Adds security checks for PRs (#1503)

* Update lint.yml * Build and e2e on PRs * Adds security checks for PRs
2022-01-13 12:37:34 -07:00 · 2022-01-13 12:37:34 -07:00 · f8c036164c
commit f8c036164c
parent 67bcbfd75a
3 changed files with 58 additions and 37 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -1,17 +1,22 @@
 name: Build
 on:
-  push:
-    branches:
-      - main
-      - staging
-  pull_request:
+  pull_request_target:
    branches:
      - main
 jobs:
+  approve:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Approve
+        run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
+
  build:
+    needs: [approve] # Require the first step to finish
    timeout-minutes: 5
    name: Build on Node ${{ matrix.node }} and ${{ matrix.os }}
-
+    environment:
+      name: Preview
    env:
      DATABASE_URL: postgresql://postgres:@localhost:5432/calendso
      NODE_ENV: test
@ -35,6 +40,9 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 2

      - name: Use Node ${{ matrix.node }}
        uses: actions/setup-node@v1
@ -57,28 +65,3 @@ jobs:
      - run: yarn prisma migrate deploy
      - run: yarn test
      - run: yarn build
-
-  types:
-    name: Check types
-
-    strategy:
-      matrix:
-        node: ["14.x"]
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
-
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Use Node ${{ matrix.node }}
-        uses: actions/setup-node@v1
-        with:
-          node-version: ${{ matrix.node }}
-
-      - name: Install deps
-        uses: bahmutov/npm-install@v1
-
-      - run: yarn check-changed-files
--- a/.github/workflows/check-types.yml
+++ b/.github/workflows/check-types.yml
@ -0,0 +1,30 @@
+name: Check types
+on:
+  pull_request:
+    branches:
+      - main
+jobs:
+  types:
+    name: Check types
+
+    strategy:
+      matrix:
+        node: ["14.x"]
+        os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Use Node ${{ matrix.node }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node }}
+
+      - name: Install deps
+        uses: bahmutov/npm-install@v1
+
+      - run: yarn check-changed-files
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@ -1,17 +1,22 @@
 name: E2E test
 on:
-  push:
-    branches:
-      - main
-      - staging
-  pull_request:
+  pull_request_target:
    branches:
      - main
 jobs:
+  approve:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Approve
+        run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
+
  test:
    timeout-minutes: 10
    name: ${{ matrix.node }} and ${{ matrix.os }}
-
+    needs: [approve] # Require the first step to finish
+    environment:
+      name: Preview
    env:
      DATABASE_URL: postgresql://postgres:@localhost:5432/calendso
      BASE_URL: http://localhost:3000
@ -52,6 +57,9 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 2

      - name: Use Node ${{ matrix.node }}
        uses: actions/setup-node@v1