From 012cfa8f5bcc7a2830a8292989ec33f6e9677410 Mon Sep 17 00:00:00 2001
From: Sebastiaan Zeeff <sebastiaan.zeeff@gmail.com>
Date: Mon, 16 Nov 2020 15:33:49 +0100
Subject: Ensure flake8 runs correctly in Pull Request check

Unfortunately, the flake8 action we were using from the marketplace
required us to use the `pull_request_target` event, which runs in the
context of the target repository to protect secrets.

However, this also meant that flake8 would run on files already merged
into our master branch, not the actual changes made in teh PR! That's
obviously pretty useless as a guard against merging linting errors into
our repository.

This change sidesteps the issue by removing the marketplace action and
replacing it by a direct `flake8` run command. To make sure error output
ends up as a GitHub Actions Annotation, we ask `flake8` to format its
error messages using the correct GitHub Workflow Command format:

::error file={filename},line={line},col={col}::{message}

Whenever something is printed to stdout/stderr in that format, GitHub
Actions will automatically interpret it as the "register error message"
workflow command.

Since this doesn't require a GitHub Token with "write" permissions, we
can now switch back to the safer `pull_request` event that gets a
read-only GitHub Token.
---
 .github/workflows/lint-build-deploy.yaml | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/lint-build-deploy.yaml b/.github/workflows/lint-build-deploy.yaml
index c70e49b7..7cfd532c 100644
--- a/.github/workflows/lint-build-deploy.yaml
+++ b/.github/workflows/lint-build-deploy.yaml
@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - master
-  pull_request_target:
+  pull_request:
 
 
 jobs:
@@ -32,12 +32,8 @@ jobs:
       - name: Add custom PYTHONUSERBASE to PATH
         run: echo '${{ env.PYTHONUSERBASE }}/bin/' >> $GITHUB_PATH
 
-      # We don't want to persist credentials, as our GitHub Action
-      # may be run when a PR is made from a fork.
       - name: Checkout repository
         uses: actions/checkout@v2
-        with:
-          persist-credentials: false
 
       - name: Setup python
         id: python
@@ -84,15 +80,17 @@ jobs:
       - name: Run pre-commit hooks
         run: export PIP_USER=0; SKIP=flake8 pre-commit run --all-files
 
-      # This step requires `pull_request_target` as we need "write" permissions
-      # to add annotations to the Actions results. A normal `pull_request` trigger
-      # does not get those permissions for security reasons.
+      # Run flake8 and have it format the linting errors in the format of
+      # the GitHub Workflow command to register error annotations. This
+      # means that our flake8 output is automatically added as an error
+      # annotation to both the run result and in the "Files" tab of a
+      # pull request.
+      #
+      # Format used:
+      # ::error file={filename},line={line},col={col}::{message}
       - name: Run flake8
-        uses: julianwachholz/flake8-action@v1
-        with:
-          checkName: lint
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: "flake8 \
+        --format='::error file=%(path)s,line=%(row)d,col=%(col)d::[flake8] %(code)s: %(text)s'"
 
   build-and-deploy:
     name: Build and Deploy to Kubernetes
-- 
cgit v1.2.3