ci: Throw clear error when autogenerated parts list is not updated #542
Achllle wants to merge 1 commit into nasa-jpl:master from
Before, the int128/update-generated-files-action would attempt to push, but GitHub doesn't allow the action to run on forks for security reasons. The action will still work on direct pushes.

Signed-off-by: achille <achille.verheye@gmail.com>
Pull request overview
This PR updates the parts-list generation workflow to avoid attempting auto-push behavior on fork-based PRs and instead fail fast with a clear error when generated content is stale.
Changes:
- Add a pull-request-only check that fails with an explicit error if parts_list/README.md is not up to date after regeneration.
- Keep auto-commit behavior for direct pushes to master/v2 via int128/update-generated-files-action@v2.
| # On pull requests: check the generated file is up to date and fail with a clear message if not | ||
| - name: Check for outdated generated files | ||
| if: github.event_name == 'pull_request' | ||
| run: | |
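Review bot: the `if: github.event_name == 'pull_request'` guard on the "Check for outdated generated files" step matches every pull request, including ones opened from branches inside this repository, not only fork PRs. The step's leading comment should say whether same-repository PRs are meant to fail on a stale list as well, and that contributors are expected to commit the regenerated file themselves. The body under `run: |` is not visible here, so the error text itself could not be checked.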
This workflow grants contents: write / pull-requests: write at the job level even for pull_request runs, where untrusted PR code (e.g., parts_list/csv_to_md.py) is executed. The PR check step doesn’t need write permissions, so this unnecessarily increases the blast radius if a PR modifies the script. Consider splitting into separate jobs (PR job with contents: read, push job with contents: write) or otherwise reducing permissions for the PR path.