[libcxx-commits] [libcxx] [libc++] Move the check-generated-files job to Github Actions (PR #68920)
Tom Stellard via libcxx-commits
libcxx-commits at lists.llvm.org
Thu Oct 12 11:54:47 PDT 2023
================
@@ -0,0 +1,29 @@
+name: "Check libc++ generated files"
+on:
+ pull_request_target:
+ paths:
+ - 'libcxx/**'
+permissions:
+ pull-requests: write
+
+jobs:
+ check_generated_files:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Fetch LLVM sources
+ uses: actions/checkout at v4
+ with:
+ fetch-depth: 2
+
+ - name: Install clang-format
+ uses: aminya/setup-cpp at v1
+ with:
+ clangformat: 17.0.1
+
+ - name: Install Ninja
+ uses: seanmiddleditch/gha-setup-ninja at master
+ with:
+ destination: build/ninja-install
+
+ - name: Check generated files
+ run: libcxx/utils/ci/run-buildbot check-generated-output
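Review bot: the combination of `pull_request_target` (lines 9-11) with `permissions: pull-requests: write` (lines 12-13) hands a write-capable token to a trigger that also fires for pull requests from forks, while the last step runs `libcxx/utils/ci/run-buildbot check-generated-output` straight out of the checkout; a job whose only result is pass/fail needs neither, so `on: pull_request` with `permissions: contents: read` is the safe shape. Note also that the checkout step has no `ref:`, so under `pull_request_target` it fetches the base branch and the check would not even see the PR's libcxx changes; the obvious "fix" of adding `ref: ${{ github.event.pull_request.head.sha }}` is exactly what would let a fork-authored version of that script run with the write token. Separately, `seanmiddleditch/gha-setup-ninja at master` tracks a moving branch and `aminya/setup-cpp at v1` and `actions/checkout at v4` are mutable tags; pin each to a full commit SHA (with the tag in a trailing comment) so that a compromised upstream cannot change what this job executes.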
----------------
tstellar wrote:
This is insecure because you are using the privileged event 'pull_request_target' and running a script that could have been modified by the PR. You will need to use the pull_request event or split the workflow into two parts like we do here: https://github.com/llvm/llvm-project/blob/main/.github/workflows/pr-receive.yml and https://github.com/llvm/llvm-project/blob/main/.github/workflows/new-prs.yml
See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
https://github.com/llvm/llvm-project/pull/68920
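The split the reviewer is asking for, as an added illustration that is not part of the PR, the message above or the LLVM repository's own `pr-receive.yml`/`new-prs.yml`: the untrusted half runs on `pull_request`, which gives a read-only `GITHUB_TOKEN` and no secrets for fork PRs, so it may safely check out and run the PR's own script; the privileged half runs on `workflow_run`, which always executes the workflow file from the default branch, and only consumes the first half's artifact. The workflow and artifact names, the use of `actions/upload-artifact@v4` and `actions/download-artifact@v4` (with its `run-id` and `github-token` inputs), and commenting through `gh pr comment` are this example's assumptions, not something the PR specifies; the SHA placeholders stand for the pinned commits a real deployment would fill in.

```yaml
# Added example, not the PR's or LLVM's workflow. Two files are shown in one
# listing; each "File:" comment starts a separate workflow file.

# File: .github/workflows/check-generated-files.yml  (untrusted half)
# `pull_request` runs with a read-only token and no secrets for fork PRs, so
# running the PR's own run-buildbot script here is acceptable.
name: "Check libc++ generated files"
on:
  pull_request:
    paths:
      - 'libcxx/**'
permissions:
  contents: read

jobs:
  check_generated_files:
    runs-on: ubuntu-latest
    steps:
      # Pin to a commit SHA (placeholder here), keep the tag as a comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          fetch-depth: 2

      - name: Check generated files
        run: libcxx/utils/ci/run-buildbot check-generated-output

      # Hand only data, never code, to the privileged half. Runs on failure
      # too so the other workflow can learn which PR to comment on.
      - name: Save PR number for the privileged workflow
        if: always()
        run: echo "${{ github.event.pull_request.number }}" > pr-number.txt

      - uses: actions/upload-artifact@0000000000000000000000000000000000000000 # v4
        if: always()
        with:
          name: check-generated-files-result
          path: pr-number.txt

# File: .github/workflows/check-generated-files-comment.yml  (privileged half)
# `workflow_run` executes this file as it exists on the default branch, so a
# PR cannot alter what runs under the write-capable token.
name: "Comment on generated-files check"
on:
  workflow_run:
    workflows: ["Check libc++ generated files"]
    types: [completed]
permissions:
  pull-requests: write

jobs:
  comment_on_failure:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'failure'
    steps:
      - uses: actions/download-artifact@0000000000000000000000000000000000000000 # v4
        with:
          name: check-generated-files-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}

      # The artifact was produced by untrusted code: validate it before use
      # and never pass it to a shell unquoted.
      - name: Post review comment
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
        run: |
          pr="$(tr -d '[:space:]' < pr-number.txt)"
          case "$pr" in
            ''|*[!0-9]*) echo "refusing to use malformed PR number: '$pr'"; exit 1 ;;
          esac
          gh pr comment "$pr" --repo "$REPO" --body \
            "The check-generated-files job failed; please re-run \`libcxx/utils/ci/run-buildbot check-generated-output\` locally and commit the regenerated files."
```

The design point is that trust flows only one way: the first workflow can execute anything the PR contains but cannot write to the repository, and the second can write but executes only default-branch code and treats the artifact as hostile input.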