From 2806511b14510c34b5efb831a521d6868a150279 Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 14:19:47 +0200 Subject: [PATCH 01/10] ci: remove insecure pull_request_target verify workflow --- .github/workflows/verify.yml | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 .github/workflows/verify.yml diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml deleted file mode 100644 index ba3174819..000000000 --- a/.github/workflows/verify.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: verify - -on: - pull_request_target: - types: [ opened, edited, synchronize, reopened, ready_for_review ] - -permissions: - # Permission to post comments on pull requests - pull-requests: write - -jobs: - standards: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - uses: ./.github/actions/setup-go - - name: Comment PR on violated standards - if: always() - uses: ./.github/actions/verify-standards-violation - with: - github_token: ${{ secrets.GITHUB_TOKEN }} From 202d8924fbc97dbbd18365b619ac078105cfdbd0 Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 14:22:11 +0200 Subject: [PATCH 02/10] ci: add untrusted PR code checker workflow --- .github/workflows/verify-pr-code.yml | 88 ++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 .github/workflows/verify-pr-code.yml diff --git a/.github/workflows/verify-pr-code.yml b/.github/workflows/verify-pr-code.yml new file mode 100644 index 000000000..521bbde69 --- /dev/null +++ b/.github/workflows/verify-pr-code.yml 
@@ -0,0 +1,88 @@ +name: verify-pr-code + +on: + pull_request: + types: [ opened, edited, synchronize, reopened, ready_for_review ] + +permissions: + contents: read + +jobs: + standards: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: ./.github/actions/setup-go + + - name: Verify Docs + if: always() + run: | + set -e + echo "Verifying documentation..." + make docs 1>/dev/null + DOCS_CHANGES=$(git status --porcelain) + + if [ -n "$DOCS_CHANGES" ]; then + cat >> "${REASON_FILE}" << EOF + * ❌ Documentation is out of date: + \`\`\`bash + $(echo -e "$DOCS_CHANGES" | sed 's/^/ /') + \`\`\` + Please run \`make docs\` and commit the changes. + EOF + exit 1 + fi + env: + REASON_FILE: ${{ runner.temp }}/failed_reason.txt + shell: bash + + - name: Verify Code Standards + if: always() + run: | + set +e + echo "Verifying code standard output usage..." + CODE_STD_OUT_USAGE=$(grep -r -E 'fmt\.Print|os\.Stdout|os\.Stderr' ./internal | grep --invert-match '^./internal/out') + + if [ -n "$CODE_STD_OUT_USAGE" ]; then + cat >> "${REASON_FILE}" << EOF + * ❌ Found usage of \`os.Stdout\`, \`os.Stderr\` or \`fmt.Print\` in code: + \`\`\`bash + $(echo -e "$CODE_STD_OUT_USAGE" | sed 's/^/ /') + \`\`\` + Please use the \`internal/out\` package for output handling instead. 
+ EOF + exit 1 + fi + env: + REASON_FILE: ${{ runner.temp }}/failed_reason.txt + shell: bash + + - name: Prepare comment artifact + if: always() + run: | + set +e + FAIL_REASON=$(cat "${REASON_FILE}" 2>/dev/null || echo "") + + if [ -n "$FAIL_REASON" ]; then + echo "Standards violation detected" + MSG_TMPL=$(cat .github/actions/verify-standards-violation/violation-message_tmpl.md) + eval "echo -e \"${MSG_TMPL}\"" > "${RUNNER_TEMP}/comment-body.md" + else + echo "No standards violation detected" + cp .github/actions/verify-standards-violation/no-violation-message.md "${RUNNER_TEMP}/comment-body.md" + fi + + echo "${{ github.event.pull_request.number }}" > "${RUNNER_TEMP}/pr_number.txt" + env: + REASON_FILE: ${{ runner.temp }}/failed_reason.txt + shell: bash + + - name: Upload artifact + if: always() + uses: actions/upload-artifact@v4 + with: + name: standards-check-result + path: | + ${{ runner.temp }}/comment-body.md + ${{ runner.temp }}/pr_number.txt From a513e8a78ddadc6ed506408f2d198244699fdd91 Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 14:31:19 +0200 Subject: [PATCH 03/10] ci: fix temp path consistency and grep exclusion robustness --- .github/workflows/verify-pr-code.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/verify-pr-code.yml b/.github/workflows/verify-pr-code.yml index 521bbde69..72a6d4da3 100644 --- a/.github/workflows/verify-pr-code.yml +++ b/.github/workflows/verify-pr-code.yml @@ -42,7 +42,7 @@ jobs: run: | set +e echo "Verifying code standard output usage..." - CODE_STD_OUT_USAGE=$(grep -r -E 'fmt\.Print|os\.Stdout|os\.Stderr' ./internal | grep --invert-match '^./internal/out') + CODE_STD_OUT_USAGE=$(grep -r -E 'fmt\.Print|os\.Stdout|os\.Stderr' --exclude-dir=out ./internal) if [ -n "$CODE_STD_OUT_USAGE" ]; then cat >> "${REASON_FILE}" << EOF 
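Review bot: A failing `make docs` in the Verify Docs step leaves `${REASON_FILE}` untouched, so the Prepare comment artifact step (which runs under `if: always()`) writes the "verification passed" body and the PR receives a green comment while the job itself is red. Record the failure as a reason before exiting, e.g. `make docs 1>/dev/null || { echo "* ❌ \`make docs\` failed, see the verify-pr-code / standards job log." >> "${REASON_FILE}"; exit 1; }`, or give the two verify steps ids and have the prepare step treat any non-`success` outcome as a violation. The Verify Code Standards step has the same gap if `grep` exits non-zero for a reason other than "no matches", since `set +e` hides it and the empty variable reads as "clean". Separately, `echo -e "$DOCS_CHANGES"` interprets backslash sequences in file names that come from the PR checkout; `printf '%s\n' "$DOCS_CHANGES"` reproduces them as-is.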
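Review bot: `--exclude-dir=out` skips every directory named `out` at any depth below `./internal`, whereas the removed `grep --invert-match '^./internal/out'` only dropped the top-level `./internal/out` package, so a nested `internal/<pkg>/out` directory would now escape the check; if only the top-level package is meant to be exempt, keep the path-anchored filter, ideally with a trailing slash so `./internal/output…` is not accidentally excluded: `| grep --invert-match '^./internal/out/'`. The `--exclude-dir` option is GNU grep specific, which is fine on `ubuntu-latest` but worth a comment if this script is ever run elsewhere.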
@@ -67,15 +67,16 @@ jobs: if [ -n "$FAIL_REASON" ]; then echo "Standards violation detected" MSG_TMPL=$(cat .github/actions/verify-standards-violation/violation-message_tmpl.md) - eval "echo -e \"${MSG_TMPL}\"" > "${RUNNER_TEMP}/comment-body.md" + eval "echo -e \"${MSG_TMPL}\"" > "${ARTIFACT_DIR}/comment-body.md" else echo "No standards violation detected" - cp .github/actions/verify-standards-violation/no-violation-message.md "${RUNNER_TEMP}/comment-body.md" + cp .github/actions/verify-standards-violation/no-violation-message.md "${ARTIFACT_DIR}/comment-body.md" fi - echo "${{ github.event.pull_request.number }}" > "${RUNNER_TEMP}/pr_number.txt" + echo "${{ github.event.pull_request.number }}" > "${ARTIFACT_DIR}/pr_number.txt" env: REASON_FILE: ${{ runner.temp }}/failed_reason.txt + ARTIFACT_DIR: ${{ runner.temp }} shell: bash - name: Upload artifact From 849e368db0848ee2fa2b2a420899ac340d271a73 Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 14:35:00 +0200 Subject: [PATCH 04/10] ci: add trusted PR commenter workflow --- .github/workflows/verify-pr-comment.yml | 62 +++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/verify-pr-comment.yml diff --git a/.github/workflows/verify-pr-comment.yml b/.github/workflows/verify-pr-comment.yml new file mode 100644 index 000000000..3e1c5a33b --- /dev/null +++ b/.github/workflows/verify-pr-comment.yml 
@@ -0,0 +1,62 @@ +name: verify-pr-comment + +on: + workflow_run: + workflows: ["verify-pr-code"] + types: [completed] + +permissions: {} + +jobs: + comment: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Download artifact + id: download + uses: actions/download-artifact@v4 + with: + name: standards-check-result + run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true + + - name: Check artifact downloaded + if: steps.download.outcome == 'failure' + run: | + echo "Artifact not found — workflow may have been cancelled. Skipping comment." + exit 0 + shell: bash + + - name: Read PR number + if: steps.download.outcome == 'success' + id: pr + run: | + PR_NUMBER=$(cat pr_number.txt 2>/dev/null | tr -d '[:space:]') + if [ -z "$PR_NUMBER" ]; then + echo "pr_number.txt is empty or missing" + exit 1 + fi + echo "number=${PR_NUMBER}" >> "$GITHUB_OUTPUT" + shell: bash + + - name: Post or edit PR comment + if: steps.download.outcome == 'success' + run: | + set +e + FLAGS="--body-file comment-body.md" + + LAST_COMMENT_ID=$(gh pr view "${{ steps.pr.outputs.number }}" -R kyma-project/cli --json "comments" \ + | jq --raw-output '.comments[] | select(.author.login=="github-actions") | .id' \ + | tail -1) + + if [ -n "$LAST_COMMENT_ID" ]; then + echo "Editing last comment with ID: ${LAST_COMMENT_ID}" + FLAGS="${FLAGS} --edit-last" + fi + + gh pr comment "${{ steps.pr.outputs.number }}" -R kyma-project/cli $FLAGS + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + shell: bash From 12549878844d27f2834e4aba61ad4c95e6d2f7c0 Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 14:39:21 +0200 Subject: [PATCH 05/10] ci: fix jq field name, remove set+e, improve step guards --- .github/workflows/verify-pr-comment.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
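Review bot: `${{ steps.pr.outputs.number }}` is spliced into the `run:` script of the Post or edit PR comment step, and its value comes from `pr_number.txt` in an artifact produced by the untrusted `pull_request` run, where the PR's own code executes (`make docs`), so an attacker-controlled artifact can inject shell into a job that holds `pull-requests: write`; `tr -d '[:space:]'` does not constrain the value at all. The Read PR number step should reject anything that is not a plain integer, and the posting step should take the number from `env:` (`PR_NUMBER: ${{ steps.pr.outputs.number }}`) and use `"$PR_NUMBER"` instead of the inline expression. Even a well-formed integer can name a different PR, so compare that PR's head with `${{ github.event.workflow_run.head_sha }}` before commenting; a mismatch also catches a stale result from a superseded push, which you may prefer to skip rather than fail. `comment-body.md` has the same untrusted origin and is posted verbatim under the bot identity, which is acceptable for markdown but deserves a comment in the workflow so nobody later adds a step that interprets it.

```yaml
      - name: Read PR number
        if: steps.download.outcome == 'success'
        id: pr
        run: |
          # The artifact was built by the untrusted pull_request run; treat its contents as input.
          PR_NUMBER=$(tr -d '[:space:]' < pr_number.txt)
          if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
            echo "pr_number.txt does not contain a PR number"
            exit 1
          fi
          HEAD_SHA=$(gh pr view "$PR_NUMBER" -R kyma-project/cli --json headRefOid --jq .headRefOid)
          if [ "$HEAD_SHA" != "$RUN_HEAD_SHA" ]; then
            echo "PR #${PR_NUMBER} head ${HEAD_SHA} does not match the triggering run (${RUN_HEAD_SHA})"
            exit 1
          fi
          echo "number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        shell: bash
      # … unchanged: Post or edit PR comment step, reading PR_NUMBER from env instead of the inline expression …
```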
diff --git a/.github/workflows/verify-pr-comment.yml b/.github/workflows/verify-pr-comment.yml index 3e1c5a33b..d47d44e2f 100644 --- a/.github/workflows/verify-pr-comment.yml +++ b/.github/workflows/verify-pr-comment.yml @@ -26,7 +26,6 @@ jobs: if: steps.download.outcome == 'failure' run: | echo "Artifact not found — workflow may have been cancelled. Skipping comment." - exit 0 shell: bash - name: Read PR number @@ -42,13 +41,12 @@ jobs: shell: bash - name: Post or edit PR comment - if: steps.download.outcome == 'success' + if: steps.download.outcome == 'success' && steps.pr.outcome == 'success' run: | - set +e FLAGS="--body-file comment-body.md" LAST_COMMENT_ID=$(gh pr view "${{ steps.pr.outputs.number }}" -R kyma-project/cli --json "comments" \ - | jq --raw-output '.comments[] | select(.author.login=="github-actions") | .id' \ + | jq --raw-output '.comments[] | select(.author.login=="github-actions") | .databaseId' \ | tail -1) if [ -n "$LAST_COMMENT_ID" ]; then From 851401e00f5609d51d9cff9069dd4d51e887bf6b Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 14:42:50 +0200 Subject: [PATCH 06/10] ci: remove Comment step and github_token input from standards action --- .../verify-standards-violation/action.yaml | 53 +++---------------- 1 file changed, 6 insertions(+), 47 deletions(-) diff --git a/.github/actions/verify-standards-violation/action.yaml b/.github/actions/verify-standards-violation/action.yaml index 56f048698..2ca15b495 100644 --- a/.github/actions/verify-standards-violation/action.yaml +++ b/.github/actions/verify-standards-violation/action.yaml @@ -1,10 +1,5 @@ name: 'Standards Violation Info' -description: 'Action for verifying and adding comment to current PR about violated standards' - -inputs: - github_token: - description: 'GitHub token' - required: true +description: 'Action for verifying PR code against repository standards' runs: using: 'composite' 
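Review bot: The added `&& steps.pr.outcome == 'success'` guard on the Post or edit PR comment step is redundant: an `if:` that uses no status-check function has `success()` applied implicitly, so the step is already skipped whenever Read PR number fails. If the intent is to document the dependency, `if: steps.download.outcome == 'success'` plus a comment such as `# runs only after the artifact and PR number were read successfully` says the same thing without a second condition to keep in sync. Dropping `set +e` is the right call given the implicit `bash -eo pipefail`: a failing `gh pr view` now fails the step before anything is posted, which is the safer default. The step's body continues outside the hunk.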
@@ -13,15 +8,12 @@ runs: if: always() run: | set -e - - FAIL_REASON="" - echo "Verifying documentation..." make docs 1>/dev/null DOCS_CHANGES=$(git status --porcelain) - + if [ -n "$DOCS_CHANGES" ]; then - cat >> ${REASON_FILE} << EOF + cat >> "${REASON_FILE}" << EOF * ❌ Documentation is out of date: \`\`\`bash $(echo -e "$DOCS_CHANGES" | sed 's/^/ /') @@ -39,10 +31,10 @@ runs: run: | set +e echo "Verifying code standard output usage..." - CODE_STD_OUT_USAGE=$(grep -r -E 'fmt\.Print|os\.Stdout|os\.Stderr' ./internal | grep --invert-match '^./internal/out') - + CODE_STD_OUT_USAGE=$(grep -r -E 'fmt\.Print|os\.Stdout|os\.Stderr' --exclude-dir=out ./internal) + if [ -n "$CODE_STD_OUT_USAGE" ]; then - cat >> ${REASON_FILE} << EOF + cat >> "${REASON_FILE}" << EOF * ❌ Found usage of \`os.Stdout\`, \`os.Stderr\` or \`fmt.Print\` in code: \`\`\`bash $(echo -e "$CODE_STD_OUT_USAGE" | sed 's/^/ /') 
@@ -54,36 +46,3 @@ runs: env: REASON_FILE: ${{ runner.temp }}/failed_reason.txt shell: bash - - - name: Comment - if: always() - run: | - set +e - FLAGS="" - - # Determine which message to post based on validation result - FAIL_REASON=$(cat ${REASON_FILE}) - if [ -n "$FAIL_REASON" ]; then - echo "Standards violation detected" - TMP_FILE=$(mktemp) - MSG_TMPL=$(cat .github/actions/verify-standards-violation/violation-message_tmpl.md) - eval "echo -e \"${MSG_TMPL}\"" > $TMP_FILE - FLAGS="${FLAGS} --body-file ${TMP_FILE}" - else - echo "No standards violation detected" - FLAGS="${FLAGS} --body-file .github/actions/verify-standards-violation/no-violation-message.md" - fi - - # Check for existing comment by github-actions and edit if found - LAST_COMMENT_ID=$(gh pr view ${{ github.event.pull_request.number }} -R kyma-project/cli --json "comments" \ - | jq --raw-output '.comments[] | select(.author.login=="github-actions") | .id') - if [ -n "$LAST_COMMENT_ID" ]; then - echo "Editing last comment with ID: $LAST_COMMENT_ID" - FLAGS="${FLAGS} --edit-last" - fi - - gh pr comment ${{ github.event.pull_request.number }} -R kyma-project/cli $FLAGS - env: - GITHUB_TOKEN: ${{ inputs.github_token }} - REASON_FILE: ${{ runner.temp }}/failed_reason.txt - shell: bash From f1b965670e944e155846c28cec2378bc0305efad Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 14:43:51 +0200 Subject: [PATCH 07/10] ci: update workflow name reference in PR comment templates --- .../actions/verify-standards-violation/no-violation-message.md | 2 +- .../verify-standards-violation/violation-message_tmpl.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/verify-standards-violation/no-violation-message.md b/.github/actions/verify-standards-violation/no-violation-message.md index 9b014966e..349e85c32 100644 --- a/.github/actions/verify-standards-violation/no-violation-message.md +++ b/.github/actions/verify-standards-violation/no-violation-message.md 
@@ -2,4 +2,4 @@ This pull request comes with up-to-date documentation and no illegal standard output usages. -Find more detailed information in the `verify / standards (pull_request_target)` action. +Find more detailed information in the `verify-pr-code / standards` action. diff --git a/.github/actions/verify-standards-violation/violation-message_tmpl.md b/.github/actions/verify-standards-violation/violation-message_tmpl.md index f19df1107..8a27bec78 100644 --- a/.github/actions/verify-standards-violation/violation-message_tmpl.md +++ b/.github/actions/verify-standards-violation/violation-message_tmpl.md @@ -6,4 +6,4 @@ Follow these requirements: ${FAIL_REASON} -Find more detailed information in the \`verify / standards (pull_request_target)\` action. +Find more detailed information in the `verify-pr-code / standards` action. From 65d1391d7803b2dc3875d5449e18ee01fea94ca9 Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 15:47:42 +0200 Subject: [PATCH 08/10] ci: fix github-actions bot login filter in jq selector --- .github/workflows/verify-pr-comment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-pr-comment.yml b/.github/workflows/verify-pr-comment.yml index d47d44e2f..b440f5862 100644 --- a/.github/workflows/verify-pr-comment.yml +++ b/.github/workflows/verify-pr-comment.yml @@ -46,7 +46,7 @@ jobs: FLAGS="--body-file comment-body.md" LAST_COMMENT_ID=$(gh pr view "${{ steps.pr.outputs.number }}" -R kyma-project/cli --json "comments" \ - | jq --raw-output '.comments[] | select(.author.login=="github-actions") | .databaseId' \ + | jq --raw-output '.comments[] | select(.author.login=="github-actions[bot]") | .databaseId' \ | tail -1) if [ -n "$LAST_COMMENT_ID" ]; then From cd4e0c921ee578ab26e81c8fb499c00f4797149a Mon Sep 17 00:00:00 2001 
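Review bot: Replacing the escaped `` \` `` with bare backticks in violation-message_tmpl.md changes what the consumer does with them: this template is read by the Prepare comment artifact step through `eval "echo -e \"${MSG_TMPL}\""`, and inside that double-quoted string a bare backtick pair is a command substitution, so `verify-pr-code / standards` would be executed instead of printed (the sibling no-violation-message.md is only `cp`-ed, so it is unaffected). The escapes are needed for as long as the eval exists; since a later commit in this series inlines the message and drops the eval, either keep `` \` `` here or squash the two commits so that no intermediate commit renders a broken comment.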
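Review bot: The selector now matches `github-actions[bot]` exactly, but the jq result only decides between creating a comment and passing `--edit-last`, which edits the last comment made by the authenticated token's identity regardless of the id that was found, so any other workflow in this repository that comments through `GITHUB_TOKEN` will have its latest comment overwritten by this one. If other bot comments are possible, mark the generated body (e.g. an HTML comment `<!-- verify-pr-code -->`), select with `select(.body | contains("<!-- verify-pr-code -->"))`, and update that specific comment through the API instead of `--edit-last`. Whether gh reports the login as `github-actions` or `github-actions[bot]` depends on which API surface it queries, so a prefix match `select(.author.login | startswith("github-actions"))` is more robust than an exact string. The enclosing step continues outside the hunk.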
From: kwiatekus Date: Thu, 7 May 2026 15:48:24 +0200 Subject: [PATCH 09/10] ci: remove unused verify-standards-violation action --- .../verify-standards-violation/action.yaml | 48 ------------------- .../no-violation-message.md | 5 -- .../violation-message_tmpl.md | 9 ---- 3 files changed, 62 deletions(-) delete mode 100644 .github/actions/verify-standards-violation/action.yaml delete mode 100644 .github/actions/verify-standards-violation/no-violation-message.md delete mode 100644 .github/actions/verify-standards-violation/violation-message_tmpl.md diff --git a/.github/actions/verify-standards-violation/action.yaml b/.github/actions/verify-standards-violation/action.yaml deleted file mode 100644 index 2ca15b495..000000000 --- a/.github/actions/verify-standards-violation/action.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: 'Standards Violation Info' -description: 'Action for verifying PR code against repository standards' - -runs: - using: 'composite' - steps: - - name: Verify Docs - if: always() - run: | - set -e - echo "Verifying documentation..." - make docs 1>/dev/null - DOCS_CHANGES=$(git status --porcelain) - - if [ -n "$DOCS_CHANGES" ]; then - cat >> "${REASON_FILE}" << EOF - * ❌ Documentation is out of date: - \`\`\`bash - $(echo -e "$DOCS_CHANGES" | sed 's/^/ /') - \`\`\` - Please run \`make docs\` and commit the changes. - EOF - exit 1 - fi - env: - REASON_FILE: ${{ runner.temp }}/failed_reason.txt - shell: bash - - - name: Verify Code Standards - if: always() - run: | - set +e - echo "Verifying code standard output usage..." - CODE_STD_OUT_USAGE=$(grep -r -E 'fmt\.Print|os\.Stdout|os\.Stderr' --exclude-dir=out ./internal) - - if [ -n "$CODE_STD_OUT_USAGE" ]; then - cat >> "${REASON_FILE}" << EOF - * ❌ Found usage of \`os.Stdout\`, \`os.Stderr\` or \`fmt.Print\` in code: - \`\`\`bash - $(echo -e "$CODE_STD_OUT_USAGE" | sed 's/^/ /') - \`\`\` - Please use the \`internal/out\` package for output handling instead. - EOF - exit 1 - fi - env: - REASON_FILE: ${{ runner.temp }}/failed_reason.txt - shell: bash diff --git a/.github/actions/verify-standards-violation/no-violation-message.md b/.github/actions/verify-standards-violation/no-violation-message.md deleted file mode 100644 index 349e85c32..000000000 --- a/.github/actions/verify-standards-violation/no-violation-message.md +++ /dev/null @@ -1,5 +0,0 @@ -# ✅ Proposed changes verification passed - -This pull request comes with up-to-date documentation and no illegal standard output usages. - -Find more detailed information in the `verify-pr-code / standards` action. diff --git a/.github/actions/verify-standards-violation/violation-message_tmpl.md b/.github/actions/verify-standards-violation/violation-message_tmpl.md deleted file mode 100644 index 8a27bec78..000000000 
--- a/.github/actions/verify-standards-violation/violation-message_tmpl.md +++ /dev/null @@ -1,9 +0,0 @@ -# ⚠️ Proposed changes verification failed - -This message means some of your changes may interrupt repository standards. - -Follow these requirements: - -${FAIL_REASON} - -Find more detailed information in the `verify-pr-code / standards` action. From 6a0a3726e1e543445a7a7afec0c659599e081035 Mon Sep 17 00:00:00 2001 From: kwiatekus Date: Thu, 7 May 2026 15:49:27 +0200 Subject: [PATCH 10/10] ci: inline comment templates, remove eval and deleted file references --- .github/workflows/verify-pr-code.yml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/.github/workflows/verify-pr-code.yml b/.github/workflows/verify-pr-code.yml index 72a6d4da3..ef7fe3025 100644 --- a/.github/workflows/verify-pr-code.yml +++ b/.github/workflows/verify-pr-code.yml @@ -66,11 +66,26 @@ jobs: if [ -n "$FAIL_REASON" ]; then echo "Standards violation detected" - MSG_TMPL=$(cat .github/actions/verify-standards-violation/violation-message_tmpl.md) - eval "echo -e \"${MSG_TMPL}\"" > "${ARTIFACT_DIR}/comment-body.md" + cat > "${ARTIFACT_DIR}/comment-body.md" << EOF + # ⚠️ Proposed changes verification failed + + This message means some of your changes may interrupt repository standards. + + Follow these requirements: + + ${FAIL_REASON} + + Find more detailed information in the \`verify-pr-code / standards\` action. + EOF else echo "No standards violation detected" - cp .github/actions/verify-standards-violation/no-violation-message.md "${ARTIFACT_DIR}/comment-body.md" + cat > "${ARTIFACT_DIR}/comment-body.md" << 'EOF' + # ✅ Proposed changes verification passed + + This pull request comes with up-to-date documentation and no illegal standard output usages. + + Find more detailed information in the `verify-pr-code / standards` action. + EOF fi echo "${{ github.event.pull_request.number }}" > "${ARTIFACT_DIR}/pr_number.txt"