Add XML validation workflow using GitHub Actions#454
Conversation
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
Reviewer's GuideAdds a new GitHub Actions workflow that runs Testing Farm’s xmllint-based validation for XML-related tmt plans on pushes, pull requests, and manual dispatches to the main branch. File-Level Changes
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Signed-off-by: Lokesh Mandvekar <[email protected]>
lsm5
force-pushed
the
xmllint-validation-1
branch
from
a8bb41b to
75d9491
Compare
|
Tests failed. @containers/packit-build please check. |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- On pull_request events
github.refpoints torefs/pull/...rather than the merge or head SHA; if Testing Farm expects a commit-ish, consider usinggit_ref: ${{ github.sha }}orgithub.event.pull_request.head.shato ensure the correct revision is tested. - The workflow currently runs on every push and PR to main; if the XML validation is only relevant for certain files, consider adding a
pathsfilter underon:to avoid unnecessary remote runs. - To follow GitHub Actions least-privilege practices, consider explicitly setting
permissions:for this workflow (e.g.contents: readand only what the Testing Farm action actually needs) instead of relying on the default token permissions.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- On pull_request events `github.ref` points to `refs/pull/...` rather than the merge or head SHA; if Testing Farm expects a commit-ish, consider using `git_ref: ${{ github.sha }}` or `github.event.pull_request.head.sha` to ensure the correct revision is tested.
- The workflow currently runs on every push and PR to main; if the XML validation is only relevant for certain files, consider adding a `paths` filter under `on:` to avoid unnecessary remote runs.
- To follow GitHub Actions least-privilege practices, consider explicitly setting `permissions:` for this workflow (e.g. `contents: read` and only what the Testing Farm action actually needs) instead of relying on the default token permissions.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
@containers/container-selinux-maintainers PTAL. This (and perhaps similar future PRs) are a PoC for switching to a GHA + TMT/testing-farm workflow given that Cirrus CI will be shutting down on Jun 1. I'm told GHA actions first need to be merged to main in order for them to take effect on future PRs from forks. |
|
LGTM. |
| name: "XML Validation" | ||
|
|
||
| on: | ||
| pull_request: |
There was a problem hiding this comment.
that is not correct, you cannot use secrets on this trigger as it would leak them to any user, as such github blocks them for PRs from forks.
so this only works because you created the PR from a branch instead of your fork like we normally do.
So any outside contributor will have that job fail due the missing secret.
The only way to use secrets on PRs is pull_request_target which will always use workflow file from the target branch not the PR itself so a contributor cannot chnage it to leak the key to themselves. However it is easy to screw that up so using pull_request_target and secrets is often considered insecure.
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Schedule tests on Testing Farm | ||
| uses: sclorg/testing-farm-as-github-action@v2 |
There was a problem hiding this comment.
why are these importing outdated versions? There are newer major versions.
Also I think for security reasons we should start pinning these by commit sha, renovate will still be able tu update them like we see in podman
3 participants
Summary by Sourcery
CI: