Merged
7 changes: 1 addition & 6 deletions .github/workflows/format-command.yml
@@ -1,10 +1,5 @@
name: format-command

# This workflow no longer triggers on issue_comment directly. It only runs
# after .github/workflows/slash-command-dispatch.yml has verified that the
# commenter has write access to the repository and created a
# "format-command" repository_dispatch event. This removes the unauthenticated
# pwn-request path: untrusted commenters never reach this job.
on:
repository_dispatch:
types: [format-command]
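Review bot: The comment block above `on:` is the only place in this file that records why running on `repository_dispatch` is safe, and the hunk header (10 lines before, 5 after) shows it being dropped. With it gone, nothing tells a future maintainer that the job depends on the write-access check in .github/workflows/slash-command-dispatch.yml, or that re-adding an `issue_comment` trigger would reopen the path the comment describes. If the aim is brevity, keep a single line such as `# Runs only via slash-command-dispatch.yml, which requires write permission` rather than removing the rationale entirely.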
Expand Down Expand Up @@ -48,7 +43,7 @@ jobs:
issue_number: context.payload.client_payload.github.payload.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: "I have successfully run Prettier and pushed the formatting fixes to this PR.\n\n**Note for Contributors:** Because this commit was pushed by a bot, GitHub will not automatically re-run the CI checks. To trigger them to pass, you must either:\n- Push an empty commit locally (`git commit --allow-empty -m \"Trigger builds\"` and push)\n- Close and immediately reopen this Pull Request."
body: "I have successfully run Prettier and pushed the formatting fixes to this PR.\n\n**Note:** Since this commit was pushed by a bot, GitHub will not automatically re-run the CI checks. To trigger them, either:\n- Push an empty commit (`git commit --allow-empty -m \"Trigger builds\"` and push)\n- Close and immediately reopen this Pull Request."
})

- name: Post failure comment
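Review bot: The `body:` value is one long escaped string, so this small wording change shows up as a full-line replacement that has to be compared word by word. Consider building the message from an array of short lines joined with "\n", which would keep later edits to one list item visible as one changed line and avoid the `\"` escaping around `Trigger builds`. The new wording itself reads fine.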
5 changes: 1 addition & 4 deletions .github/workflows/slash-command-dispatch.yml
Expand Up @@ -8,14 +8,11 @@ jobs:
slashCommandDispatch:
runs-on: ubuntu-latest
steps:
# peter-evans/slash-command-dispatch checks the commenter's repository
# permission (default: "write") BEFORE any dispatch event is created.
# No PR/fork code is checked out in this job, so untrusted commenters
# can never reach a step that holds write-scoped credentials.
- name: Slash Command Dispatch
uses: peter-evans/slash-command-dispatch@v5
with:
token: ${{ secrets.PAT }}
reaction-token: ${{ secrets.PAT }}
commands: format
permission: write
issue-type: pull-request
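Review bot: The four comment lines above `- name: Slash Command Dispatch` explain that the commenter's permission is checked before any dispatch event is created and that no PR or fork code is checked out in this job; removing them leaves `permission: write` as an undocumented security control that a later cleanup could delete without noticing its purpose. I would keep at least a one-line comment next to `permission: write` saying it gates who can trigger the format workflow. Separately, `uses: peter-evans/slash-command-dispatch@v5` references a movable tag while the step receives `secrets.PAT` as both `token` and `reaction-token`, so pinning the action to a full commit SHA would be worth doing in this file.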