Skip to content

Add verifyPeerReview.yml feature workflow#80

Merged
roryabraham merged 17 commits into
mainfrom
rory-peer-review-02e-workflow
Jul 8, 2026
Merged

Add verifyPeerReview.yml feature workflow#80
roryabraham merged 17 commits into
mainfrom
rory-peer-review-02e-workflow

Conversation

@roryabraham

@roryabraham roryabraham commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Details

Adds verifyPeerReview.yml with the pull_request_target-only architecture from Expensify#636197:

  • Uses pull_request_target for all repos (org rulesets + GitHub-Actions) — workflow YAML and scripts run from main only
  • Never checks out the PR's repo; uses the GitHub API for PR metadata and GitHub-Actions@main for scripts
  • Removes pull_request and pull_request_review (secrets unavailable on fork PRs; pull_request_review unsupported by rulesets)
  • checkoutRepoAndGitHubActions is not used — it would checkout the client repo, which is unsafe on pull_request_target
  • Re-runs after review: follow-up PHP webhook work will retry the existing ruleset check run on the PR (not workflow_dispatch, which would not clear the required check)

The verify script remains a no-op skeleton. README documents the security model, trigger matrix, and mermaid flow diagram.

Related Issues

https://github.com/Expensify/Expensify/issues/636197

Manual Tests

Post-merge (ruleset Evaluate mode):

  1. Merge this PR to main.
  2. Enable the ruleset (pull_request_target) in Evaluate mode on App-Test-Fork.
  3. Open or sync a PR in App-Test-Fork; confirm the check passes, secrets work, and no client repo is checked out.
  4. Open or sync a PR in App-Test-Fork from yet another fork. Confirm the check passes, secrets work, and no client repo is checked out.
  5. Open a PR in GitHub-Actions (including a workflow-edit PR); confirm the check runs the main workflow version, not the PR head.

Wires up the org-level ruleset workflow (GitHub App token generation,
cross-repo checkout, npm ci, npm run verify-peer-review) extracted
verbatim from #64, so the App
permissions/secrets/checkout plumbing can be validated end-to-end
(e.g. via a ruleset's Evaluate mode) before real peer-review logic
lands. The script it invokes is still the Phase 1 no-op skeleton, so
this check always passes for now.

Also adds the first verifyPeerReview.yml README section, since Phase 1
landed with no README changes.

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@roryabraham roryabraham changed the title Add verifyPeerReview.yml feature workflow (Phase 2e of #64 split, still no-op) Add verifyPeerReview.yml feature workflow Jul 3, 2026
roryabraham and others added 4 commits July 3, 2026 00:59
Remove duplicated workflow YAML and verbose no-op explanation; the
workflow file itself is the source of truth.

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@roryabraham roryabraham requested review from grgia and rafecolton July 3, 2026 08:08
@roryabraham roryabraham marked this pull request as ready for review July 3, 2026 08:08
chatgpt-codex-connector[bot]

This comment was marked as resolved.

@roryabraham

This comment was marked as outdated.

@roryabraham roryabraham marked this pull request as draft July 4, 2026 06:38
Use pull_request_target everywhere with GitHub-Actions@main checkout only,
add workflow_dispatch for webhook re-runs, and document the security model.

Co-authored-by: Cursor <cursoragent@cursor.com>
@roryabraham roryabraham marked this pull request as ready for review July 5, 2026 01:59
chatgpt-codex-connector[bot]

This comment was marked as resolved.

@roryabraham roryabraham marked this pull request as draft July 5, 2026 02:13
roryabraham and others added 3 commits July 4, 2026 19:15
Re-runs after review will retry the existing ruleset check via PHP
webhook follow-up, not a separate workflow_dispatch run.

Co-authored-by: Cursor <cursoragent@cursor.com>
Drop mermaid diagram, trigger table, security notes, and rollout steps.
Keep a short purpose and ruleset configuration summary.

Co-authored-by: Cursor <cursoragent@cursor.com>
@roryabraham roryabraham marked this pull request as ready for review July 6, 2026 19:59
@roryabraham

This comment was marked as resolved.

chatgpt-codex-connector[bot]

This comment was marked as resolved.

Pass PR metadata through env and quote shell args so branch names
with metacharacters cannot inject commands in pull_request_target.

Co-authored-by: Cursor <cursoragent@cursor.com>
@roryabraham

This comment was marked as resolved.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. What shall we delve into next?

Reviewed commit: 7f79a76c0e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

rafecolton
rafecolton previously approved these changes Jul 7, 2026
Comment thread .github/workflows/verifyPeerReview.yml Outdated
Comment thread .github/workflows/verifyPeerReview.yml Outdated
Comment thread .github/workflows/verifyPeerReview.yml Outdated
Comment on lines +49 to +53
- name: Checkout GitHub-Actions
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
with:
repository: Expensify/GitHub-Actions
path: GitHub-Actions

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this still safe if the PR is against the GH actions repo?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I think so. Because it uses the pull_request_target trigger, the version of the workflow in the PR base will run. The default checkout will also use the ref from the PR base.

Comment thread .github/workflows/verifyPeerReview.yml Outdated
Co-authored-by: Rafe Colton <1058475+rafecolton@users.noreply.github.com>
roryabraham and others added 3 commits July 8, 2026 11:27
Co-authored-by: Rafe Colton <1058475+rafecolton@users.noreply.github.com>
chatgpt-codex-connector[bot]

This comment was marked as resolved.

Comment thread .github/workflows/verifyPeerReview.yml Outdated

@grgia grgia left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question

@grgia grgia left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@roryabraham

Copy link
Copy Markdown
Contributor Author

going to merge since @rafecolton previously approved and his comments were addressed

@roryabraham roryabraham merged commit 1ddd838 into main Jul 8, 2026
5 checks passed
@roryabraham roryabraham deleted the rory-peer-review-02e-workflow branch July 8, 2026 20:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants