17 changes: 15 additions & 2 deletions .github/workflows/code-quality.yml
@@ -44,10 +44,16 @@ jobs:
format:
name: Format
runs-on: ubuntu-latest
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository

P2: Retain formatting check for forked pull requests

The new job-level condition restricts format to same-repo PRs only, so fork PRs now skip formatting entirely. In GitHub Actions, a skipped job is treated as successful for required checks, which means external contributions can merge without any formatter validation. If auto-commit is only intended for same-repo branches, keep the formatter step running for all PRs and gate only the commit step behind the same-repo condition.

permissions:
contents: write

steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Bun
uses: oven-sh/setup-bun@v2
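Review bot: the job-level `if:` at the top of this hunk makes the whole Format job skip on fork PRs, and a skipped job is reported as passing for required checks, so fork contributions get no formatting signal at all. The new `contents: write` permission combined with the `token: ${{ secrets.GITHUB_TOKEN }}` checkout of `${{ github.head_ref }}` has a second consequence worth documenting: commits pushed with GITHUB_TOKEN do not trigger new workflow runs, so the other checks in this workflow will not run on the formatting commit that becomes the PR head. Suggest keeping the job itself unconditional, moving `github.event.pull_request.head.repo.full_name == github.repository` to the commit step only, and, if the auto-commit must re-trigger CI, pushing with a GitHub App or deploy-key token that is still restricted to the same-repo case.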
@@ -65,8 +71,15 @@ jobs:
- name: Install dependencies
run: bun install

- name: Run format check
run: bunx biome ci --formatter-enabled=true --assist-enabled=true --linter-enabled=false --reporter=github .
- name: Run formatter
run: bun run format

- name: Commit formatting changes
uses: stefanzweifel/git-auto-commit-action@v5

🔒 Agentic Security Review
Severity: MEDIUM
Using stefanzweifel/git-auto-commit-action@v5 (mutable tag) in a job with contents: write introduces a supply-chain trust risk: if that tag is retargeted or compromised upstream, this workflow can run attacker-controlled code with repository write permissions.
Impact: Unauthorized commits could be pushed to PR branches from CI.

with:
commit_message: "style: apply biome formatting"
commit_user_name: "github-actions[bot]"
commit_user_email: "41898282+github-actions[bot]@users.noreply.github.com"

knip:
name: Knip
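Review bot: replacing the `bunx biome ci --formatter-enabled=true ... --reporter=github .` step with `bun run format` removes the only step that fails on formatting violations; after this change the job passes for same-repo PRs regardless of what the formatter found, and fork PRs (where the job is skipped) get no check at all. Keep a `biome ci` check step alongside the auto-fix so the job still fails when formatting is wrong, and since this job runs with `contents: write`, pin `stefanzweifel/git-auto-commit-action@v5` to a full commit SHA rather than a mutable tag, as the security review above also notes. `bun run format` also assumes a `format` script in package.json that is not visible in this diff; worth confirming it invokes the same biome formatter configuration the removed check used.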