Fix Issue #330 #47
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Resyntax Analysis | |
| # The Resyntax integration is split into two phases: a workflow that analyzes the code and uploads | |
| # the analysis as an artifact, and a workflow that downloads the analysis artifact and creates a | |
| # review of the pull request. This split is for permissions reasons; the analysis workflow checks out | |
| # the pull request branch and compiles it, executing arbitrary code as it does so. For that reason, | |
| # the first workflow has read-only permissions in the github repository. The second workflow only | |
| # downloads the pull request review artifact and submits it, and it executes with read-write permissions | |
| # without executing any code in the repository. This division of responsibilities allows Resyntax to | |
| # safely analyze pull requests from forks. This strategy is outlined in the following article: | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| - ready_for_review | |
| jobs: | |
| analyze: | |
| runs-on: ubuntu-latest | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/[email protected] | |
| # See https://github.com/actions/checkout/issues/118. | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Racket | |
| uses: Bogdanp/[email protected] | |
| with: | |
| version: current | |
| distribution: minimal | |
| local_catalogs: $GITHUB_WORKSPACE | |
| dest: '"${HOME}/racketdist-current-CS"' | |
| sudo: never | |
| - name: Install local packages | |
| run: raco pkg install --auto gui gui-lib gui-doc tex-table gui-test | |
| - name: Install Resyntax | |
| run: raco pkg install --auto resyntax | |
| - name: Analyze changed files | |
| run: xvfb-run racket -l- resyntax/cli analyze --local-git-repository . "origin/${GITHUB_BASE_REF}" --output-as-github-review --output-to-file ./resyntax-review.json | |
| - name: Upload analysis artifact | |
| uses: actions/[email protected] | |
| with: | |
| name: resyntax-review | |
| path: resyntax-review.json |