fix: only checkout remote servers directory (#5027)

imconnorngl · Copilot · web-flow · commit 583437f3227a · 2026-04-26T20:28:48.000+01:00
* fix: only checkout remote servers directory

* chore: requested changes

* chore: seperate validate/pr comment

Co-authored-by: Copilot &lt;copilot@github.com&gt;

* chore: requested changes

Co-authored-by: Copilot &lt;copilot@github.com&gt;

* chore: requested changes

---------

Co-authored-by: Copilot &lt;copilot@github.com&gt;
diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml
@@ -0,0 +1,49 @@
+name: Post validation feedback
+
+on:
+  workflow_run:
+    workflows: ["Validate and upload"]
+    types:
+      - completed
+
+jobs:
+  feedback:
+    name: Post validation feedback
+    if: github.event.workflow_run.event == 'pull_request'
+    runs-on: ubuntu-latest
+
+    permissions:
+      pull-requests: write
+      issues: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout from GitHub
+        uses: actions/checkout@v4
+
+      - name: Setup Python 3.x
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+
+      - name: Install Python dependencies
+        run: pip install -r .scripts/requirements.txt
+
+      - name: Download validation results
+        id: download
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-results
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+        continue-on-error: true
+
+      - name: Post validation feedback
+        run: python .scripts/post_pr_feedback.py
+        env:
+          BOT_PAT: ${{ secrets.BOT_PAT }}
+          DOWNLOAD_OUTCOME: ${{ steps.download.outcome }}
+          WORKFLOW_RUN_CONCLUSION: ${{ github.event.workflow_run.conclusion }}
+          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          WORKFLOW_RUN_PULL_REQUESTS: ${{ toJSON(github.event.workflow_run.pull_requests) }}
diff --git a/.github/workflows/validate-upload.yml b/.github/workflows/validate-upload.yml
@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - master
-  pull_request_target:
+  pull_request:
     branches:
       - "*"
   schedule:
@@ -37,16 +37,26 @@ jobs:
   validate-servers:
     name: Validate Servers
     runs-on: ubuntu-latest
+
     permissions:
-      pull-requests: write
-      issues: write
+      contents: read
+      pull-requests: read
 
     steps:
-      - name: Checkout from GitHub
+      # Trusted checkout: scripts and schemas come from the base ref so a PR
+      # cannot alter the validator (e.g. fabricating pr_results.json as
+      # "ready") to bypass validation in the trusted feedback workflow.
+      - name: Checkout trusted base
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.ref || github.ref }}
+
+      - name: Checkout PR contents (untrusted)
+        if: github.event_name == 'pull_request'
         uses: actions/checkout@v4
         with:
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr-contents
 
       - name: Setup Python 3.x
         uses: actions/setup-python@v5
@@ -57,18 +67,27 @@ jobs:
         run: pip install -r .scripts/requirements.txt
 
       - name: Validate Servers
+        working-directory: ${{ github.event_name == 'pull_request' && 'pr-contents' || '.' }}
         run: |
-          python .scripts/validate.py \
+          python "${GITHUB_WORKSPACE}/.scripts/validate.py" \
           --servers_dir servers \
-          --metadata_schema metadata.schema.json \
+          --metadata_schema "${GITHUB_WORKSPACE}/metadata.schema.json" \
           --inactive_file inactive.json \
-          --inactive_schema inactive.schema.json \
+          --inactive_schema "${GITHUB_WORKSPACE}/inactive.schema.json" \
           --no-validate_inactive
         env:
           PR_ID: ${{ github.event.pull_request.number }}
-          BOT_PAT: ${{ secrets.BOT_PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           USE_ARGS: "true"
 
