Automated Resyntax fixes #134
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Resyntax Analysis | |
| # The Resyntax integration is split into two phases: a workflow that analyzes the code and uploads | |
| # the analysis as an artifact, and a workflow that downloads the analysis artifact and creates a | |
| # review of the pull request. This split is for permissions reasons; the analysis workflow checks out | |
| # the pull request branch and compiles it, executing arbitrary code as it does so. For that reason, | |
| # the first workflow has read-only permissions in the github repository. The second workflow only | |
| # downloads the pull request review artifact and submits it, and it executes with read-write permissions | |
| # without executing any code in the repository. This division of responsibilities allows Resyntax to | |
| # safely analyze pull requests from forks. This strategy is outlined in the following article: | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| - ready_for_review | |
| jobs: | |
| analyze: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.triggering_actor != 'resyntax-ci[bot]' }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/[email protected] | |
| # See https://github.com/actions/checkout/issues/118. | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Racket | |
| uses: Bogdanp/[email protected] | |
| with: | |
| version: current | |
| packages: resyntax | |
| local_catalogs: $GITHUB_WORKSPACE | |
| dest: '"${HOME}/racketdist-current-CS"' | |
| sudo: never | |
| - name: Register local packages | |
| run: | | |
| raco pkg install -i --auto --no-setup --skip-installed scribble-test scribble-doc | |
| raco pkg update --auto --no-setup scribble-text-lib scribble-html-lib scribble-lib scribble-doc scribble-test scribble | |
| - name: Install local packages | |
| run: raco setup --pkgs scribble scribble-doc scribble-html-lib scribble-lib scribble-test scribble-text-lib | |
| - name: Analyze changed files | |
| run: xvfb-run racket -l- resyntax/cli analyze --local-git-repository . "origin/${GITHUB_BASE_REF}" --output-as-github-review --output-to-file ./resyntax-review.json | |
| - name: Upload analysis artifact | |
| uses: actions/[email protected] | |
| with: | |
| name: resyntax-review | |
| path: resyntax-review.json |