ED/EDMarketConnector
1
0
Fork 0
mirror of https://github.com/EDCD/EDMarketConnector.git synced 2025-04-12 23:37:14 +03:00
Code Issues Projects Releases Wiki Activity
EDMarketConnector/.github/workflows/pr-checks.yml
Athanasius 214bed27ee .github: workflows: Guard any shell $VAR with "..." 
This is with regards to what happened to another project, ref:

<https://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining>

Basically, do NOT trust that things like branch names don't contain any
attempt at executing shell code if referenced in a workflow segment that
runs a shell command.
2024-12-09 21:43:47 +00:00

107 lines
4.0 KiB
YAML
Raw Blame History

# This workflow will:
#
# * install Python dependencies
# * lint with a single version of Python
#
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
name: PR-Checks
on:
pull_request:
branches: [ develop ]
jobs:
code-checks:
runs-on: ubuntu-latest
steps:
# Debug show the info we have to work with
- name: Show github context
run: cat "$GITHUB_EVENT_PATH"
####################################################################
# Checkout the necessary commits
####################################################################
# We need the repo from the 'head' of the PR, not what it's
# based on.
- name: Checkout head commits
# https://github.com/actions/checkout
uses: actions/checkout@v4
#with:
#ref: ${{github.head.sha}}
#repository: ${{github.event.pull_request.head.repo.full_name}}
#fetch-depth: 0
# But we do need the base references
- name: Fetch base commits
env:
BASE_REPO_URL: ${{github.event.pull_request.base.repo.svn_url}}
BASE_REPO_OWNER: ${{github.event.pull_request.base.repo.owner.login}}
run: |
echo "BASE_REPO_URL: ${BASE_REPO_URL}"
echo "BASE_REPO_OWNER: ${BASE_REPO_OWNER}"
# Add the 'base' repo as a new remote
git remote add "${BASE_REPO_OWNER}" "${BASE_REPO_URL}"
# And then fetch its references
git fetch "${BASE_REPO_OWNER}"
####################################################################
####################################################################
# Get Python set up
####################################################################
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version-file: '.python-version'
cache: 'pip' # caching pip dependencies
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install wheel flake8
if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; elif [ -f requirements.txt ]; then pip install -r requirements.txt ; fi
####################################################################
# Have issues be annotated on run
- name: Setup flake8 annotations
uses: rbialon/flake8-annotations@v1
####################################################################
# Lint with flake8
####################################################################
- name: Lint with flake8
env:
BASE_REPO_URL: ${{github.event.pull_request.base.repo.svn_url}}
BASE_REPO_OWNER: ${{github.event.pull_request.base.repo.owner.login}}
BASE_REF: ${{github.base_ref}}
run: |
echo "BASE_REPO_URL: ${BASE_REPO_URL}"
echo "BASE_REPO_OWNER: ${BASE_REPO_OWNER}"
echo "BASE_REF: ${BASE_REF}"
# Explicitly check for some errors
# E9 - Runtime (syntax and the like)
# F63 - 'tests' checking
# F7 - syntax errors
# F82 - undefined checking
git diff --name-only --diff-filter=d -z "refs/remotes/${BASE_REPO_OWNER}/${BASE_REF}" -- | \
grep -E -z -Z '\.py$' | \
xargs -0 flake8 --count --select=E9,F63,F7,F82 --show-source --statistics
# Can optionally add `--exit-zero` to the flake8 arguments so that
# this doesn't fail the build.
# explicitly ignore docstring errors (start with D)
git diff --name-only --diff-filter=d -z "refs/remotes/${BASE_REPO_OWNER}/${BASE_REF}" -- | \
grep -E -z -Z '\.py$' | \
xargs -0 flake8 --count --statistics --extend-ignore D
####################################################################
####################################################################
# Ensure all tests pass
####################################################################
- name: PyTest tests
run: |
pytest
####################################################################
Reference in New Issue View Git Blame Copy Permalink