From 4df13b568a49995e80d6c723d46f6440ea8656f3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 7 Jan 2026 21:41:08 +0000
Subject: [PATCH] refactor: improve workflow security and remove redundant exit code

- Remove pull_request_target to avoid executing untrusted fork code
- Remove redundant exit 1 from failure step
- Update documentation to reflect changes
- Standard pull_request trigger handles forks securely

Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>
---
 .github/BRANCH_PROTECTION.md      |  3 +--
 .github/workflows/shell-check.yml | 15 +--------------
 2 files changed, 2 insertions(+), 16 deletions(-)

diff --git a/.github/BRANCH_PROTECTION.md b/.github/BRANCH_PROTECTION.md
index 0fb01e7..04fb4cc 100644
--- a/.github/BRANCH_PROTECTION.md
+++ b/.github/BRANCH_PROTECTION.md
@@ -7,9 +7,8 @@ This repository uses GitHub Actions to ensure code quality before merging to `ma
 ### Shell Script Linting
 
 The `Shell Script Linting` workflow automatically runs on:
-- Pull requests targeting `main` or `master` branches
+- Pull requests targeting `main` or `master` branches (including from forks)
 - Direct pushes to `main` or `master` branches
-- Pull requests from forks (via `pull_request_target`)
 
 This workflow checks:
 - Shell script syntax with `shellcheck`
diff --git a/.github/workflows/shell-check.yml b/.github/workflows/shell-check.yml
index e755ff3..0fb7877 100644
--- a/.github/workflows/shell-check.yml
+++ b/.github/workflows/shell-check.yml
@@ -17,15 +17,6 @@ on:
       - '**.zsh'
       - '.github/workflows/shell-check.yml'
       - 'scripts/meta/shell_check.sh'
-  # Also run on pull_request_target for forks to ensure all PRs are checked
-  pull_request_target:
-    branches: [ main, master ]
-    paths:
-      - '**.sh'
-      - '**.bash'
-      - '**.zsh'
-      - '.github/workflows/shell-check.yml'
-      - 'scripts/meta/shell_check.sh'
 
 jobs:
   shellcheck:
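Review bot: Removing `pull_request_target` closes the untrusted-code path, but the lint job's token scope is still implicit — the `on:` block starts above the hunk and I cannot see a top-level `permissions:` key, so if none is declared the job inherits the repository's default `GITHUB_TOKEN` permissions. Since this workflow only checks out the tree and runs shellcheck, declaring `permissions:` with `contents: read` at the top of the file would make least privilege explicit instead of relying on the repository default. Under the plain `pull_request` trigger, fork PRs do still run, but without secrets and, depending on the repository's Actions settings, only after a maintainer approves the run for first-time contributors; the BRANCH_PROTECTION.md wording `(including from forks)` in the first hunk could carry that caveat in a short parenthetical.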
@@ -35,9 +26,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          # For pull_request_target, checkout the PR head
-          ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
       - name: Install shellcheck
         run: |
@@ -61,10 +49,9 @@ jobs:
         if: success()
         run: echo "✅ All shell scripts passed linting checks!"
 
-      - name: Fail on linting errors
+      - name: Provide help on failure
         if: failure()
         run: |
           echo "❌ Shell script linting failed!"
           echo "This check is required to merge PRs into main/master."
           echo "Please run 'bash scripts/meta/shell_check.sh' locally and fix any issues."
-          exit 1
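Review bot: Dropping the explicit `ref:` leaves `actions/checkout@v4` with its default ref, which for `pull_request` is the PR merge commit rather than the fork's head SHA — the right choice here, but the removed comment was the only place that intent was written down, so a one-line comment above `uses:` such as `# default ref: PR merge commit on pull_request, pushed ref on push — do not reintroduce head.sha` would stop a later contributor from re-adding the `with:` block. The action is also referenced by a mutable tag; pinning to a full commit SHA, `uses: actions/checkout@<full-commit-sha> # v4`, is the usual supply-chain hardening and keeps version updates reviewable. The steps list continues outside the hunk.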
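Review bot: `if: failure()` is true when any earlier step failed, including `Install shellcheck`, so the step now named `Provide help on failure` prints `Shell script linting failed!` even when linting never ran; with `exit 1` gone the job's exit status is correct, but the message can still mislead. Giving the lint step an `id` and gating this step on it, `if: failure() && steps.<lint-step-id>.outcome == 'failure'`, ties the help text to the failure it describes. The lint step itself is outside this hunk, so the id would need to be added there.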