diff --git a/.github/workflows/pr-format-workflow.yml b/.github/workflows/pr-format-workflow.yml
new file mode 100644
index 00000000000..174e06bdc81
--- /dev/null
+++ b/.github/workflows/pr-format-workflow.yml
@@ -0,0 +1,55 @@
+# Description: This workflow applies the formatter against the opened pull request and upload the patch.
+# Since this pull request receives untrusted code, we should **NOT** have any secrets in the environment.
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+---
+name: pr-format-workflow
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+ branches:
+ - main
+
+concurrency:
+ group: '${{ github.workflow }} @ ${{ github.ref }}'
+ cancel-in-progress: true
+
+jobs:
+ upload-patch:
+ runs-on: ubuntu-latest
+ if: ${{ github.repository == 'spring-projects/spring-security' }}
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{github.event.pull_request.head.ref}}
+ repository: ${{github.event.pull_request.head.repo.full_name}}
+ - name: Set up gradle
+ uses: spring-io/spring-gradle-build-action@v2
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ # Capture the PR number
+ # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
+ - name: Create pr_number.txt
+ run: echo "${{ github.event.number }}" > pr_number.txt
+ - uses: actions/upload-artifact@v4
+ with:
+ name: pr_number
+ path: pr_number.txt
+ - name: Remove pr_number.txt
+ run: rm -f pr_number.txt
+
+ # Format code
+ - name: Format with Gradle
+ run: ./gradlew format
+
+ # Capture the diff
+ - name: Create patch
+ run: |
+ git diff | tee git-diff.patch
+ - uses: actions/upload-artifact@v4
+ with:
+ name: patch
+ path: git-diff.patch
diff --git a/.github/workflows/pr-suggestions-workflow.yml b/.github/workflows/pr-suggestions-workflow.yml
new file mode 100644
index 00000000000..9fb7be84397
--- /dev/null
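Review bot: The workflow declares no `permissions:` block, so the GITHUB_TOKEN it receives falls back to the repository default, which can be read-write for pull requests opened from branches of the same repository, even though the header comment says this run executes untrusted code and must hold no privileges. Adding `permissions: contents: read` at the top level, before `concurrency:`, makes the least-privilege intent enforced rather than dependent on repository settings; the checkout and artifact-upload steps shown here appear to need nothing more. Minor style point: the two `${{github.event.pull_request...}}` expressions in the checkout step omit the inner spaces used by every other expression in the file.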
+++ b/.github/workflows/pr-suggestions-workflow.yml
@@ -0,0 +1,59 @@
+# Description: This workflow is triggered when the `pr-format-workflow` completes to post suggestions on the PR.
+# Since this pull request has write permissions on the target repo, we should **NOT** execute any untrusted code.
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+---
+name: pr-suggestions-workflow
+
+on:
+ workflow_run:
+ workflows: ["pr-format-workflow"]
+ types:
+ - completed
+
+jobs:
+ post-suggestions:
+ # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ pull-requests: write
+ env:
+ # https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token
+ ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{github.event.workflow_run.head_branch}}
+ repository: ${{github.event.workflow_run.head_repository.full_name}}
+
+ # Download the patch
+ - uses: actions/download-artifact@v4
+ with:
+ name: patch
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
+ - name: Apply patch
+ run: |
+ git apply git-diff.patch --allow-empty
+ rm git-diff.patch
+
+ # Download the PR number
+ - uses: actions/download-artifact@v4
+ with:
+ name: pr_number
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
+ - name: Read pr_number.txt
+ run: |
+ PR_NUMBER=$(cat pr_number.txt)
+ echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+ rm pr_number.txt
+
+ # Post suggestions as a comment on the PR
+ - uses: googleapis/code-suggester@v4
+ with:
+ command: review
+ pull_number: ${{ env.PR_NUMBER }}
+ git_dir: '.'
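Review bot: In the `Read pr_number.txt` step the value of `PR_NUMBER` is appended to `$GITHUB_ENV` without any validation, yet it comes from an artifact produced by the run that also executes the pull request's own Gradle build; even though the first workflow writes the file before the format step, this privileged job should treat the artifact as input to check, not as trusted data, since a multi-line value in the env file would define further variables. Guard it before exporting: `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || exit 1` followed by `echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"`; cross-checking it against `github.event.workflow_run.pull_requests` would be a further option if that field is populated for these runs. Separately, the checkout step pins `head_branch`, which may have moved on the fork since the formatter ran, so the patch can be applied to a different commit than it was generated from; `ref: ${{ github.event.workflow_run.head_sha }}` ties the two runs to the same commit. The job-level `ACCESS_TOKEN` env and its comment do not say which step consumes it; presumably `code-suggester`, and the comment would be clearer if it said so.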