Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AO3-6590 Add reviewdog for linting ERB files #4604

Merged
merged 3 commits into from
Aug 19, 2023
Merged

AO3-6590 Add reviewdog for linting ERB files #4604

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
346835d
AO3-6590 Add reviewdog ERB lint runner
Bilka2 Aug 13, 2023
47f5223
AO3-6590 Remove erb lint from Hound
Bilka2 Aug 15, 2023
41b8dff
AO3-6590 Rename reviewdog workflow to be more generic
Bilka2 Aug 15, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions .github/workflows/reviewdog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Based on https://github.com/tk0miya/action-erblint/blob/main/README.md#example-usage

name: Reviewdog ERB Lint
Bilka2 marked this conversation as resolved.
Show resolved Hide resolved

on: [pull_request]

permissions:
checks: write

jobs:
erb-lint:
name: ERB Lint runner
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3

- name: Set up Ruby and run bundle install
uses: ruby/setup-ruby@v1
with:
bundler-cache: true

- name: erb-lint
uses: tk0miya/action-erblint@667687e73b44e7b7a710a1204b180f49f80ebb5e
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason not to use @v1? https://github.com/tk0miya/action-erblint/releases/tag/v1

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you don't trust the creator of the action, it's usually best practices to use the hash version for actions, because it refers to a specific commit. That means that you can view the repository, read the source code of the action, and be sure that when the action runs, it's running only code that you've already reviewed.

Tags, on the other hand, can be switched to point to a different commit, which means that the owner of the action could choose to replace the existing code with some kind of exploit.

I'm not sure the extra security is necessary, in this case, but I can see both sides of the argument.

Copy link
Contributor Author

@Bilka2 Bilka2 Aug 17, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHub recommends using a SHA in their docs, especially if the action author is not a verified creator, like in this case.

However, this workflow has very few permissions ("write checks" for PRs from the same repo, "read checks" for third party repos), so if it were compromised I don't think it could do much harm. But I'd rather be safe than sorry, because github actions and their permissions are relatively new to me.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough! Thanks for the link @Bilka2!

with:
use_bundler: true
reporter: github-pr-check # default