Automated Resyntax fixes #51
name: Resyntax Analysis
# The Resyntax integration is split into two phases: a workflow that analyzes the code and uploads
# the analysis as an artifact, and a workflow that downloads the analysis artifact and creates a
# review of the pull request. This split is for permissions reasons; the analysis workflow checks out
# the pull request branch and compiles it, executing arbitrary code as it does so. For that reason,
# the first workflow has read-only permissions in the github repository. The second workflow only
# downloads the pull request review artifact and submits it, and it executes with read-write permissions
# without executing any code in the repository. This division of responsibilities allows Resyntax to
# safely analyze pull requests from forks. This strategy is outlined in the following article:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - ready_for_review
jobs:
  analyze:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout code
        uses: actions/[email protected]
        # See https://github.com/actions/checkout/issues/118.
        with:
          fetch-depth: 0
      - name: Install Racket
        uses: Bogdanp/[email protected]
        with:
          version: current
          packages: resyntax
          local_catalogs: $GITHUB_WORKSPACE
          dest: '"${HOME}/racketdist-current-CS"'
          sudo: never
      - name: Register local packages
        run: |
          raco pkg install -i --auto --no-setup --skip-installed drracket-test drracket-tool-test
          raco pkg update --auto --no-setup drracket drracket-test drracket-tool drracket-tool-test drracket-tool-lib drracket-tool-doc drracket-plugin-lib
      - name: Install local packages
        run: raco setup --pkgs drracket drracket-test drracket-tool drracket-tool-test drracket-tool-lib drracket-tool-doc drracket-plugin-lib
      - name: Analyze changed files
        run: xvfb-run racket -l- resyntax/cli analyze --local-git-repository . "origin/${GITHUB_BASE_REF}" --output-as-github-review --output-to-file ./resyntax-review.json
      - name: Upload analysis artifact
        uses: actions/[email protected]
        with:
          name: resyntax-review
          path: resyntax-review.json
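
The header comment's split only holds if no workflow on a privileged trigger ever points a step at the pull request's head commit. The following check for that rule is an added example, not code from this repository or from Resyntax; the function names and both sample workflows are constructed, and the line-based parsing assumes two-space YAML indentation.

```python
import re

# Events that can run with a read-write token and secrets even for fork PRs.
PRIVILEGED = {"pull_request_target", "workflow_run"}
# Expressions that point a step at the pull request's own (untrusted) commit.
PR_HEAD = re.compile(r"github\.event\.(pull_request\.head\.(sha|ref)"
                     r"|workflow_run\.head_(sha|branch))")

def triggers(text):
    """Event names under the top-level `on:` key (block, list or scalar form)."""
    found, in_on = set(), False
    for line in text.splitlines():
        m = re.match(r"on:\s*(.*)$", line)
        if m and m.group(1):
            return set(re.findall(r"\w+", m.group(1)))
        if m:
            in_on = True
        elif in_on and re.match(r"[^\s#]", line):
            break  # the next top-level key closes the `on:` block
        elif in_on and (e := re.match(r"  (\w+):", line)):
            found.add(e.group(1))
    return found

def audit(text):
    """(line number, line) pairs where a privileged workflow uses PR head code."""
    if not triggers(text) & PRIVILEGED:
        return []  # an unprivileged `pull_request` run may build fork code
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
            if not ln.lstrip().startswith("#") and PR_HEAD.search(ln)]

# Constructed samples, not taken from any repository.
ANALYZE = """on:
  pull_request:
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
"""
UNSAFE = """on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

if __name__ == "__main__":
    print(audit(ANALYZE), audit(UNSAFE))
```

An empty result for a `pull_request` workflow such as the one above is expected: it may build fork code because its token is read-only. Any hit in a `pull_request_target` or `workflow_run` workflow deserves manual review.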