mirror of
https://github.com/kuhyx/scripts.git
synced 2026-07-04 15:03:09 +02:00
refactor: improve workflow security and remove redundant exit code
- Remove pull_request_target to avoid executing untrusted fork code
- Remove redundant exit 1 from failure step
- Update documentation to reflect changes
- Standard pull_request trigger handles forks securely

Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>
parent
21ec8f050b
commit
4df13b568a
3
.github/BRANCH_PROTECTION.md
vendored
@ -7,9 +7,8 @@ This repository uses GitHub Actions to ensure code quality before merging to `ma
|
|||||||
### Shell Script Linting
|
### Shell Script Linting
|
||||||
|
|
||||||
The `Shell Script Linting` workflow automatically runs on:
|
The `Shell Script Linting` workflow automatically runs on:
|
||||||
- Pull requests targeting `main` or `master` branches
|
- Pull requests targeting `main` or `master` branches (including from forks)
|
||||||
- Direct pushes to `main` or `master` branches
|
- Direct pushes to `main` or `master` branches
|
||||||
- Pull requests from forks (via `pull_request_target`)
|
|
||||||
|
|
||||||
This workflow checks:
|
This workflow checks:
|
||||||
- Shell script syntax with `shellcheck`
|
- Shell script syntax with `shellcheck`
|
||||||
|
|||||||
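Review bot: the rewritten bullet "Pull requests targeting `main` or `master` branches (including from forks)" drops the `pull_request_target` mention without recording why. Since this file documents the branch protection setup, consider adding one sentence stating that the workflow deliberately uses only the `pull_request` trigger to avoid executing untrusted fork code (the reason given in the commit message), so a later contributor does not re-add `pull_request_target` to "fix" fork coverage.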
15
.github/workflows/shell-check.yml
vendored
@ -17,15 +17,6 @@ on:
|
|||||||
- '**.zsh'
|
- '**.zsh'
|
||||||
- '.github/workflows/shell-check.yml'
|
- '.github/workflows/shell-check.yml'
|
||||||
- 'scripts/meta/shell_check.sh'
|
- 'scripts/meta/shell_check.sh'
|
||||||
# Also run on pull_request_target for forks to ensure all PRs are checked
|
|
||||||
pull_request_target:
|
|
||||||
branches: [ main, master ]
|
|
||||||
paths:
|
|
||||||
- '**.sh'
|
|
||||||
- '**.bash'
|
|
||||||
- '**.zsh'
|
|
||||||
- '.github/workflows/shell-check.yml'
|
|
||||||
- 'scripts/meta/shell_check.sh'
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
shellcheck:
|
shellcheck:
|
||||||
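Review bot: with the `pull_request_target:` block gone, fork coverage rests entirely on the `pull_request:` trigger above this hunk, which is only partly visible here. Please confirm it carries the same `branches: [ main, master ]` filter and the same five `paths` entries as the removed block, so that no PR that was linted before now goes unchecked. While tightening this workflow, a top-level `permissions:` block with `contents: read` would be worth adding if it is not already set, since nothing shown here needs more than read access.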
@ -35,9 +26,6 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
|
||||||
# For pull_request_target, checkout the PR head
|
|
||||||
ref: ${{ github.event.pull_request.head.sha || github.ref }}
|
|
||||||
|
|
||||||
- name: Install shellcheck
|
- name: Install shellcheck
|
||||||
run: |
|
run: |
|
||||||
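Review bot: `uses: actions/checkout@v4` in the "Checkout code" step still references a mutable tag. Since this commit is a security hardening pass, consider pinning the action to a full commit SHA and keeping a `with:` block that sets only `persist-credentials: false`, as nothing shown in this workflow pushes back to the repository. Dropping the `ref: ${{ github.event.pull_request.head.sha || github.ref }}` override itself looks right: once `pull_request_target` is gone, the default ref is the one that should be checked out.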
@ -61,10 +49,9 @@ jobs:
|
|||||||
if: success()
|
if: success()
|
||||||
run: echo "✅ All shell scripts passed linting checks!"
|
run: echo "✅ All shell scripts passed linting checks!"
|
||||||
|
|
||||||
- name: Fail on linting errors
|
- name: Provide help on failure
|
||||||
if: failure()
|
if: failure()
|
||||||
run: |
|
run: |
|
||||||
echo "❌ Shell script linting failed!"
|
echo "❌ Shell script linting failed!"
|
||||||
echo "This check is required to merge PRs into main/master."
|
echo "This check is required to merge PRs into main/master."
|
||||||
echo "Please run 'bash scripts/meta/shell_check.sh' locally and fix any issues."
|
echo "Please run 'bash scripts/meta/shell_check.sh' locally and fix any issues."
|
||||||
exit 1
|
|
||||||
|
|||||||
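Review bot: with `exit 1` removed from the "Provide help on failure" step, the job's failing status comes solely from whichever earlier step failed, since `if: failure()` only fires after one has. Please confirm that the lint step (outside this hunk) exits non-zero on findings and is not marked `continue-on-error` or suffixed with `|| true`; otherwise this step never runs and the required check passes silently. The message "This check is required to merge PRs into main/master." can stay as is.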