refactor: improve workflow security and remove redundant exit code

- Remove pull_request_target to avoid executing untrusted fork code
- Remove redundant exit 1 from failure step
- Update documentation to reflect changes
- Standard pull_request trigger handles forks securely

Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>
copilot-swe-agent[bot] 2026-01-07 21:41:08 +00:00
parent 21ec8f050b
commit 4df13b568a
2 changed files with 2 additions and 16 deletions

@ -7,9 +7,8 @@ This repository uses GitHub Actions to ensure code quality before merging to `ma
### Shell Script Linting
The `Shell Script Linting` workflow automatically runs on:
- Pull requests targeting `main` or `master` branches
- Pull requests targeting `main` or `master` branches (including from forks)
- Direct pushes to `main` or `master` branches
- Pull requests from forks (via `pull_request_target`)
This workflow checks:
- Shell script syntax with `shellcheck`
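
Review bot: The new bullet `Pull requests targeting main or master branches (including from forks)` says fork PRs are covered but not by which trigger, so a reader cannot tell that `pull_request_target` was left out on purpose. Suggest adding one sentence stating that the workflow runs only on `pull_request` and `push`, and that a fork PR run may wait for maintainer approval depending on repository settings, so "automatically runs" is not read as unconditional.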

@ -17,15 +17,6 @@ on:
- '**.zsh'
- '.github/workflows/shell-check.yml'
- 'scripts/meta/shell_check.sh'
# Also run on pull_request_target for forks to ensure all PRs are checked
pull_request_target:
branches: [ main, master ]
paths:
- '**.sh'
- '**.bash'
- '**.zsh'
- '.github/workflows/shell-check.yml'
- 'scripts/meta/shell_check.sh'
jobs:
shellcheck:
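
Review bot: No top-level `permissions:` block is visible between the `on:` triggers and `jobs:` once the `pull_request_target` block is removed. If the file does not set one elsewhere, add `permissions:` with `contents: read` so the `push` runs on `main`/`master` also get a read-only token, instead of relying on the repository default. The remaining `paths:` entry for `scripts/meta/shell_check.sh` means a PR can change the lint script that the job then runs, which is acceptable under `pull_request` but is a second reason to keep the token scoped down explicitly.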
@ -35,9 +26,6 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
# For pull_request_target, checkout the PR head
ref: ${{ github.event.pull_request.head.sha || github.ref }}
- name: Install shellcheck
run: |
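
Review bot: With the `ref:` override gone, `uses: actions/checkout@v4` is still pinned to a mutable tag. Suggest pinning it to a full commit SHA with the version in a trailing comment, and setting `persist-credentials: false` under `with:`, since the job only lints and does not need the token left in the local git config. Note also that the default checkout on `pull_request` is the merge ref rather than the PR head SHA that the removed line selected, so results reflect the merged tree; worth a line in the commit message or docs if anyone relied on the old behaviour.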
@ -61,10 +49,9 @@ jobs:
if: success()
run: echo "✅ All shell scripts passed linting checks!"
- name: Fail on linting errors
- name: Provide help on failure
if: failure()
run: |
echo "❌ Shell script linting failed!"
echo "This check is required to merge PRs into main/master."
echo "Please run 'bash scripts/meta/shell_check.sh' locally and fix any issues."
exit 1
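
Review bot: The `if: failure()` condition on `Provide help on failure` fires for any failed earlier step, including `Checkout code` or `Install shellcheck`, in which case "Shell script linting failed!" is misleading. Suggest giving the lint step an `id` and gating this step on that step's outcome (`steps.<id>.outcome == 'failure'`). Dropping `exit 1` is fine, because the job is already marked failed by the step that triggered `failure()`.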