refactor(ci): switch to Gitea Actions #20

Merged
luke merged 1 commit from gitea into main 2025-04-10 16:01:18 +02:00
Owner
No description provided.
luke added 1 commit 2025-04-10 15:58:07 +02:00
Gitea Actions
All checks were successful
Validate PR Title / validate (pull_request) Successful in 3s
265390b3ea
luke changed title from Gitea Actions to refactor(ci): switch to Gitea Actions 2025-04-10 15:59:17 +02:00
Member

Decision: Reject
Change Score: 50%

I am rejecting this pull request for the following reasons:

  1. Unacceptable dependency: The workflow uses a third-party action https://git.tainton.uk/actions/conventional-commits-check-action@v1.2.4. Directly using a URL for a GitHub Action is highly discouraged because it lacks version immutability and poses a significant security risk. The action could be modified maliciously without your knowledge.

    Recommendation: Use the standard uses: <owner>/<repo>@<version> format to specify the action. Find the corresponding GitHub repository for https://git.tainton.uk/actions/conventional-commits-check-action and use a specific tag or commit SHA for versioning. This ensures that you are using a known and trusted version of the action. For example, if the repository was tainton-uk/conventional-commits-check-action and you wanted to use tag v1.2.4, the uses line would become uses: tainton-uk/conventional-commits-check-action@v1.2.4. If you want to use a specific commit SHA, which is even more secure, find the SHA on the repository, and use that. For example, uses: tainton-uk/conventional-commits-check-action@a1b2c3d4e5f6....

  2. Missing pull_request_target: The workflow is currently configured to trigger on pull_request events, which, by default, have restricted access to the repository's secrets and Gitea token. This can prevent the action from properly validating the pull request title, especially if the action needs write access (e.g., to add labels or comments).

    Recommendation: If the action needs access to the repository's secrets or the Gitea token with write permissions, you should consider using the pull_request_target event instead. Be aware that pull_request_target carries security implications because it runs in the context of the base branch. Ensure that the action you're using is trustworthy and that you understand the potential risks.

  3. CODEOWNERS file: The CODEOWNERS file simply assigns @luke as the owner for everything. This is not inherently wrong, but it's not helpful. Consider being more specific about what @luke owns, or consider if other code owners are needed.

Correct these issues and resubmit.
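The concrete check behind point 1 of the review, as an added example for this page (not code from the repository, the PR author, or the review bot): a POSIX shell script that flags every `uses:` reference in a workflow file that is not pinned to a full 40-hex commit SHA. One caveat worth recording: Gitea Actions does accept the absolute-URL form of `uses:` that the review objects to, so the URL is not the problem; the mutable part is the `@v1.2.4` tag, which the action's maintainer (or anyone who takes over that repository) can re-point, whereas a commit SHA cannot be moved. Pinning the same URL to a SHA therefore addresses the immutability concern without relocating the action. The sample workflow text is reconstructed from what the PR page shows (the check name `Validate PR Title / validate`, the action URL the review quotes); the job layout, the local helper action and the 40-hex SHA are placeholders, not real values.

```shell
#!/bin/sh
# Audit a Gitea/GitHub Actions workflow file for `uses:` references that are
# not pinned to a full commit SHA. Tags and branches are mutable refs; a
# commit SHA is the only reference the action's author cannot silently move.
# Added example for this review; not part of the repository.

# Print each unpinned `uses:` reference in the file, one per line.
# Local actions (./path) and docker:// images are out of scope here.
list_unpinned() {
    awk '
        { sub(/#.*/, "") }                          # drop YAML comments
        /^[ \t-]*uses:/ {
            ref = $0
            sub(/^[ \t-]*uses:[ \t]*/, "", ref)     # keep the value after the key
            gsub(/["\047]/, "", ref)                # strip optional quotes
            sub(/[ \t].*$/, "", ref)                # and anything after the ref
            if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
            n = split(ref, parts, "@")
            sha = (n > 1) ? parts[n] : ""           # text after the last "@"
            if (!(length(sha) == 40 && sha ~ /^[0-9a-f]+$/)) print ref
        }' "$1"
}

# Return 0 when every reference is SHA-pinned, 1 otherwise (offenders on stderr).
check_pins() {
    out=$(list_unpinned "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | while IFS= read -r ref; do
        printf 'unpinned in %s: %s\n' "$1" "$ref"
    done >&2
    return 1
}

# Constructed sample: the mutable reference the review quotes (job layout assumed).
WF_DIR=$(mktemp -d)
UNPINNED_WF="$WF_DIR/validate-pr-title.yml"
cat > "$UNPINNED_WF" <<'EOF'
name: Validate PR Title
on: [pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: https://git.tainton.uk/actions/conventional-commits-check-action@v1.2.4
EOF

# Same workflow pinned to a commit SHA. The SHA is a placeholder, not the real
# commit; the trailing comment records which tag it was resolved from.
PINNED_WF="$WF_DIR/validate-pr-title-pinned.yml"
cat > "$PINNED_WF" <<'EOF'
name: Validate PR Title
on: [pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.gitea/actions/local-helper   # placeholder local action, not checked
      - uses: https://git.tainton.uk/actions/conventional-commits-check-action@0123456789abcdef0123456789abcdef01234567 # v1.2.4
EOF

for f in "$UNPINNED_WF" "$PINNED_WF"; do
    if check_pins "$f"; then
        echo "ok: $f"
    fi
done
```

Run it over `.gitea/workflows/*.yml` in a pre-commit hook or as its own workflow job; the `# v1.2.4` comment beside the SHA is the convention that keeps the pinned reference reviewable when the tag is later bumped.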

luke merged commit 265390b3ea into main 2025-04-10 16:01:18 +02:00
luke deleted branch gitea 2025-04-10 16:01:19 +02:00

Reference: repos/luketainton.github.io#20