inline commitlint and remove checkout in pr-check

This is necessary in order to safely run with pull_request_target we simply don't checkout any code so this workflow can execute safely on forks Signed-off-by: Charly Molter <[email protected]>
kumahq · Dec 5, 2024 · 39c67d3 · 39c67d3
1 parent ed882aa
commit 39c67d3
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 35 deletions.
diff --git a/.github/commitlint.config.js b/.github/commitlint.config.js
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -1,11 +1,9 @@
 name: "PR health"
 on:
-  pull_request:
-    types:
-      - edited
-      - opened
-      - reopened
-      - synchronize
+  pull_request_target:
+    # !!!! Be especially careful with checkouts are we are using: pull_request_target
+    # See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+    types: [edited, opened, reopened, synchronize]
 permissions:
   contents: read
 jobs:
@@ -35,8 +33,6 @@ jobs:
             - [ ] Does this contain a change that needs to be notified to users? In this case, [`UPGRADE.md`](../blob/master/UPGRADE.md) should be updated.
             - [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6), if you want to prevent it from adding the "backport" label use [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label)
             [1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
-
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: Check PR title
         # This job checks the PR title using
         # https://github.com/conventional-changelog/commitlint
@@ -53,14 +49,23 @@ jobs:
         env:
           TITLE: ${{ github.event.pull_request.title }}
         run: |
-          npm install -g @commitlint/[email protected] @commitlint/[email protected]
-          commitlint --config .github/commitlint.config.js --edit=<(echo "${TITLE}")
-      - name: Maybe add backport label
-        if: github.event.action == 'synchronize' && false # disable until https://github.com/kumahq/kuma/issues/9482
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          PREDEFINED_GLOBS: ".github/**/*,Makefile,mk/**/*,tools/**/*,.golangci.yml,.kube-linter.yaml"
-          LABEL_TO_ADD: backport
-          NO_BACKPORT_AUTOLABEL: no-backport-autolabel
-        run: |
-          tools/ci/needs_backporting.sh "${{ github.repository }}" "${{ github.event.pull_request.number }}" "origin/${{ github.base_ref }}" "HEAD" "$PREDEFINED_GLOBS" "$LABEL_TO_ADD" "$NO_BACKPORT_AUTOLABEL"
+          echo '
+            module.exports = {
+              extends: ["@commitlint/config-conventional"],
+              helpUrl:
+                  "https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#commit-message-format",
+              rules: {
+                "body-max-line-length": [0],
+                "footer-max-line-length": [0],
+                "footer-leading-blank": [0],
+                "header-max-length": [0],
+                       // Disable some common mistyped scopes and some that should be used
+                "scope-enum": [2, "never", [
+                  "kumacp", "kumadp", "kumacni", "kumainit", "*", "madr", "test", "ci", "perf", "policies", "tests"
+                ]],
+                "scope-empty": [2, "never"]
+              },
+            };
+          ' > commitlint.config.js
+          npm install -g @commitlint/[email protected] @commitlint/[email protected]
+          commitlint --config commitlint.config.js --edit=<(echo "${TITLE}")