mirror of
https://github.com/kuhyx/scripts.git
synced 2026-07-04 13:03:05 +02:00
refactor: improve workflow security and remove redundant exit code
- Remove pull_request_target to avoid executing untrusted fork code
- Remove redundant exit 1 from failure step
- Update documentation to reflect changes
- Standard pull_request trigger handles forks securely

Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>
parent 21ec8f050b
commit 4df13b568a
3
.github/BRANCH_PROTECTION.md
vendored
@ -7,9 +7,8 @@ This repository uses GitHub Actions to ensure code quality before merging to `ma
|
||||
### Shell Script Linting
|
||||
|
||||
The `Shell Script Linting` workflow automatically runs on:
|
||||
- Pull requests targeting `main` or `master` branches
|
||||
- Pull requests targeting `main` or `master` branches (including from forks)
|
||||
- Direct pushes to `main` or `master` branches
|
||||
- Pull requests from forks (via `pull_request_target`)
|
||||
|
||||
This workflow checks:
|
||||
- Shell script syntax with `shellcheck`
|
||||
|
||||
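Review bot: the reworded bullet "Pull requests targeting `main` or `master` branches (including from forks)" asserts fork coverage, but the document now says nothing about why `pull_request_target` is absent. Add one sentence stating that the trigger is deliberately not used because it would execute untrusted fork code (the reason given in the commit message), so a later contributor does not reintroduce it to "fix" fork handling.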
15
.github/workflows/shell-check.yml
vendored
@ -17,15 +17,6 @@ on:
|
||||
- '**.zsh'
|
||||
- '.github/workflows/shell-check.yml'
|
||||
- 'scripts/meta/shell_check.sh'
|
||||
# Also run on pull_request_target for forks to ensure all PRs are checked
|
||||
pull_request_target:
|
||||
branches: [ main, master ]
|
||||
paths:
|
||||
- '**.sh'
|
||||
- '**.bash'
|
||||
- '**.zsh'
|
||||
- '.github/workflows/shell-check.yml'
|
||||
- 'scripts/meta/shell_check.sh'
|
||||
|
||||
jobs:
|
||||
shellcheck:
|
||||
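Review bot: in the context following the removed `pull_request_target:` block, `jobs:` comes straight after the `on:` path filters with no top-level `permissions:` key between them. If the file does not set one elsewhere, add `permissions:` with `contents: read` so the token scope for this lint job is explicit rather than inherited from repository defaults. The removal itself looks right; it is also worth confirming that the remaining `pull_request` block above this hunk carries the same `branches: [ main, master ]` filter that the deleted block had, since only its `paths` entries are visible here.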
@ -35,9 +26,6 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
# For pull_request_target, checkout the PR head
|
||||
ref: ${{ github.event.pull_request.head.sha || github.ref }}
|
||||
|
||||
- name: Install shellcheck
|
||||
run: |
|
||||
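Review bot: on the `Checkout code` step, `uses: actions/checkout@v4` still references a mutable tag; since this commit is about hardening the workflow, pin it to a full commit SHA with the version in a trailing comment. Dropping the `ref: ${{ github.event.pull_request.head.sha || github.ref }}` override is correct, but note that the job now lints whatever ref the checkout action selects by default for the event instead of the PR head SHA; if head-only linting was intended, say so in a comment on the step.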
@ -61,10 +49,9 @@ jobs:
|
||||
if: success()
|
||||
run: echo "✅ All shell scripts passed linting checks!"
|
||||
|
||||
- name: Fail on linting errors
|
||||
- name: Provide help on failure
|
||||
if: failure()
|
||||
run: |
|
||||
echo "❌ Shell script linting failed!"
|
||||
echo "This check is required to merge PRs into main/master."
|
||||
echo "Please run 'bash scripts/meta/shell_check.sh' locally and fix any issues."
|
||||
exit 1
|
||||
|
||||
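Review bot: the `if: success()` on the step that echoes "All shell scripts passed linting checks!" is redundant, because a step without an `if:` already runs only when the previous steps succeeded; drop it for consistency with the cleanup done here. Removing `exit 1` from `Provide help on failure` is fine since `if: failure()` only fires once an earlier step has already failed the job, but the message "This check is required to merge PRs into main/master." now relies entirely on the lint step (outside this hunk) returning non-zero, so make sure that step has no `continue-on-error` set.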