Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 6 additions & 5 deletions .github/workflows/pr-policy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,15 +24,16 @@ jobs:
if: github.event_name == 'merge_group'
run: echo "PR metadata was validated before merge-queue entry."

# pull_request_target runs trusted base-branch code. Checkout the current
# tip of the base branch (not a potentially stale base.sha) so the policy
# script is always available even when the PR was opened before the script
# was added to main. Never execute the PR head or persist credentials.
# pull_request_target runs trusted workflow-revision code. Checkout
# github.workflow_sha (not a moving base_ref tip, and not a potentially
# stale pull_request.base.sha from an older PR) so the policy script is
# always the exact revision that triggered this run. Never execute the PR
# head or persist credentials.
- name: Checkout trusted policy
if: github.event_name == 'pull_request_target'
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.base_ref }}
ref: ${{ github.workflow_sha }}
persist-credentials: false

- name: Validate pull request evidence
Expand Down
16 changes: 16 additions & 0 deletions scripts/pr-policy.mjs
Original file line number Diff line number Diff line change
Expand Up @@ -257,6 +257,22 @@ function selfTest() {
const template = readFileSync(new URL("../.github/pull_request_template.md", import.meta.url), "utf8");
for (const item of requiredClinicalGovernanceItems)
assert.match(template, new RegExp(`- \\[ \\] ${item.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}`));
const workflow = readFileSync(new URL("../.github/workflows/pr-policy.yml", import.meta.url), "utf8");
assert.match(
workflow,
/ref:\s*\$\{\{\s*github\.workflow_sha\s*\}\}/,
"PR policy workflow must checkout github.workflow_sha for a deterministic trusted tree.",
);
assert.doesNotMatch(
workflow,
/ref:\s*\$\{\{\s*github\.base_ref\s*\}\}/,
"PR policy workflow must not checkout the moving base branch ref.",
);
assert.doesNotMatch(
workflow,
/ref:\s*\$\{\{\s*github\.event\.pull_request\.base\.sha\s*\}\}/,
"PR policy workflow must not checkout a potentially stale pull_request.base.sha.",
);
console.error("[pr-policy] self-test passed");
}

Expand Down