upload-openapi-spec-action/examples/pull_request_forks.yml at main · stainless-api/upload-openapi-spec-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: Build Stainless SDKs (including forks)

# This workflow uses pull_request_target, which allows it to run on pull requests
# from forks with access to secrets and OIDC tokens. This is safe because the
# workflow definition comes from the base branch (trusted), and the action only
# reads OpenAPI spec files without executing any code from the PR.
#
# Important: If your repository is public, configure GitHub to require approval
# for workflows from fork PRs. Go to Settings → Actions → General, and under
# "Fork pull request workflows from outside collaborators", select
# "Require approval for all outside collaborators".

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
  push:
    # Set this to the branch of the repository that the `main` Stainless branch
    # of your project gets its OpenAPI spec from. This is usually the default
    # branch of your repository.
    branches: [main]
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

env:
  # Stainless organization name.
  STAINLESS_ORG: YOUR_ORG

  # Stainless project name.
  STAINLESS_PROJECT: YOUR_PROJECT

  # Path to your OpenAPI spec.
  OAS_PATH: YOUR_OAS_PATH

  # Path to your Stainless config. Optional; only provide this if you prefer
  # to maintain the ground truth Stainless config in your own repo.
  CONFIG_PATH: YOUR_CONFIG_PATH

  # When to fail the job based on build conclusion.
  # Options: "never" | "note" | "warning" | "error" | "fatal".
  FAIL_ON: error

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    steps:
      # Checkout the PR's code (including from forks)
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Run build
        uses: stainless-api/upload-openapi-spec-action/build@v1
        with:
          org: ${{ env.STAINLESS_ORG }}
          project: ${{ env.STAINLESS_PROJECT }}
          oas_path: ${{ env.OAS_PATH }}
          config_path: ${{ env.CONFIG_PATH }}
          fail_on: ${{ env.FAIL_ON }}
          base_sha: ${{ github.event.pull_request.base.sha }}
          base_ref: ${{ github.event.pull_request.base.ref }}
          head_sha: ${{ github.event.pull_request.head.sha }}