Add verifyPeerReview.yml feature workflow#80
Conversation
Wires up the org-level ruleset workflow (GitHub App token generation, cross-repo checkout, npm ci, npm run verify-peer-review) extracted verbatim from #64, so the App permissions/secrets/checkout plumbing can be validated end-to-end (e.g. via a ruleset's Evaluate mode) before real peer-review logic lands. The script it invokes is still the Phase 1 no-op skeleton, so this check always passes for now. Also adds the first verifyPeerReview.yml README section, since Phase 1 landed with no README changes. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Remove duplicated workflow YAML and verbose no-op explanation; the workflow file itself is the source of truth. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
This comment was marked as outdated.
This comment was marked as outdated.
Use pull_request_target everywhere with GitHub-Actions@main checkout only, add workflow_dispatch for webhook re-runs, and document the security model. Co-authored-by: Cursor <cursoragent@cursor.com>
Re-runs after review will retry the existing ruleset check via PHP webhook follow-up, not a separate workflow_dispatch run. Co-authored-by: Cursor <cursoragent@cursor.com>
Drop mermaid diagram, trigger table, security notes, and rollout steps. Keep a short purpose and ruleset configuration summary. Co-authored-by: Cursor <cursoragent@cursor.com>
This comment was marked as resolved.
This comment was marked as resolved.
Pass PR metadata through env and quote shell args so branch names with metacharacters cannot inject commands in pull_request_target. Co-authored-by: Cursor <cursoragent@cursor.com>
This comment was marked as resolved.
This comment was marked as resolved.
|
Codex Review: Didn't find any major issues. What shall we delve into next? Reviewed commit: ℹ️ About Codex in GitHubCodex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback". |
| - name: Checkout GitHub-Actions | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 | ||
| with: | ||
| repository: Expensify/GitHub-Actions | ||
| path: GitHub-Actions |
There was a problem hiding this comment.
Is this still safe if the PR is against the GH actions repo?
There was a problem hiding this comment.
yes, I think so. Because it uses the pull_request_target trigger, the version of the workflow in the PR base will run. The default checkout will also use the ref from the PR base.
Co-authored-by: Rafe Colton <1058475+rafecolton@users.noreply.github.com>
Co-authored-by: Rafe Colton <1058475+rafecolton@users.noreply.github.com>
|
going to merge since @rafecolton previously approved and his comments were addressed |
Details
Adds
verifyPeerReview.ymlwith thepull_request_target-only architecture from Expensify#636197:pull_request_targetfor all repos (org rulesets + GitHub-Actions) — workflow YAML and scripts run frommainonlyGitHub-Actions@mainfor scriptspull_requestandpull_request_review(secrets unavailable on fork PRs;pull_request_reviewunsupported by rulesets)checkoutRepoAndGitHubActionsis not used — it would checkout the client repo, which is unsafe onpull_request_targetworkflow_dispatch, which would not clear the required check)The verify script remains a no-op skeleton. README documents the security model, trigger matrix, and mermaid flow diagram.
Related Issues
https://github.com/Expensify/Expensify/issues/636197
Manual Tests
Post-merge (ruleset Evaluate mode):
main.pull_request_target) in Evaluate mode on App-Test-Fork.mainworkflow version, not the PR head.