[libcxx-commits] [libcxx] [libc++] Move the check-generated-files job to Github Actions (PR #68920)

[Tom Stellard via libcxx-commits]

================
@@ -0,0 +1,29 @@
+name: "Check libc++ generated files"
+on:
+  pull_request_target:
+    paths:
+      - 'libcxx/**'
+permissions:
+  pull-requests: write
+
+jobs:
+  check_generated_files:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch LLVM sources
+        uses: actions/checkout at v4
+        with:
+          fetch-depth: 2
+
+      - name: Install clang-format
+        uses: aminya/setup-cpp at v1
+        with:
+          clangformat: 17.0.1
+
+      - name: Install Ninja
+        uses: seanmiddleditch/gha-setup-ninja at master
+        with:
+          destination: build/ninja-install
+
+      - name: Check generated files
+        run: libcxx/utils/ci/run-buildbot check-generated-output
----------------
tstellar wrote:

This is insecure because you are using the privileged event 'pull_request_target' and running a script that could have been modified by the PR.  You will need to use the pull_request event or split the workflow into two parts like we do here: https://github.com/llvm/llvm-project/blob/main/.github/workflows/pr-receive.yml and https://github.com/llvm/llvm-project/blob/main/.github/workflows/new-prs.yml

See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

https://github.com/llvm/llvm-project/pull/68920