diff --git a/.github/commitlint.config.js b/.github/commitlint.config.js
deleted file mode 100644
index deff804daeb9..000000000000
--- a/.github/commitlint.config.js
+++ /dev/null
@@ -1,16 +0,0 @@
-module.exports = {
- extends: ["@commitlint/config-conventional"],
- helpUrl:
- "https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#commit-message-format",
- rules: {
- "body-max-line-length": [0],
- "footer-max-line-length": [0],
- "footer-leading-blank": [0],
- "header-max-length": [0],
- // Disable some common mistyped scopes and some that should be used
- "scope-enum": [2, "never", [
- "kumacp", "kumadp", "kumacni", "kumainit", "*", "madr", "test", "ci", "perf", "policies", "tests"
- ]],
- "scope-empty": [2, "never"]
- },
-};
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index c6597dc5f430..9113cbd589dc 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -1,11 +1,9 @@
 name: "PR health"
 on:
- pull_request:
- types:
- - edited
- - opened
- - reopened
- - synchronize
+ pull_request_target:
+ # !!!! Be especially careful with checkouts are we are using: pull_request_target
+ # See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+ types: [edited, opened, reopened, synchronize]
 permissions:
 contents: read
 jobs:
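Review bot: The warning comment added under `pull_request_target:` is garbled ("checkouts are we are using") and never states the rule a later editor has to follow. Because this trigger runs the workflow definition from the base branch with the base repository's token and secrets, I would spell the rule out, e.g. `# SECURITY: pull_request_target runs with the base repo's token and secrets; never check out or execute code from the PR head here.`, and keep the existing `# See:` link after it. The workflow-level `permissions: contents: read` visible in the context lines is a good limit to keep. The `jobs:` body lies outside this hunk, so any job-level `permissions:` that widens it should be re-checked against the new trigger.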
@@ -35,8 +33,6 @@ jobs:
 - [ ] Does this contain a change that needs to be notified to users? In this case, [`UPGRADE.md`](../blob/master/UPGRADE.md) should be updated.
 - [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6), if you want to prevent it from adding the "backport" label use [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label)
 [1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
-
- - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 - name: Check PR title
 # This job checks the PR title using
 # https://github.com/conventional-changelog/commitlint
@@ -53,14 +49,23 @@ jobs:
 env:
 TITLE: ${{ github.event.pull_request.title }}
 run: |
- npm install -g @commitlint/cli@19.0.1 @commitlint/config-conventional@19.0.0
- commitlint --config .github/commitlint.config.js --edit=<(echo "${TITLE}")
- - name: Maybe add backport label
- if: github.event.action == 'synchronize' && false # disable until https://github.com/kumahq/kuma/issues/9482
- env:
- GITHUB_TOKEN: ${{ github.token }}
- PREDEFINED_GLOBS: ".github/**/*,Makefile,mk/**/*,tools/**/*,.golangci.yml,.kube-linter.yaml"
- LABEL_TO_ADD: backport
- NO_BACKPORT_AUTOLABEL: no-backport-autolabel
- run: |
- tools/ci/needs_backporting.sh "${{ github.repository }}" "${{ github.event.pull_request.number }}" "origin/${{ github.base_ref }}" "HEAD" "$PREDEFINED_GLOBS" "$LABEL_TO_ADD" "$NO_BACKPORT_AUTOLABEL"
+ echo '
+ module.exports = {
+ extends: ["@commitlint/config-conventional"],
+ helpUrl:
+ "https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#commit-message-format",
+ rules: {
+ "body-max-line-length": [0],
+ "footer-max-line-length": [0],
+ "footer-leading-blank": [0],
+ "header-max-length": [0],
+ // Disable some common mistyped scopes and some that should be used
+ "scope-enum": [2, "never", [
+ "kumacp", "kumadp", "kumacni", "kumainit", "*", "madr", "test", "ci", "perf", "policies", "tests"
+ ]],
+ "scope-empty": [2, "never"]
+ },
+ };
+ ' > commitlint.config.js
+ npm install -g @commitlint/cli@19.6.0 @commitlint/config-conventional@19.6.0
+ commitlint --config commitlint.config.js --edit=<(echo "${TITLE}")
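Review bot: The `npm install -g @commitlint/cli@19.6.0 @commitlint/config-conventional@19.6.0` line now runs under `pull_request_target`, so whatever the registry serves for those packages and their unpinned transitive dependencies executes in a job whose token and secrets belong to the base repository. Pinning the two top-level versions does not lock the dependency tree or verify integrity. At minimum, `npm install -g --ignore-scripts @commitlint/cli@19.6.0 @commitlint/config-conventional@19.6.0` should keep lifecycle scripts from running at install time, and a committed lockfile installed with `npm ci` from the base ref would pin the rest. Passing the title through the `TITLE` env variable instead of interpolating it into `run:` is the right pattern and should stay, though `printf '%s\n' "${TITLE}"` would be more robust than `echo` for titles that begin with `-n` or `-e`. The step's `name` and any `if` lines are outside this hunk.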