
Commit 0f4e823

authored
ci: Add stub to trigger render check workflow (#16890) (#16895)
1 parent 4c1ecd6 commit 0f4e823

1 file changed

Lines changed: 43 additions & 0 deletions


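--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,43 @@
+# Stub workflow — A copy of this workflow must live on the default branch (3.0) so that the
+# pull_request_target event can trigger it with access to GITHUB_TOKEN (pull-requests: write).
+# It delegates all real work to the reusable template on tomls/base/main.
+#
+# This two-stage design lets fork PRs trigger the check safely: the stub runs in the
+# context of the default branch (with write token), but the reusable workflow checks out
+# the PR's data files (TOML configs, specs) into a separate directory — never mixing
+# untrusted code with execution context.
+#
+# The stub must exist on the default branch because pull_request_target always runs
+# workflows from there. The reusable workflow on tomls/base/main has the actual scripts,
+# container setup, and rendering logic.
+name: Check Rendered Specs
+
+# pull_request_target gives us a GITHUB_TOKEN with pull-requests: write even for fork PRs.
+# The stub itself runs NO code from the PR — it only delegates to a trusted reusable
+# workflow pinned to tomls/base/main, which checks out PR data (not code) into an
+# isolated subdirectory.
+on: # zizmor: ignore[dangerous-triggers]
+  pull_request_target:
+    branches:
+      - tomls/base/main
+
+permissions: {}
+
+concurrency:
+  group: render-check-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    # Prevent forks from running a stale/vulnerable copy of this stub with Actions enabled
+    if: github.repository == 'microsoft/azurelinux'
+    # Intentionally branch-pinned so the reusable workflow picks up updates automatically.
+    uses: microsoft/azurelinux/.github/workflows/check-rendered-specs.yml@tomls/base/main # zizmor: ignore[unpinned-uses]
+    permissions:
+      contents: read
+      pull-requests: write # Post/update/delete drift comments on PRs
+    with:
+      pr-head-sha: ${{ github.event.pull_request.head.sha }}
+      pr-head-repo: ${{ github.event.pull_request.head.repo.full_name }}
+      pr-number: ${{ github.event.pull_request.number }}
+      repo: ${{ github.repository }}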
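Review bot: The safety argument in the header comment (new-file lines 5–8 and 15–18) rests on the checked-out PR files being inert data, but RPM spec files are not inert — `%(...)` macros execute shell when a spec is parsed or rendered by rpm tooling — so the "data, not code" claim only holds if the rendering logic in the reusable workflow avoids macro expansion, and since that workflow is not part of this commit this is inferred rather than verified. I would state the invariant next to the `uses:` line so a later change on the reusable side cannot silently break it: `# Invariant: the reusable workflow must only read the checked-out PR files; it must never expand rpm macros or execute anything from that directory while the write token is present.` Separately, `github.event.pull_request.head.repo` is null when the fork has been deleted, so `pr-head-repo` would be passed as an empty string; either extend the job condition to `if: github.repository == 'microsoft/azurelinux' && github.event.pull_request.head.repo != null` or confirm the reusable workflow rejects an empty value.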
