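name: Bumpy check
# Posts/updates the release-plan comment on every PR (including forks).
#
# Uses `pull_request_target` so the comment can be posted on fork PRs (a plain
# `pull_request` gives forks a read-only token, so `pull-requests: write` would
# be ineffective). Because that runs with the base repo's elevated token, the PR
# code is treated as untrusted DATA only:
#   - the base branch is checked out at the root (trusted bunfig.toml / lockfile
#     + the base package.json we read the pinned bumpy version from);
#   - the PR head is checked out into ./pr, isolated and never executed;
#   - bumpy is run from the root (so the PR's bunfig.toml/.npmrc can't redirect
#     package resolution) and only reads the PR files via `--cwd ./pr`.
# ⚠️ DO NOT bun install / npm install / run any script from ./pr ⚠️
#
# Review notes for maintainers of this file:
#   - the third-party actions below are referenced by mutable tag; since this
#     workflow holds a write-scoped token, pinning each `uses:` to a full commit
#     SHA removes that trust dependency (look the SHA up when pinning — none is
#     recorded here);
#   - `timeout-minutes` bounds the job so a PR whose files make bumpy hang or
#     loop cannot hold the runner (and the elevated token) indefinitely;
#   - the run step fails closed if the base package.json does not declare a
#     bumpy version, instead of handing `bunx` an empty/"null" version spec.

# Generic YAML 1.1 parsers read the `on` key as boolean `true`; GitHub's loader
# handles it, so leave it unquoted.
on: pull_request_target
permissions:
  pull-requests: write  # only what the release-plan comment needs
  contents: read
concurrency:
  group: bumpy-check-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  check:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # Trusted base checkout at the root: provides the bunfig.toml / lockfile
      # that govern how `bunx` below resolves and runs bumpy, plus the base
      # package.json we read the pinned bumpy version from. `ref: main` is fixed
      # rather than taken from the PR's base ref, so the PR cannot choose which
      # branch's config governs this run. `persist-credentials: false` keeps the
      # token out of the checkout's .git/config, where a later step could read it.
      - uses: actions/checkout@v7
        with:
          ref: main
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
      # Untrusted PR head, isolated in ./pr — read as data, never executed.
      # The immutable head SHA (not a branch name) is checked out, so what is
      # analysed is exactly the reviewed commit.
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          persist-credentials: false
      # Resolve bumpy from the base package.json (trusted) and run it from the
      # root against the PR files. The version is read straight into the bunx
      # invocation (never written to $GITHUB_ENV) so there is no env-injection
      # sink even though this is a pull_request_target workflow. No `${{ }}`
      # expression is interpolated into this script: every input bumpy sees
      # arrives as a file under ./pr or via the GH_TOKEN environment variable.
      - name: Bumpy release-plan check
        run: |
          # `// empty` makes jq print nothing (rather than "null") when neither
          # dependency map declares bumpy; `tr -d` strips range sigils (^ ~).
          VERSION=$(jq -r '.devDependencies["@varlock/bumpy"] // .dependencies["@varlock/bumpy"] // empty' package.json | tr -d '^~')
          if [ -z "$VERSION" ]; then
            echo "::error::@varlock/bumpy is not declared in the base package.json; refusing to run an unpinned version"
            exit 1
          fi
          bunx "@varlock/bumpy@$VERSION" ci check --cwd ./pr
        env:
          # Scoped by the `permissions` block above (pull-requests: write,
          # contents: read); used by bumpy to post/update the PR comment.
          GH_TOKEN: ${{ github.token }}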