Awesome/awesome-copilot
1
0
Fork 0
mirror of https://github.com/github/awesome-copilot.git synced 2026-06-21 23:17:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Tighten external plugin PR workflow permissions

Browse Source 
Scope write permissions to the PR synchronization job, keep the quality-gate job read-only, and handle no-op and detection-failure states explicitly. Also fix source tree link encoding for refs, SHAs, and plugin paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Aaron Powell
2026-06-16 13:39:14 +10:00
parent 83f7cc37a8
commit 351221bb9c
2 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/external-plugin-pr-quality-gates.yml
+7 -4
View File
@@ -13,8 +13,6 @@ concurrency:
permissions: permissions:
contents: read contents: read
issues: write
pull-requests: write
jobs: jobs:
detect-changed-plugins: detect-changed-plugins:
@@ -113,6 +111,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [detect-changed-plugins, run-quality-gates] needs: [detect-changed-plugins, run-quality-gates]
if: always() if: always()
permissions:
issues: write
pull-requests: write
steps: steps:
- name: Checkout staged branch - name: Checkout staged branch
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
@@ -122,6 +123,7 @@ jobs:
- name: Sync labels and PR status comment - name: Sync labels and PR status comment
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
env: env:
DETECT_JOB_RESULT: ${{ needs.detect-changed-plugins.result }}
SHOULD_RUN: ${{ needs.detect-changed-plugins.outputs.should-run }} SHOULD_RUN: ${{ needs.detect-changed-plugins.outputs.should-run }}
CHANGED_COUNT: ${{ needs.detect-changed-plugins.outputs.changed-count }} CHANGED_COUNT: ${{ needs.detect-changed-plugins.outputs.changed-count }}
QUALITY_RESULT_JSON: ${{ needs.run-quality-gates.outputs.quality-result }} QUALITY_RESULT_JSON: ${{ needs.run-quality-gates.outputs.quality-result }}
@@ -134,6 +136,7 @@ jobs:
const intakeState = await import(pathToFileURL(path.join(process.env.GITHUB_WORKSPACE, 'eng', 'external-plugin-intake-state.mjs')).href); const intakeState = await import(pathToFileURL(path.join(process.env.GITHUB_WORKSPACE, 'eng', 'external-plugin-intake-state.mjs')).href);
const marker = '<!-- external-plugin-pr-quality -->'; const marker = '<!-- external-plugin-pr-quality -->';
const detectJobResult = process.env.DETECT_JOB_RESULT;
const shouldRun = process.env.SHOULD_RUN === 'true'; const shouldRun = process.env.SHOULD_RUN === 'true';
const changedCount = Number.parseInt(process.env.CHANGED_COUNT || '0', 10); const changedCount = Number.parseInt(process.env.CHANGED_COUNT || '0', 10);
const qualityJobResult = process.env.QUALITY_JOB_RESULT; const qualityJobResult = process.env.QUALITY_JOB_RESULT;
@@ -145,7 +148,7 @@ jobs:
summary: 'No changed external plugin entries were detected in this PR.', summary: 'No changed external plugin entries were detected in this PR.',
}; };
if ('${{ needs.detect-changed-plugins.result }}' === 'failure' || '${{ needs.detect-changed-plugins.result }}' === 'cancelled') { if (detectJobResult === 'failure' || detectJobResult === 'cancelled') {
qualityResult = { qualityResult = {
overall_status: 'infra_error', overall_status: 'infra_error',
failure_class: 'infra', failure_class: 'infra',
@@ -190,7 +193,7 @@ jobs:
const checkedPlugins = Array.isArray(qualityResult.checked_plugins) ? qualityResult.checked_plugins : []; const checkedPlugins = Array.isArray(qualityResult.checked_plugins) ? qualityResult.checked_plugins : [];
const header = qualityResult.failure_class === 'submitter_fixes' const header = qualityResult.failure_class === 'submitter_fixes'
? '## ⚠️ External plugin PR checks require submitter fixes' ? '## ⚠️ External plugin PR checks require submitter fixes'
: qualityResult.overall_status === 'pass' : qualityResult.overall_status === 'pass' || !shouldRun
? '## ✅ External plugin PR checks passed' ? '## ✅ External plugin PR checks passed'
: '## ⚠️ External plugin PR checks need maintainer follow-up'; : '## ⚠️ External plugin PR checks need maintainer follow-up';
eng/external-plugin-pr-quality-gates.mjs
+1 -1
View File
@@ -28,7 +28,7 @@ export function buildSourceTreeUrl(plugin) {
return `https://github.com/${sourceRepo}`; return `https://github.com/${sourceRepo}`;
} }
const encodedLocator = encodePathLikeValue(sourceLocator); const encodedLocator = encodeURIComponent(sourceLocator);
const normalizedPath = normalizePluginPath(plugin?.source?.path); const normalizedPath = normalizePluginPath(plugin?.source?.path);
if (!normalizedPath) { if (!normalizedPath) {
return `https://github.com/${sourceRepo}/tree/${encodedLocator}`; return `https://github.com/${sourceRepo}/tree/${encodedLocator}`;