaded by the lint action | ||
- name: 'Download artifact' | ||
uses: actions/github-script@v6 | ||
with: | ||
script: | | ||
const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | ||
owner: context.repo.owner, | ||
repo: context.repo.repo, | ||
run_id: ${{github.event.workflow_run.id }}, | ||
}); | ||
const matchArtifact = artifacts.data.artifacts.filter((artifact) => { | ||
return artifact.name == "clang-tidy-review" | ||
})[0]; | ||
const download = await github.rest.actions.downloadArtifact({ | ||
owner: context.repo.owner, | ||
repo: context.repo.repo, | ||
artifact_id: matchArtifact.id, | ||
archive_format: 'zip', | ||
}); | ||
const fs = require('fs'); | ||
fs.writeFileSync('${{github.workspace}}/clang-tidy-review.zip', Buffer.from(download.data)); | ||
- name: 'Unzip artifact' | ||
run: unzip clang-tidy-review.zip | ||
- uses: ZedThree/clang-tidy-review/[email protected] | ||
``` | ||
|
||
The lint workflow runs with limited permissions, while the post comments workflow has the required permissions because it's triggered by the `workflow_run` event. | ||
Read more about workflow security limitations [here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). | ||
|
||
## Real world project samples | ||
|Project|Workflow| | ||
|----------|-------| | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
FROM python:3 | ||
|
||
COPY requirements.txt /requirements.txt | ||
|
||
RUN pip3 install --upgrade pip && \ | ||
pip3 install -r requirements.txt | ||
|
||
WORKDIR /action | ||
|
||
COPY post.py /action/post.py | ||
COPY clang_tidy_review /action/clang_tidy_review | ||
|
||
ENTRYPOINT ["/action/post.py"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Clang-Tidy Review - Post | ||
|
||
This is a child-action that only posts the review from the [parent action](../README.md). |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
name: 'clang-tidy review - post comments' | ||
author: 'Peter Hill' | ||
description: 'Create a pull request review based on warnings produced by the parent action' | ||
branding: | ||
icon: 'book-open' | ||
color: 'red' | ||
inputs: | ||
token: | ||
description: 'Authentication token' | ||
default: ${{ github.token }} | ||
required: false | ||
repo: | ||
default: ${{ github.repository }} | ||
max_comments: | ||
description: 'Maximum number of comments to post at once' | ||
required: false | ||
default: '25' | ||
lgtm_comment_body: | ||
description: 'Message to post on PR if no issues are found. An empty string will post no LGTM comment.' | ||
required: false | ||
default: 'clang-tidy review says "All clean, LGTM! :+1:"' | ||
outputs: | ||
total_comments: | ||
description: 'Total number of warnings from clang-tidy' | ||
runs: | ||
using: 'docker' | ||
image: 'Dockerfile' | ||
args: | ||
- --token=${{ inputs.token }} | ||
- --repo=${{ inputs.repo }} | ||
- --max-comments=${{ inputs.max_comments }} | ||
- --lgtm-comment-body='${{ inputs.lgtm_comment_body }}' |
Oops, something went wrong.