Rewrite qhelp-pr-preview.yml #6995
Merged
This reverts commit b128c7c.
aibaars commented Nov 2, 2021
esbena reviewed Nov 3, 2021
adityasharad reviewed Nov 3, 2021
Generally looks good! A bunch of relatively minor suggestions, and one idea for getting the PR number without going through the artifact.
adityasharad previously approved these changes Nov 3, 2021
esbena reviewed Nov 3, 2021
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
adityasharad approved these changes Nov 3, 2021
This pull request makes the `qhelp-pr-preview` workflow suitable to be run on pull requests from forks. Actions jobs on pull requests from forks are run with limited privileges and as a result the workflow was not allowed to post a comment containing the QHelp previews. To make this work I split the workflow in two, the first generates the query help in markdown format and uploads the result as an artefact. The second workflow uses a `workflow_run` trigger and takes care of downloading the generated markdown and posting it to the pull request. The first workflow is completely user controlled and runs with read-only permissions. The second workflow has elevated permissions `pull-request: write` to post the comment. However, this workflow is not user controlled and its inputs (a pull-request number and contents of the comment to be posted) are not used in dangerous ways. In addition the workflow double checks that the commit SHA of the head of the pull request and the one from the triggering workflow run match. This prevents a malicious user from writing spam comments on arbitrary pull requests.

An example run can be found at aibaars#5 (comment)
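The input checks this description attributes to the privileged `workflow_run` job, as an added example that is not the workflow from this pull request. The function names and the artifact layout (`pr_number.txt`, `comment.md`) are assumptions, and it expects the `gh` CLI with `GITHUB_REPOSITORY` and `GH_TOKEN` set.

```bash
#!/usr/bin/env bash
# Added example, not the workflow from this pull request.
# Hypothetical names: pr_head_sha, validate_preview, post_preview, and the
# artifact layout (pr_number.txt, comment.md).

# Current head SHA of a pull request, read from the GitHub API.
# Assumes the gh CLI plus GITHUB_REPOSITORY and GH_TOKEN in the environment.
pr_head_sha() {
  gh api "repos/${GITHUB_REPOSITORY}/pulls/$1" --jq '.head.sha'
}

# validate_preview ARTIFACT_DIR RUN_HEAD_SHA
# ARTIFACT_DIR holds files written by the unprivileged, fork-controlled run.
# RUN_HEAD_SHA comes from the workflow_run event, not from the artifact.
# Prints the PR number when every check passes; otherwise returns non-zero.
validate_preview() {
  vp_dir=$1 vp_run_sha=$2 vp_pr=
  [ -f "$vp_dir/pr_number.txt" ] && [ -f "$vp_dir/comment.md" ] || return 2
  # First line only; read fails on a missing final newline but still assigns.
  IFS= read -r vp_pr < "$vp_dir/pr_number.txt" || [ -n "$vp_pr" ] || return 3
  # Digits only and short, so the value cannot reshape the API path.
  case $vp_pr in
    ''|*[!0-9]*) return 3 ;;
  esac
  [ "${#vp_pr}" -le 9 ] || return 3
  # The event-supplied SHA must be a full 40-character hex commit id.
  case $vp_run_sha in
    *[!0-9a-f]*) return 4 ;;
  esac
  [ "${#vp_run_sha}" -eq 40 ] || return 4
  # The claimed PR must currently point at the commit that produced the
  # artifact; otherwise the number could name someone else's pull request.
  vp_actual=$(pr_head_sha "$vp_pr") || return 5
  [ "$vp_actual" = "$vp_run_sha" ] || return 6
  printf '%s\n' "$vp_pr"
}

# Post the preview. The body is passed as a file, never expanded by the shell.
post_preview() {
  pp_pr=$(validate_preview "$1" "$2") || return $?
  gh pr comment "$pp_pr" --repo "$GITHUB_REPOSITORY" --body-file "$1/comment.md"
}
```

Return codes 3 and 6 are the ones that matter for the spam scenario: a malformed PR number, or a well-formed number whose head commit is not the one the triggering run built.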