| 1 | +# Stub workflow — A copy of this workflow must live on the default branch (3.0) so that the pull_request_target |
| 2 | +# event can trigger it with access to secrets. It then delegates all real work to the reusable template on |
| 3 | +# tomls/base/main, which has the scripts, prompts, and agent definitions. |
| 4 | +# |
| 5 | +# This two-stage design lets fork PRs trigger the review safely: the stub runs in the |
| 6 | +# context of the default branch (with secret access), but the template checks out only |
| 7 | +# .spec files (data) from the PR head — never executable code. |
| 8 | +# |
| 9 | +# A stub is needed because pull_request_target workflows always run in the context of the default branch, so they can't |
| 10 | +# directly use a reusable workflow from the PR head (which would be a security risk since untrusted code could leak |
| 11 | +# the secrets). By having the stub on the default branch, we can safely ensure only the trusted reusable workflow from |
| 12 | +# the base is used, while still allowing the PR head to provide the .spec files as data input. |
| 13 | +name: Spec Review |
| 14 | + |
| 15 | +# pull_request_target is required here: we need secret access (COPILOT_TOKEN) to run the |
| 16 | +# spec review agent on fork PRs. The stub itself runs NO code from the PR — it only |
| 17 | +# delegates to a trusted reusable workflow pinned to tomls/base/main, which sparse-checks |
| 18 | +# out only .spec data files (never executable code) from the PR head. |
| 19 | +on: # zizmor: ignore[dangerous-triggers] |
| 20 | + pull_request_target: |
| 21 | + # Only trigger on PRs targeting the toml base branch which modify .spec files. We do |
| 22 | + # not want to affect PRs targeting other branches. |
| 23 | + |
| 24 | + branches: |
| 25 | + - tomls/base/main |
| 26 | + paths: |
| 27 | + - '**/*.spec' |
| 28 | + |
| 29 | +permissions: {} |
| 30 | + |
| 31 | +concurrency: |
| 32 | + group: spec-review-${{ github.event.pull_request.number }} |
| 33 | + cancel-in-progress: true |
| 34 | + |
| 35 | +jobs: |
| 36 | + review: |
| 37 | + # Prevent forks from running a stale/vulnerable copy of this stub with Actions enabled |
| 38 | + if: github.repository == 'microsoft/azurelinux' |
| 39 | + # Intentionally branch-pinned to our own repo so the |
| 40 | + # reusable workflow picks up prompt/script/agent updates automatically. |
| 41 | + uses: microsoft/azurelinux/.github/workflows/spec-review.yml@tomls/base/main # zizmor: ignore[unpinned-uses] |
| 42 | + permissions: |
| 43 | + contents: read |
| 44 | + pull-requests: write # Post review comments and inline annotations on PRs |
| 45 | + with: |
| 46 | + pr-head-sha: ${{ github.event.pull_request.head.sha }} |
| 47 | + pr-head-repo: ${{ github.event.pull_request.head.repo.full_name }} |
| 48 | + pr-number: ${{ github.event.pull_request.number }} |
| 49 | + repo: ${{ github.repository }} |
| 50 | + scripts-ref: tomls/base/main |
| 51 | + secrets: |
| 52 | + COPILOT_TOKEN: ${{ secrets.COPILOT_TOKEN }} |
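Review bot: The header comments (lines 7 and 18) describe the PR-head `.spec` files as "data" that is "never executable code", but RPM spec files carry shell in their `%prep`, `%build`, `%install` and `%post` scriptlets and in macro expansions, so that claim only holds as long as the reusable workflow reads them as text and never passes them to `rpmbuild`, `rpmspec` or any macro evaluator; suggest stating that invariant explicitly in the comment, since the reusable template is where the boundary is actually enforced and this stub cannot check it. Related: with `uses: ...@tomls/base/main` (line 41) and `COPILOT_TOKEN` forwarded (line 52), the trust boundary is exactly "anyone who can push to `tomls/base/main`", which the `if: github.repository == 'microsoft/azurelinux'` guard on line 38 does not narrow; that is consistent with the stated design, but the inputs on lines 46 to 48 are the only untrusted values crossing into the trusted workflow, so the template should validate `pr-head-sha` as a 40-hex SHA and `pr-head-repo` as `owner/name` before interpolating them anywhere. Minor style point: lines 1 to 12 and 15 to 18 explain the same two-stage rationale twice, and lines 1 to 12 run well past the width of the rest of the file; consolidating into one block would make the security argument easier to audit.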