author: Sebastiaan Zeeff <[email protected]> 2020-11-16 15:33:49 +0100
committer: Sebastiaan Zeeff <[email protected]> 2020-11-16 15:47:18 +0100
commit: 012cfa8f5bcc7a2830a8292989ec33f6e9677410 (patch)
tree: a0f85f0809e87a95ec9ae085983909bfd986a661
parent: Merge pull request #517 from python-discord/sebastiaan/backend/remove-dockerh... (diff)

Ensure flake8 runs correctly in Pull Request check

Unfortunately, the flake8 action we were using from the marketplace required us to use the `pull_request_target` event, which runs in the context of the target repository to protect secrets.

However, this also meant that flake8 would run on files already merged into our master branch, not the actual changes made in the PR! That's obviously pretty useless as a guard against merging linting errors into our repository.

This change sidesteps the issue by removing the marketplace action and replacing it by a direct `flake8` run command. To make sure error output ends up as a GitHub Actions Annotation, we ask `flake8` to format its error messages using the correct GitHub Workflow Command format:

    ::error file={filename},line={line},col={col}::{message}

Whenever something is printed to stdout/stderr in that format, GitHub Actions will automatically interpret it as the "register error message" workflow command.

Since this doesn't require a GitHub Token with "write" permissions, we can now switch back to the safer `pull_request` event that gets a read-only GitHub Token.

-rw-r--r-- .github/workflows/lint-build-deploy.yaml 24
1 files changed, 11 insertions, 13 deletions
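
The annotation format described in the commit message, as an added example that is not part of this commit or of the project's code: a Python filter that converts flake8's default `path:row:col: code text` lines into `::error` workflow commands and percent-escapes the values, following the escaping rules of GitHub's actions/toolkit. The function names and the sample lines are constructed for illustration.

```python
import re

# flake8's default output line: path:row:col: CODE text
_DEFAULT_LINE = re.compile(
    r"^(?P<path>.+?):(?P<row>\d+):(?P<col>\d+): (?P<code>[A-Z]+\d+) (?P<text>.*)$"
)


def escape_data(value: str) -> str:
    """Escape the message part of a workflow command ('%' first, then CR/LF)."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def escape_property(value: str) -> str:
    """Escape a property value; ':' and ',' are delimiters inside the property list."""
    return escape_data(value).replace(":", "%3A").replace(",", "%2C")


def to_annotation(line: str):
    """Convert one flake8 default-format line to an ::error command, or None."""
    match = _DEFAULT_LINE.match(line.rstrip("\n"))
    if match is None:
        return None  # not a flake8 finding; never echo it as a command
    message = f"[flake8] {match['code']}: {match['text']}"
    return (
        f"::error file={escape_property(match['path'])},"
        f"line={match['row']},col={match['col']}::{escape_data(message)}"
    )


def annotate(lines):
    """Return the ::error commands for every flake8 finding in `lines`."""
    return [cmd for cmd in map(to_annotation, lines) if cmd is not None]


# Constructed sample flake8 output (hypothetical paths, not from the repository).
SAMPLE = [
    "app/views.py:12:1: F401 'os' imported but unused",
    "tests/data,v2/util.py:3:80: E501 line too long (101 > 79 characters)",
    "docs/100%.py:1:1: W291 trailing whitespace",
    "this line is not flake8 output",
]

if __name__ == "__main__":
    for command in annotate(SAMPLE):
        print(command)
```
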
diff --git a/.github/workflows/lint-build-deploy.yaml b/.github/workflows/lint-build-deploy.yaml
index c70e49b7..7cfd532c 100644
--- a/.github/workflows/lint-build-deploy.yaml
+++ b/.github/workflows/lint-build-deploy.yaml
@@ -4,7 +4,7 @@ on:
push:
branches:
- master
- pull_request_target:
+ pull_request:
jobs:
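Review bot: The `pull_request:` trigger under `on:` carries no comment, and the reason for choosing it over `pull_request_target` (the PR's own files get linted, and the token is read-only) now lives only in the commit message. The old explanatory comment near the flake8 step is removed further down, so a short comment above this trigger would stop a later change from switching back to `pull_request_target` to get annotation permissions.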
@@ -32,12 +32,8 @@ jobs:
- name: Add custom PYTHONUSERBASE to PATH
run: echo '${{ env.PYTHONUSERBASE }}/bin/' >> $GITHUB_PATH
- # We don't want to persist credentials, as our GitHub Action
- # may be run when a PR is made from a fork.
- name: Checkout repository
uses: actions/checkout@v2
- with:
- persist-credentials: false
- name: Setup python
id: python
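Review bot: Dropping `persist-credentials: false` from the `Checkout repository` step leaves the job token in the checked-out repository's git configuration for every later step. The workflow still triggers on `push` to `master`, where the read-only guarantee of the `pull_request` event does not apply, and the later steps run third-party tooling (pre-commit hooks, flake8). Nothing visible in this job needs to push, so I would keep the two `with:` lines and only update the comment above them.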
@@ -84,15 +80,17 @@ jobs:
- name: Run pre-commit hooks
run: export PIP_USER=0; SKIP=flake8 pre-commit run --all-files
- # This step requires `pull_request_target` as we need "write" permissions
- # to add annotations to the Actions results. A normal `pull_request` trigger
- # does not get those permissions for security reasons.
+ # Run flake8 and have it format the linting errors in the format of
+ # the GitHub Workflow command to register error annotations. This
+ # means that our flake8 output is automatically added as an error
+ # annotation to both the run result and in the "Files" tab of a
+ # pull request.
+ #
+ # Format used:
+ # ::error file={filename},line={line},col={col}::{message}
- name: Run flake8
- uses: julianwachholz/flake8-action@v1
- with:
- checkName: lint
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: "flake8 \
+ --format='::error file=%(path)s,line=%(row)d,col=%(col)d::[flake8] %(code)s: %(text)s'"
build-and-deploy:
name: Build and Deploy to Kubernetes
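Review bot: In the `--format` string of the `Run flake8` step, `%(path)s` and `%(text)s` are written unescaped into a workflow command, and both values come from the files of the pull request being linted. A path containing `,` or `::` will at minimum yield a malformed annotation, since those characters delimit the command's fields. Please note that limitation in the comment block above the step, or pass the output through a small filter that percent-escapes the values. Separately, the double-quoted `run:` value with a backslash continuation and nested single quotes is easy to break when edited; a folded block scalar (`run: >`) would read more clearly.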