mirror of
https://github.com/nexu-io/open-design.git
synced 2026-06-01 03:14:35 +07:00
125dcd0174
* fix: run fork visual reports from trusted code * fix: auto-approve strict web visual capture * fix: address visual report review feedback Generated-By: looper 0.9.1 (runner=fixer, agent=opencode) * fix: propagate visual report storage failures Generated-By: looper 0.9.1 (runner=fixer, agent=opencode) * fix: validate PR screenshots before upload Generated-By: looper 0.9.1 (runner=fixer, agent=opencode) * fix: validate visual PR identity before comment * fix: harden fork visual report validation Generated-By: looper 0.9.1 (runner=fixer, agent=opencode) * fix: address remaining fork visual report review feedback Generated-By: looper 0.9.1 (runner=fixer, agent=opencode) * fix: handle stale fork visual report lookup Generated-By: looper 0.9.1 (runner=fixer, agent=opencode) * fix: allow stale fork visual report fallback Generated-By: looper 0.9.1 (runner=fixer, agent=opencode)
57 lines
2 KiB
YAML
57 lines
2 KiB
YAML
name: fork-pr-workflow-approval
|
|
|
|
# This workflow runs in the trusted base-repository context. It never checks out
|
|
# or executes the fork head; the TypeScript policy script only reads PR metadata
|
|
# through the GitHub API and approves pending pull_request runs when the touched
|
|
# paths are inside the low-risk source allowlist. It only approves low-privilege
|
|
# pull_request workflows (`ci`, visual verify, and strict web-source visual
|
|
# capture); privileged
|
|
# workflow_run / release / deploy workflows stay on manual gates.
|
|
on:
|
|
pull_request_target:
|
|
types: [opened, synchronize, reopened, ready_for_review, edited]
|
|
workflow_dispatch:
|
|
inputs:
|
|
pr_number:
|
|
description: Pull request number to evaluate.
|
|
required: true
|
|
type: string
|
|
dry_run:
|
|
description: Log decisions without approving workflow runs.
|
|
required: false
|
|
default: false
|
|
type: boolean
|
|
|
|
permissions:
|
|
actions: write
|
|
contents: read
|
|
pull-requests: read
|
|
|
|
concurrency:
|
|
group: fork-pr-workflow-approval-${{ github.event.pull_request.number || inputs.pr_number }}
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
approve:
|
|
if: github.repository == 'nexu-io/open-design' && (github.event_name != 'pull_request_target' || github.event.action != 'edited' || github.event.changes.base != null)
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
|
|
steps:
|
|
- name: Checkout trusted base code
|
|
uses: actions/checkout@v6.0.2
|
|
with:
|
|
ref: ${{ github.event.pull_request.base.sha || github.sha }}
|
|
persist-credentials: false
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v6.4.0
|
|
with:
|
|
node-version: 24
|
|
|
|
- name: Evaluate and approve low-risk fork PR workflows
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr_number }}
|
|
DRY_RUN: ${{ inputs.dry_run || false }}
|
|
run: node --experimental-strip-types scripts/approve-fork-pr-workflows.ts
|