fix: handle fork PRs in lint workflow

[koxudaxi]

Summary by CodeRabbit

• Chores
  • Improved CI/CD workflow configuration to better handle pull requests from forked repositories and same-repository pull requests with enhanced authentication mechanisms for automated commits and workflow retriggering.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Restructures GitHub Actions lint workflow checkout steps to handle fork-aware scenarios. Introduces conditional logic for different event types: fork pull requests use explicit head ref/repository checkout, while same-repo PRs, pushes, and pull_request_target events use a separate checkout with PAT token for auto-commit capabilities. Maintains existing setup and git-auto-commit steps.

Changes

Cohort / File(s)	Change Summary
GitHub Actions Workflow Configuration \.github/workflows/lint.yaml``	Adds fork-aware checkout logic for pull requests from forks. Introduces separate conditional checkout for same-repo PRs, pushes, and pull_request_target events with explicit PAT token usage. Moves token usage from first to second checkout step while maintaining ref and repository resolution.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Fork detection and handling logic: Verify the conditional properly distinguishes fork vs. same-repo scenarios
• Token management: Ensure PAT token is correctly passed and used for auto-commit/workflow retrigger; validate security implications
• Checkout step ordering: Confirm the new conditional structure doesn't skip necessary steps for any event type combination

Poem

🐰 A workflow refined with a fork-aware touch,
Checkouts now dance with conditions and such,
PAT tokens flow where commits take flight,
Testing and linting, all working just right! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: handling fork PRs in the lint workflow by adjusting checkout logic and token usage for different event types.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/lint-workflow-fork-token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.33%. Comparing base (daa85a9) to head (254b860).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2706   +/-   ##
=======================================
  Coverage   99.33%   99.33%           
=======================================
  Files          81       81           
  Lines       11478    11478           
  Branches     1367     1367           
=======================================
  Hits        11402    11402           
  Misses         45       45           
  Partials       31       31           

Flag	Coverage Δ
unittests	99.33% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/lint.yaml (1)

21-28: Consider simplifying the second checkout conditional.

The current logic is correct, but the second checkout conditional could be simplified by inverting the first condition:

# Checkout for same-repo PRs, pushes, and pull_request_target (PAT for auto-commit and workflow retrigger)
- uses: actions/checkout@v4
  if: |
    github.event_name != 'pull_request' || 
    github.event.pull_request.head.repo.full_name == github.repository

This achieves the same result (runs for all cases except fork PRs) but is more concise. The current implementation is functional, so this is purely a readability suggestion.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between daa85a9 and 254b860.

📒 Files selected for processing (1)

• .github/workflows/lint.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

• GitHub Check: py312-black24 on Ubuntu
• GitHub Check: 3.14 on Windows
• GitHub Check: py312-black22 on Ubuntu
• GitHub Check: 3.11 on Windows
• GitHub Check: py312-isort5 on Ubuntu
• GitHub Check: py312-pydantic1 on Ubuntu
• GitHub Check: 3.10 on Windows
• GitHub Check: 3.12 on Windows
• GitHub Check: Analyze (python)
• GitHub Check: benchmarks

🔇 Additional comments (2)

.github/workflows/lint.yaml (2)

20-25: LGTM! Fork PR handling looks secure.

The fork-specific checkout correctly uses explicit head ref and repository without PAT, ensuring untrusted code doesn't have write access. The conditional logic properly identifies fork PRs.

---

26-32: Strengthen pull_request_target security model with additional controls.

Combining pull_request_target with checkout of untrusted PR code is a dangerous practice that may lead to malicious PR authors obtaining repository write permissions or stealing secrets. The second checkout (lines 26-32) checks out the PR head with PAT access, creating a risk window before the safe-to-fix label approval is applied.

While the job-level conditional gates execution behind manual approval, consider:

• Pin all action versions to specific commit SHAs rather than tags
• Add explicit validation that workflow files and linting commands haven't been modified in the PR before the label approval
• Document the security implications of the safe-to-fix label approval process for developers

[codspeed-hq]

CodSpeed Performance Report

Merging #2706 will not alter performance

_{Comparing fix/lint-workflow-fork-token (254b860) with main (daa85a9)}

Summary

✅ 52 untouched
⏩ 10 skipped¹

Footnotes

1. 10 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