github: move linter to pull_request_target trigger

GITHUB_TOKEN only has read access when triggered from a fork on the pull_request trigger. Signed-off-by: Gerwin Klein <[email protected]>
seL4 · Jul 9, 2024 · 0466872 · 0466872
1 parent 1576f11
commit 0466872
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 18 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,32 @@
+# Copyright 2024, Proofcraft Pty Ltd
+#
+# SPDX-License-Identifier: BSD-2-Clause
+
+# Theory Linter action
+
+name: Lint
+
+# needs pull_request_target trigger for more authority on GITHUB_TOKEN when PR
+# originates on a fork
+on:
+  pull_request_target:
+  push:
+    branches:
+      - 'annotations*'
+
+jobs:
+  thylint:
+    name: 'Theory Linter'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: seL4/ci-actions/thylint@master
+      with:
+        token: ${{ secrets.READ_TOKEN }}
+        pr_num: ${{ github.event.pull_request.number }}
+    - uses: yuzutech/[email protected]
+      with:
+        repo-token: "${{ secrets.GITHUB_TOKEN }}"
+        title: 'File annotations for theory linter'
+        input: './annotations.json'
+      continue-on-error: true
+      if: always()
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -40,21 +40,3 @@ jobs:
     - uses: seL4/ci-actions/style@master
       with:
         token: ${{ secrets.READ_TOKEN }}
-
-  thylint:
-    name: 'Theory Linter'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      checks: write
-    steps:
-    - uses: seL4/ci-actions/thylint@master
-      with:
-        token: ${{ secrets.READ_TOKEN }}
-    - uses: yuzutech/[email protected]
-      with:
-        repo-token: "${{ secrets.GITHUB_TOKEN }}"
-        title: 'File annotations for theory linter'
-        input: './annotations.json'
-      continue-on-error: true
-      if: always()