mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-14 18:44:05 +02:00
# Description of Changes Add runner hardening and housekeeping across workflows. - .github/dependabot.yml: add /docker/unoserver and /engine to Dependabot update paths. - .github/workflows/_runner-pick.yml and .github/workflows/build.yml: add step-security/harden-runner (egress-policy: audit) to audit outbound calls from runners. - .github/workflows/ai-engine.yml, .github/workflows/aur-publish.yml, .github/workflows/package-managers.yml: update actions/checkout usage to the newer v6.0.2 reference. - .github/workflows/package-managers.yml: minor YAML formatting tidy (release types array). These changes improve CI security by auditing egress, update the checkout action to a newer release, and expand Dependabot coverage. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have run `task check` to verify linters, typechecks, and tests pass - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#7-testing) for more details.
71 lines
2.2 KiB
YAML
71 lines
2.2 KiB
YAML
name: _runner-pick
|
|
|
|
# Tiny reusable workflow that classifies the trigger as either a "fork PR
|
|
# from an untrusted contributor" or a "trusted commit" so downstream jobs
|
|
# can pick a runner class without each one duplicating the 200-char gate
|
|
# expression in their own `runs-on:`.
|
|
#
|
|
# Caller pattern:
|
|
#
|
|
# jobs:
|
|
# pick:
|
|
# uses: ./.github/workflows/_runner-pick.yml
|
|
#
|
|
# real-work:
|
|
# needs: pick
|
|
# runs-on: ${{ needs.pick.outputs.is_fork == 'true' && 'ubuntu-latest' || 'depot-ubuntu-24.04-8' }}
|
|
# steps: [...]
|
|
#
|
|
# Output:
|
|
# is_fork: "true" when the trigger is a pull_request from a fork or an
|
|
# untrusted author_association, "false" otherwise.
|
|
|
|
on:
|
|
workflow_call:
|
|
outputs:
|
|
is_fork:
|
|
description: '"true" if the trigger is an untrusted fork PR.'
|
|
value: ${{ jobs.pick.outputs.is_fork }}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
pick:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 1
|
|
outputs:
|
|
is_fork: ${{ steps.decide.outputs.is_fork }}
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Classify the trigger
|
|
id: decide
|
|
env:
|
|
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
HEAD_REPO_FORK: ${{ github.event.pull_request.head.repo.fork }}
|
|
AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }}
|
|
run: |
|
|
set -eu
|
|
if [ -z "${PR_NUMBER:-}" ]; then
|
|
# Not a pull_request event at all (push, schedule, workflow_dispatch,
|
|
# workflow_call from a non-PR trigger) -> trusted by default.
|
|
echo "is_fork=false" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
if [ "${HEAD_REPO_FORK}" = "true" ]; then
|
|
echo "is_fork=true" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
case "${AUTHOR_ASSOC}" in
|
|
OWNER|MEMBER|COLLABORATOR)
|
|
echo "is_fork=false" >> "$GITHUB_OUTPUT"
|
|
;;
|
|
*)
|
|
echo "is_fork=true" >> "$GITHUB_OUTPUT"
|
|
;;
|
|
esac
|