Harden Forgejo CI: disable untrusted PR runs on self-hosted runner #68
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main, dev, release/*, feature/*] | |
| pull_request: | |
| branches: [main, dev, release/*] | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| check: | |
| name: Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| run: | | |
| rm -rf .git | |
| git init . | |
| git remote add origin "https://x-access-token:${{ github.token }}@github.com/${{ github.repository }}.git" | |
| git fetch --depth=1 origin "${{ github.sha }}" | |
| git checkout --detach FETCH_HEAD | |
| - name: Install Rust | |
| run: | | |
| curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable | |
| echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
| - name: Verify assets are up to date | |
| run: | | |
| make clean | |
| make assets | |
| git diff --exit-code static/sf/sf.css static/sf/sf.js static/sf/sf.*.css static/sf/sf.*.js | |
| - name: Check formatting | |
| run: cargo fmt --all -- --check | |
| - name: Run clippy | |
| run: cargo clippy --all-targets -- -D warnings | |
| - name: Build | |
| run: cargo build | |
| - name: Run tests | |
| run: | | |
| cargo test | |
| node --test tests/*.test.js | |
| - name: Verify package contents | |
| run: ./scripts/verify-package.sh |