+      - name: Upload validation results
+        if: always() && github.event_name == 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr-results
+          path: pr-contents/pr_results.json
+          if-no-files-found: ignore
+
   upload-servers:
     name: Upload Servers
     needs: [validate-servers, changes]
@@ -88,7 +107,7 @@ jobs:
         with:
           workload_identity_provider: 'projects/824216268633/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc'
           service_account: "github-actions@mw-lunarclient-cdn.iam.gserviceaccount.com"
-        
+
       - name: Setup Python 3.x
         uses: actions/setup-python@v5
         with:
@@ -172,3 +191,4 @@ jobs:
             -H "Content-Type: application/json" \
             -H "Authorization: Bearer $CLOUDFLARE_PURGE_TOKEN" \
             --data '{"files":["https://servermappings.lunarclientcdn.com/servers.json"]}'
+
diff --git a/.scripts/post_pr_feedback.py b/.scripts/post_pr_feedback.py
@@ -0,0 +1,162 @@
+"""
+Post-validation feedback for ServerMappings PRs.
+
+Triggered by the workflow_run job in the trusted base-repo context. Reads
+pr_results.json (uploaded by the validate-servers job that ran in the
+untrusted PR context) and either applies a "Ready for review" label or
+posts a review with the validation errors.
+
+Because pr_results.json is produced by code controlled by the PR author,
+its pr_id field cannot be trusted. The trusted PR number is derived from
+the workflow_run payload (with a head-SHA lookup as a fallback for fork
+PRs, whose pull_requests array is empty) and the artifact's pr_id is
+rejected if it doesn't match one of those numbers.
+"""
+
+import json
+import os
+
+import requests
+
+API_ROOT = "https://api.github.com"
+READY_LABEL = "Ready for review"
+RESULTS_FILE = "pr_results.json"
+
+
+def gh_request(method: str, path: str, token: str, **kwargs) -> requests.Response:
+    return requests.request(
+        method,
+        f"{API_ROOT}{path}",
+        headers={
+            "accept": "application/vnd.github+json",
+            "Authorization": f"Bearer {token}",
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+        timeout=30,
+        **kwargs,
+    )
+
+
+def resolve_trusted_pr_numbers(
+    repo: str, head_sha: str, pr_payload: list, token: str
+) -> set[int]:
+    """Return PR numbers that are safe to act on with the privileged token."""
+    numbers: set[int] = set()
+    for pr in pr_payload or []:
+        if isinstance(pr, dict) and isinstance(pr.get("number"), int):
+            numbers.add(pr["number"])
+
+    if numbers or not head_sha:
+        return numbers
+
+    res = gh_request("GET", f"/repos/{repo}/commits/{head_sha}/pulls", token)
+    if not res.ok:
+        print(
+            f"::warning::Failed to look up PRs for head SHA {head_sha}: "
+            f"{res.status_code} {res.text}"
+        )
+        return numbers
+
+    for pr in res.json():
+        if pr.get("state") == "open":
+            numbers.add(int(pr["number"]))
+    return numbers
+
+
+def remove_ready_label(repo: str, pr_number: int, token: str) -> None:
+    encoded = requests.utils.quote(READY_LABEL, safe="")
+    res = gh_request(
+        "DELETE", f"/repos/{repo}/issues/{pr_number}/labels/{encoded}", token
+    )
+    if res.status_code not in (200, 204, 404):
+        res.raise_for_status()
+
+
+def add_ready_label(repo: str, pr_number: int, token: str) -> None:
+    res = gh_request(
+        "POST",
+        f"/repos/{repo}/issues/{pr_number}/labels",
+        token,
+        json={"labels": [READY_LABEL]},
+    )
+    res.raise_for_status()
+
+
+def request_changes(repo: str, pr_number: int, body: str, token: str) -> None:
+    res = gh_request(
+        "POST",
+        f"/repos/{repo}/pulls/{pr_number}/reviews",
+        token,
+        json={"event": "REQUEST_CHANGES", "body": body},
+    )
+    res.raise_for_status()
+
+
+def build_review_body(errors: dict) -> str:
+    body = ""
+    for server_id, msgs in (errors or {}).items():
+        if not msgs:
+            continue
+        joined = "\n- ".join(msgs)
+        body += f"\n\nErrors found for **{server_id}**:\n- {joined}"
+    return body
+
+
+def main() -> None:
+    token = os.environ["BOT_PAT"]
+    repo = os.environ["GITHUB_REPOSITORY"]
+    head_sha = os.environ.get("WORKFLOW_RUN_HEAD_SHA", "")
+    conclusion = os.environ.get("WORKFLOW_RUN_CONCLUSION", "")
+    download_outcome = os.environ.get("DOWNLOAD_OUTCOME", "")
+
+    try:
+        pr_payload = json.loads(os.environ.get("WORKFLOW_RUN_PULL_REQUESTS") or "[]")
+    except json.JSONDecodeError:
+        pr_payload = []
+
+    trusted = resolve_trusted_pr_numbers(repo, head_sha, pr_payload, token)
+    if not trusted:
+        print("No PR could be associated with this workflow run; nothing to do.")
+        return
+
+    artifact_present = (
+        conclusion == "success"
+        and download_outcome == "success"
+        and os.path.isfile(RESULTS_FILE)
+    )
+
+    if not artifact_present:
+        for n in trusted:
+            remove_ready_label(repo, n, token)
+        print(
+            "Upstream did not succeed or artifact missing — "
+            "removed stale ready label."
+        )
+        return
+
+    with open(RESULTS_FILE, "r", encoding="utf-8") as f:
+        data = json.load(f)
+
+    pr_id = data.get("pr_id")
+    if not isinstance(pr_id, int) or pr_id not in trusted:
+        print(
+            f"::warning::Artifact pr_id ({pr_id!r}) does not match trusted "
+            f"PR number(s) {sorted(trusted)}; refusing to act on it."
+        )
+        return
+
+    if data.get("status") == "ready":
+        add_ready_label(repo, pr_id, token)
+        return
+
+    remove_ready_label(repo, pr_id, token)
+
+    body = build_review_body(data.get("errors") or {})
+    if not body:
+        return
+
+    request_changes(repo, pr_id, body, token)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/.scripts/utils.py b/.scripts/utils.py
@@ -24,7 +24,6 @@
     "26.*": ["26.1", "26.1.1", "26.1.2"]
 }
 
-
 def _file_hash(path: str) -> str:
     """Compute SHA1 hash of a file's contents."""
     with open(path, "rb") as f:
@@ -202,14 +201,18 @@ def get_edited_servers():
         print("No pull request id found. Unable to get edited servers")
         return edited_server_ids
 
+    token = os.getenv("GITHUB_TOKEN")
     res = requests.get(
-            f"https://api.github.com/repos/LunarClient/ServerMappings/pulls/{pull_id}/files",
-            headers={
-                "accept": "application/vnd.github+json",
-                "Authorization": f"Bearer {os.getenv('BOT_PAT')}",
-            }
-        )
+        f"https://api.github.com/repos/LunarClient/ServerMappings/pulls/{pull_id}/files",
+        headers={
+            "accept": "application/vnd.github+json",
+            "Authorization": f"Bearer {token}",
+        },
+        timeout=30,
+    )
     
+    res.raise_for_status()
+
     for file in res.json():
         file_name: str = file['filename']
         if not file_name.startswith("servers/"):
diff --git a/.scripts/validate.py b/.scripts/validate.py
