ci(github): fix checklist PR comment (#12180)

## Motivation Fix PR checklist on comment ## Implementation information To be able to leave a comment on a pull request we need `pull_request: write` permissions. Unfortunately github won't allow this level of permissions on PRs coming from forks. The way to get the permissions is to use `pull_request_target` as a triggering event. However, there are a lot of possible attack vectors when checking out code when using this event. Therefore we inline commitlint.config.js inside the action to not have to checkout any code and be able to run this action safely. ## Supporting documentation xrel: #11654 #11666 superseeds: #11674 - Why we remove the checkout: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ - Why we need `pull_request_target`: marocchino/sticky-pull-request-comment#930 part of: Kong/team-mesh#302 --------- Signed-off-by: Charly Molter <[email protected]>
kumahq · Dec 6, 2024 · ff16ad0 · ff16ad0
1 parent e16e71f
commit ff16ad0
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 56 deletions.
diff --git a/.github/commitlint.config.js b/.github/commitlint.config.js
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -1,20 +1,38 @@
 name: "PR health"
 on:
-  pull_request:
-    types:
-      - edited
-      - opened
-      - reopened
-      - synchronize
+  pull_request_target:
+    # !!!! Be especially careful with checkouts are we are using: pull_request_target
+    # See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+    types: [edited, opened, reopened, synchronize]
 permissions:
   contents: read
-  pull-requests: write
 jobs:
-  commit-lint:
+  pr-check:
     timeout-minutes: 10
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Add checklist comment
+        if: github.event.pull_request.author != 'app/dependabot'
+        uses: marocchino/sticky-pull-request-comment@44e0bad81007ecff41ba26d1cbf49a0267d28e9d # v2.9.0
+        with:
+          header: PR reviewer checklist
+          only_create: true
+          message: |
+            ## Reviewer Checklist
+            :mag: Each of these sections need to be checked by the reviewer of the PR :mag::
+            If something doesn't apply please check the box and add a justification if the reason is non obvious.
+
+            - [ ] Is the PR title satisfactory? Is this part of a larger feature and should be grouped using `> Changelog`?
+            - [ ] PR description is clear and complete. It [Links to relevant issue][1] as well as docs and UI issues
+            - [ ] This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as an image registry)
+            - [ ] IPv6 is taken into account (.e.g: no string concatenation of host port)
+            - [ ] Tests (Unit test, E2E tests, manual test on universal and k8s)
+                - Don't forget `ci/` labels to run additional/fewer tests
+            - [ ] Does this contain a change that needs to be notified to users? In this case, [`UPGRADE.md`](../blob/master/UPGRADE.md) should be updated.
+            - [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6), if you want to prevent it from adding the "backport" label use [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label)
+            [1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
       - name: Check PR title
         # This job checks the PR title using
         # https://github.com/conventional-changelog/commitlint
@@ -31,34 +49,23 @@ jobs:
         env:
           TITLE: ${{ github.event.pull_request.title }}
         run: |
-          npm install -g @commitlint/[email protected] @commitlint/[email protected]
-          commitlint --config .github/commitlint.config.js --edit=<(echo "${TITLE}")
-      - name: Maybe add backport label
-        if: github.event.action == 'synchronize' && false # disable until https://github.com/kumahq/kuma/issues/9482
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          PREDEFINED_GLOBS: ".github/**/*,Makefile,mk/**/*,tools/**/*,.golangci.yml,.kube-linter.yaml"
-          LABEL_TO_ADD: backport
-          NO_BACKPORT_AUTOLABEL: no-backport-autolabel
-        run: |
-          tools/ci/needs_backporting.sh "${{ github.repository }}" "${{ github.event.pull_request.number }}" "origin/${{ github.base_ref }}" "HEAD" "$PREDEFINED_GLOBS" "$LABEL_TO_ADD" "$NO_BACKPORT_AUTOLABEL"
-      - name: Add checklist comment
-        if: false # disable as it doesn't work github.event.action == 'opened' && github.event.pull_request.author != 'dependabot'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          CHECKLIST_MESSAGE: |
-            :mag: Each of these sections need to be checked by the reviewer of the PR :mag::
-            
-            If something doesn't apply please check the box and add a justification if the reason is non obvious.
-            
-            - [ ] Is the PR title satisfactory? Is this part of a larger feature and should be grouped using `> Changelog`?
-            - [ ] PR description is clear and complete. It [Link to relevant issue][1] as well as docs and UI issues
-            - [ ] This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as a image registry) 
-            - [ ] IPv6 is taken into account (.e.g: no concatenation of host port)
-            - [ ] Tests (Unit test, E2E tests, manual test on universal and k8s)
-                - Don't forget `ci/` labels to run additional/fewer tests
-            - [ ] Does this contain a change that needs to be notified to users? In this case it [`UPGRADE.md`](../blob/master/UPGRADE.md) should be updated.
-            - [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6), if you want to prevent it from adding the "backport" label use [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label)
-            [1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
-
-        run: echo '${{ env.CHECKLIST_MESSAGE }}' | gh pr comment -R "${{ github.repository }}" "${{ github.event.pull_request.number }}" -F -
+          echo '
+            module.exports = {
+              extends: ["@commitlint/config-conventional"],
+              helpUrl:
+                  "https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#commit-message-format",
+              rules: {
+                "body-max-line-length": [0],
+                "footer-max-line-length": [0],
+                "footer-leading-blank": [0],
+                "header-max-length": [0],
+                       // Disable some common mistyped scopes and some that should be used
+                "scope-enum": [2, "never", [
+                  "kumacp", "kumadp", "kumacni", "kumainit", "*", "madr", "test", "ci", "perf", "policies", "tests"
+                ]],
+                "scope-empty": [2, "never"]
+              },
+            };
+          ' > commitlint.config.js
+          npm install -g @commitlint/[email protected] @commitlint/[email protected]
+          echo "${{ env.TITLE }}" | commitlint --config commitlint.config.js