feat(spec render): Add first pass of rendered specs #30
Workflow file for this run
```yaml
# Stub workflow — A copy of this workflow must live on the default branch (3.0) so that the pull_request_target
# event can trigger it with access to secrets. It then delegates all real work to the reusable template on
# tomls/base/main, which has the scripts, prompts, and agent definitions.
#
# This two-stage design lets fork PRs trigger the review safely: the stub runs in the
# context of the default branch (with secret access), but the template checks out only
# .spec files (data) from the PR head — never executable code.
#
# A stub is needed because pull_request_target workflows always run in the context of the default branch, so they can't
# directly use a reusable workflow from the PR head (which would be a security risk since untrusted code could leak
# the secrets). By having the stub on the default branch, we can safely ensure only the trusted reusable workflow from
# the base is used, while still allowing the PR head to provide the .spec files as data input.
name: Spec Review

# pull_request_target is required here: we need secret access (COPILOT_TOKEN) to run the
# spec review agent on fork PRs. The stub itself runs NO code from the PR — it only
# delegates to a trusted reusable workflow pinned to tomls/base/main, which sparse-checks
# out only .spec data files (never executable code) from the PR head.
on: # zizmor: ignore[dangerous-triggers]
  pull_request_target:
    # Only trigger on PRs targeting the toml base branch which modify .spec files. We do
    # not want to affect PRs targeting other branches.
    branches:
      - tomls/base/main
    paths:
      - '**/*.spec'

permissions: {}

concurrency:
  group: spec-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  review:
    # Prevent forks from running a stale/vulnerable copy of this stub with Actions enabled
    if: github.repository == 'microsoft/azurelinux'
    # Intentionally branch-pinned to our own repo so the
    # reusable workflow picks up prompt/script/agent updates automatically.
    uses: microsoft/azurelinux/.github/workflows/spec-review.yml@tomls/base/main # zizmor: ignore[unpinned-uses]
    permissions:
      contents: read
      pull-requests: write # Post review comments and inline annotations on PRs
    with:
      pr-head-sha: ${{ github.event.pull_request.head.sha }}
      pr-head-repo: ${{ github.event.pull_request.head.repo.full_name }}
      pr-number: ${{ github.event.pull_request.number }}
      repo: ${{ github.repository }}
      scripts-ref: tomls/base/main
    secrets:
      COPILOT_TOKEN: ${{ secrets.COPILOT_TOKEN }}
```
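The stub above only makes sense together with the second stage it delegates to: a reusable workflow that takes the trusted scripts from the base ref and only `.spec` files, by exact SHA, from the PR head. The following is an added illustration of what that second stage has to do to uphold the "data, never executable code" guarantee the comments describe. It is not the project's `spec-review.yml` (that file is not on this page); the `workflow_call` inputs mirror the names the stub passes, but the job layout, the `review-specs.sh` script path and the guard step are assumptions made for the example.

```yaml
# Added illustration of the trusted second stage; NOT microsoft/azurelinux's spec-review.yml.
# Input names match what the stub passes; everything else below is assumed for the example.
name: Spec Review (reusable, illustrative)

on:
  workflow_call:
    inputs:
      pr-head-sha:   { required: true, type: string }  # exact commit, not a branch name
      pr-head-repo:  { required: true, type: string }  # may be a fork
      pr-number:     { required: true, type: number }
      repo:          { required: true, type: string }  # trusted repo for scripts/prompts
      scripts-ref:   { required: true, type: string }  # e.g. tomls/base/main
    secrets:
      COPILOT_TOKEN: { required: true }

permissions: {}

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Trusted side: scripts, prompts and agent definitions come from the base ref
      # of the trusted repo, never from the PR head. No token is left on disk.
      - name: Check out trusted scripts from the base ref
        uses: actions/checkout@v4 # pin to a commit SHA in production
        with:
          repository: ${{ inputs.repo }}
          ref: ${{ inputs.scripts-ref }}
          path: base
          persist-credentials: false

      # Untrusted side: only *.spec files from the PR head, checked out by SHA into a
      # separate directory. Glob patterns need non-cone mode; nothing here is executed.
      - name: Sparse-check out .spec files from the PR head
        uses: actions/checkout@v4 # pin to a commit SHA in production
        with:
          repository: ${{ inputs.pr-head-repo }}
          ref: ${{ inputs.pr-head-sha }}
          path: pr
          sparse-checkout: |
            **/*.spec
          sparse-checkout-cone-mode: false
          persist-credentials: false

      # Defense in depth: fail closed if the sparse checkout ever yields anything
      # other than .spec files (e.g. a pattern or checkout-action regression).
      - name: Verify the PR checkout contains only .spec files
        run: |
          set -euo pipefail
          extra=$(find pr -type f -not -path 'pr/.git/*' -not -name '*.spec')
          if [ -n "$extra" ]; then
            echo "Unexpected non-.spec files in PR checkout:" >&2
            echo "$extra" >&2
            exit 1
          fi

      # The secret is exposed only to the trusted script, which reads the PR's
      # .spec files as input. (Script name/path is hypothetical.)
      - name: Run the spec review agent
        env:
          COPILOT_TOKEN: ${{ secrets.COPILOT_TOKEN }}
          PR_NUMBER: ${{ inputs.pr-number }}
          PR_REPO: ${{ inputs.pr-head-repo }}
        run: base/.github/scripts/review-specs.sh pr
```

Two properties carry the security argument: the PR head is fetched by `pr-head-sha`, so a force-push after approval cannot swap the content, and `persist-credentials: false` on both checkouts keeps the job token out of the working trees. The `.spec` files remain untrusted input to whatever consumes them, so the review script should treat their contents strictly as data to be analyzed, not as instructions, and the `pull-requests: write` grant should be scoped to posting review comments.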