Harden reusable workflows and introduce v1 versioning#88
Merged
Restructures the IntegrationTest, IntegrationTestRequest, and FormatCheck reusable workflows to address security risks discussed in https://discourse.julialang.org/t/reviewing-github-actions-workflows-tokens/136400, and introduces a versioning convention so callers can pin to `@v1` instead of `@main`.

IntegrationTest.yml: matrix expansion and aggregation gate move inside the reusable; the input changes from a scalar `pkg` to a JSON-array `pkgs`. A pre-leg step probes URL-based matrix entries anonymously and skips them on fork PRs that lack authentication (closing the pattern where PR-controlled Julia ran with `INTEGRATIONTEST_PAT` in scope under `pull_request_target`). The aggregate `IntegrationTest` check fails on fork-PR matrices that all-skip on private deps, with a `/integrationtest <pkg>` hint.

IntegrationTestRequest.yml: comment-body parsing moves from shell interpolation to an `env:` mapping; on a successful manual `/integrationtest` run, posts a passing `IntegrationTest` check via the GitHub Checks API so the run can clear the gate above.

FormatCheck.yml + new FormatCheckPostback.yml: split into a parse phase (runs on `pull_request:`, no secrets, uploads diff artifact) and a postback phase (runs on `workflow_run:`, in the trusted base context, downloads artifact, posts/updates the format-suggestion comment). Branch protection should require the parse phase's check.

Tests, Documentation, CompatHelper, LiterateCheck, Registrator, FormatPullRequest: `${{ inputs.* }}` interpolations into shell `run:` blocks moved to `env:` mappings, and explicit per-job `permissions:` blocks added. `julia-actions/julia-buildpkg@latest` pinned to `@v1` in IntegrationTest.yml.

New `.scripts/release.sh` tags `vX.Y.Z` (annotated, immutable) and maintains a `vX` mutable major tag, rewriting internal `@main` references in the released commit so the tagged release is fully snapshot-stable.

README: new top-level Versioning section; FormatCheck section rewritten to document the parse + postback split.

Breaking change: the IntegrationTest workflow's input shape changes from `pkg:` (scalar) to `pkgs:` (JSON array). Per-repo callers will need to update to the new form and to `@v1` pinning; that work is staged as a follow-up sweep across the ecosystem repos.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Restructures the `IntegrationTest`, `IntegrationTestRequest`, and `FormatCheck` reusable workflows to reduce GitHub Actions trust-boundary risk, and introduces a versioning convention so callers can pin to `@v1` instead of `@main`.

IntegrationTest

- Input shape changes from `pkg:` (scalar) to `pkgs:` (JSON array).
- URL-based matrix entries are probed with `git ls-remote` before secrets are used. Public URLs and registered package names run normally. Private URL entries are skipped on fork `pull_request` events, where secrets are not in scope.
- The `IntegrationTest` gate inspects those markers and fails when every downstream leg skipped on a fork PR, with a `/integrationtest <url>` instruction.
- The `pull_request_target:` trigger is no longer needed for migrated repositories; callers should use `pull_request:`.

IntegrationTestRequest

- Comment-body parsing moves from shell interpolation to an `env:` mapping.
- Uses the new `pkgs` array input.
- Posts a passing `IntegrationTest` check run for the PR head SHA, allowing a maintainer-triggered private integration test to clear the gate.

FormatCheck

- `FormatCheck.yml` is now the read-only parse phase. It runs on `pull_request`, checks out PR code without secrets, runs the formatter, uploads the diff and PR metadata as an artifact, and reports the branch-protection check.
- `FormatCheckComment.yml` is the trusted comment phase. It runs after the parse workflow via `workflow_run`, downloads the artifact, and posts or updates the format-suggestion comment without checking out PR code.
- Branch protection should require the parse phase's check (`Format Check / Check Formatting`); the comment workflow exists only to update the PR comment.

Hygiene Across The Rest Of The Reusables

- `${{ inputs.* }}` shell interpolations were moved to `env:` mappings in the reusable workflows.
- `permissions:` blocks were added where they were missing.
- `@latest` action references in this repository were removed.

Versioning

- `vMAJOR.MINOR.PATCH` release tag plus mutable `vMAJOR` tag convention.
- `.scripts/release.sh` creates release tags locally and rewrites internal `@main` references in the tagged commit to a fixed SHA so tagged releases are snapshot-stable.

Breaking Change

The `IntegrationTest` reusable input changes from `pkg:` to `pkgs:`. Per-repo callers need to update to the new JSON-array form.

Test Plan

- `IntegrationTest` check passes.
- `/integrationtest`.
- Confirm that `FormatCheck` runs from `pull_request` without secrets and that `FormatCheckComment` posts or updates the formatting comment once the comment workflow exists on the target repository's default branch.
- Run `.scripts/release.sh v1.0.0` locally after merge and confirm it creates the expected `v1.0.0` and `v1` tags without pushing.
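The parse + postback split described above, written out as an added illustration; this is not the repository's own FormatCheck.yml or FormatCheckComment.yml, and the job names, artifact name, file names and formatter invocation are assumptions. The untrusted phase holds only `contents: read`, the trusted phase never checks out PR code and validates what it reads from the artifact, and both phases pass dynamic values through `env:` rather than interpolating `${{ }}` into the script text, the same pattern the PR applies to the other reusables.

```yaml
# Parse phase: .github/workflows/FormatCheck.yml (runs PR code, so no write scopes, no secrets)
name: Format Check
on:
  pull_request:
permissions:
  contents: read
jobs:
  check-formatting:   # branch protection requires "Format Check / check-formatting"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run formatter, capture diff and PR metadata
        run: |
          julia -e 'using JuliaFormatter; format(".")'   # formatter call is illustrative
          mkdir -p out && git diff > out/format.diff
          echo "$PR_NUMBER" > out/pr_number
          test ! -s out/format.diff   # a non-empty diff fails the required check
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}   # env mapping, not ${{ }} inside the script
      - if: always()
        uses: actions/upload-artifact@v4
        with: { name: format-result, path: out/ }
---
# Postback phase: .github/workflows/FormatCheckComment.yml (base-branch context, PR code never checked out)
name: Format Check Comment
on:
  workflow_run:
    workflows: ["Format Check"]
    types: [completed]
permissions:
  actions: read          # read the triggering run's artifact
  pull-requests: write   # the only job allowed to write to the PR
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: format-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - name: Post or update the format-suggestion comment
        run: |
          pr=$(tr -dc '0-9' < pr_number 2>/dev/null || true)   # artifact was produced by untrusted code: validate it
          [ -n "$pr" ] && [ -s format.diff ] || exit 0
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --edit-last --body-file format.diff \
            || gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body-file format.diff
        env:
          GH_TOKEN: ${{ github.token }}
```

The `--edit-last` call updates the bot's previous comment and falls back to creating one on the first run; the postback job only reacts to runs triggered by `pull_request`, so pushes to the base branch do not produce comments.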