From 04668720333b2091526b26c65174e4786281f59e Mon Sep 17 00:00:00 2001 From: Gerwin Klein Date: Tue, 9 Jul 2024 11:29:05 +1000 Subject: [PATCH] github: move linter to pull_request_target trigger GITHUB_TOKEN only has read access when triggered from a fork on the pull_request trigger. Signed-off-by: Gerwin Klein --- .github/workflows/lint.yml | 32 ++++++++++++++++++++++++++++++++ .github/workflows/pr.yml | 18 ------------------ 2 files changed, 32 insertions(+), 18 deletions(-) create mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000000..69069b636b --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,32 @@ +# Copyright 2024, Proofcraft Pty Ltd +# +# SPDX-License-Identifier: BSD-2-Clause + +# Theory Linter action + +name: Lint + +# needs pull_request_target trigger for more authority on GITHUB_TOKEN when PR +# originates on a fork +on: + pull_request_target: + push: + branches: + - 'annotations*' + +jobs: + thylint: + name: 'Theory Linter' + runs-on: ubuntu-latest + steps: + - uses: seL4/ci-actions/thylint@master + with: + token: ${{ secrets.READ_TOKEN }} + pr_num: ${{ github.event.pull_request.number }} + - uses: yuzutech/annotations-action@v0.5.0 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" + title: 'File annotations for theory linter' + input: './annotations.json' + continue-on-error: true + if: always() diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 3744b9ad5f..79ac547680 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -40,21 +40,3 @@ jobs: - uses: seL4/ci-actions/style@master with: token: ${{ secrets.READ_TOKEN }} - - thylint: - name: 'Theory Linter' - runs-on: ubuntu-latest - permissions: - contents: read - checks: write - steps: - - uses: seL4/ci-actions/thylint@master - with: - token: ${{ secrets.READ_TOKEN }} - - uses: yuzutech/annotations-action@v0.5.0 - with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" - title: 'File annotations for theory linter' - input: './annotations.json' - continue-on-error: true - if: always()