On new PR #16474
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: On new PR | |
# PROCESS | |
# | |
# 1. Fetch PR details previously saved from untrusted location | |
# 2. Parse details for safety | |
# 3. Confirm there is a related issue for newly opened PR | |
# 4. Verify if PR template is used and legal acknowledgement hasn't been removed | |
# USAGE | |
# | |
# NOTE: meant to be used with ./.github/workflows/record_pr.yml | |
# | |
# Security Note: | |
# | |
# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`. | |
# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN. | |
# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs. | |
# | |
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, | |
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. | |
on: | |
workflow_run: | |
workflows: ["Record PR details"] | |
types: | |
- completed | |
permissions: | |
contents: read | |
jobs: | |
get_pr_details: | |
permissions: | |
actions: read # download PR artifact | |
contents: read # checkout code | |
if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
uses: ./.github/workflows/reusable_export_pr_details.yml | |
with: | |
record_pr_workflow_id: ${{ github.event.workflow_run.id }} | |
workflow_origin: ${{ github.event.repository.full_name }} | |
secrets: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
check_related_issue: | |
permissions: | |
pull-requests: write # label and comment on PR if missing related issue (requirement) | |
needs: get_pr_details | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- name: "Ensure related issue is present" | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} | |
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} | |
PR_ACTION: ${{ needs.get_pr_details.outputs.prAction }} | |
PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const script = require('.github/scripts/label_missing_related_issue.js') | |
await script({github, context, core}) | |
check_acknowledge_section: | |
needs: get_pr_details | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write # label and comment on PR if missing acknowledge section (requirement) | |
steps: | |
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- name: "Ensure acknowledgement section is present" | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} | |
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} | |
PR_ACTION: ${{ needs.get_pr_details.outputs.prAction }} | |
PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const script = require('.github/scripts/label_missing_acknowledgement_section.js') | |
await script({github, context, core}) |