
ci: install prettier-autofix caller #8

Merged: topcoder1 merged 1 commit into main from ci/install-prettier-autofix-1778428673 on May 10, 2026

Conversation

@topcoder1
Owner

Wires the topcoder1/ci-workflows prettier-autofix reusable. When a PR lands with markdown that fails prettier --check (run by lint.yml), this workflow runs prettier --write on the changed files, commits the result as style: prettier auto-fix, and pushes back to the branch. The downstream lint check then re-runs on the new SHA and goes green automatically.

Pairs with the existing lint.yml prettier check — they read the same markdown_glob and changed_only semantics.

No new secret required: reuses the existing AUTOMERGE_PAT repo secret (same one claude-author-automerge.yml already consumes) via secrets: inherit. Pushes by the default GITHUB_TOKEN do not retrigger pull_request workflows, so a PAT push is required for the lint check to clear automatically.

Skipped automatically on fork PRs and PRs that touch zero markdown.

🤖 Auto-installed via install-prettier-autofix.sh. See runbooks/prettier-autofix.md for rotation + troubleshooting.

@topcoder1 topcoder1 enabled auto-merge (squash) May 10, 2026 15:57

jobs:
  prettier-autofix:
    uses: topcoder1/ci-workflows/.github/workflows/prettier-autofix.yml@main

Supply chain risk — mutable ref pinned to @main.

@main is a mutable pointer. Any push to topcoder1/ci-workflows main branch takes effect here immediately with no review gate in this repo. Combined with contents: write + secrets: inherit, a compromise of that repo gives an attacker write access to this repo's contents and all its secrets.

Pin to an immutable commit SHA instead:

Suggested change:
-    uses: topcoder1/ci-workflows/.github/workflows/prettier-autofix.yml@main
+    uses: topcoder1/ci-workflows/.github/workflows/prettier-autofix.yml@<COMMIT_SHA>

After each intentional upgrade, bump the SHA with a reviewed commit here.

jobs:
  prettier-autofix:
    uses: topcoder1/ci-workflows/.github/workflows/prettier-autofix.yml@main
    secrets: inherit

Over-broad secret exposure — secrets: inherit passes all repo secrets.

The PR description says only AUTOMERGE_PAT is needed, but secrets: inherit forwards every secret in this repository (any API keys, tokens, etc.) to the reusable workflow. Scope it to only what the callee actually requires:

Suggested change:
-    secrets: inherit
+    secrets:
+      AUTOMERGE_PAT: ${{ secrets.AUTOMERGE_PAT }}
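Both inline findings in this review (a mutable `@main` ref on a reusable workflow and `secrets: inherit`) can be caught mechanically before a caller workflow merges. The script below is an added example and is not part of this PR or of topcoder1/ci-workflows: it scans workflow YAML line by line (stdlib only, no YAML library) for `uses:` targets not pinned to a full 40-hex commit SHA and for `secrets: inherit`, then runs over two constructed caller workflows, one matching the snippet in this review and one with both suggestions applied. The SHA in the hardened sample is a placeholder, not a real commit of ci-workflows. It goes slightly beyond the thread: tag refs such as `@v4` are flagged as well, since tags can be moved, while same-repo `./` targets and `docker://` images (which need digest pinning, a separate check) are skipped.

```python
"""Added example: lint a GitHub Actions caller workflow for the two findings
raised in this PR review, mutable `uses:` refs and `secrets: inherit`.
Stdlib only; works line by line so it needs no YAML library."""
import re

# Only a full 40-hex commit SHA is immutable; branches and tags can be moved.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` both as a job key and as a step list item (`- uses:`).
_USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<target>\S+)\s*$")
_INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")


def ref_is_immutable(target):
    """True if a `uses:` target is pinned to a full commit SHA or needs no git ref."""
    target = target.strip("'\"")
    if target.startswith("./"):          # same-repo workflow: no ref to pin
        return True
    if target.startswith("docker://"):   # image refs need digest pinning, out of scope here
        return True
    if "@" not in target:
        return False
    return bool(_SHA_RE.match(target.rsplit("@", 1)[1]))


def lint_workflow(text):
    """Return [(line_no, message), ...] for each weakness found in workflow YAML text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments such as `# v1.2.0`
        m = _USES_RE.match(line)
        if m:
            target = m.group("target")
            if not ref_is_immutable(target):
                findings.append((n, f"{target}: not pinned to a 40-char commit SHA"))
        elif _INHERIT_RE.match(line):
            findings.append((n, "secrets: inherit forwards every repository secret; "
                                "list only what the callee needs"))
    return findings


# Constructed sample: the caller as shown in this PR's review context.
WEAK_CALLER = """\
name: prettier-autofix
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  prettier-autofix:
    uses: topcoder1/ci-workflows/.github/workflows/prettier-autofix.yml@main
    secrets: inherit
"""

# PLACEHOLDER value, not a real commit of topcoder1/ci-workflows.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# The same caller with both review suggestions applied: SHA pin plus one named secret.
HARDENED_CALLER = WEAK_CALLER.replace(
    "@main", "@" + PLACEHOLDER_SHA + "  # bump with a reviewed commit on upgrade"
).replace(
    "secrets: inherit",
    "secrets:\n      AUTOMERGE_PAT: ${{ secrets.AUTOMERGE_PAT }}",
)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_CALLER), ("hardened", HARDENED_CALLER)):
        found = lint_workflow(doc)
        print(f"{name}: {len(found)} finding(s)")
        for n, msg in found:
            print(f"  line {n}: {msg}")
```

Run it as a pre-merge check over `.github/workflows/*.yml`; the weak caller yields two findings (lines 9 and 10) and the hardened one yields none. Trailing comments are ignored on purpose so the common `@<sha>  # v1.2.0` annotation, which records which release the SHA corresponds to, does not trip the check.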

@claude

claude Bot commented May 10, 2026

Flagged 2 issues inline — supply chain risk from @main ref pinning and over-broad secrets: inherit exposure.

@topcoder1 topcoder1 merged commit 872ac56 into main May 10, 2026
8 checks passed
@topcoder1 topcoder1 deleted the ci/install-prettier-autofix-1778428673 branch May 10, 2026 16:00
