AZIP-4 L1 Block Header Access via an L1 Portal #71
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Link AZIP to Discussion | |
| # When an AZIP PR is opened, edited, or resynchronized, this workflow reads | |
| # the AZIP preamble (`azip` number and `discussions-to` URL), then updates | |
| # the referenced GitHub Discussion: | |
| # | |
| # 1. Applies the `has-azip` label. | |
| # 2. Prepends a link to the AZIP PR at the top of the discussion body. | |
| # 3. Prefixes the discussion title with `AZIP-N: `. | |
| # | |
| # Idempotent: re-running makes no change if the discussion is already linked. | |
| # | |
| # Security notes: | |
| # * Uses `pull_request_target` so the workflow can write to discussions for | |
| # PRs opened from forks. To keep this safe we never check out or execute | |
| # PR code. We only read one file (the AZIP markdown) via the API and | |
| # parse it strictly. | |
| # * `discussions-to` values are validated against a strict regex before | |
| # any API call is made. | |
| # * Authenticates as `DISCUSSION_WRITE_TOKEN` (a fine-grained PAT scoped to | |
| # this repo with `discussions: write`) rather than `GITHUB_TOKEN`, because | |
| # org policy caps `GITHUB_TOKEN` to read-only and overrides the workflow | |
| # `permissions:` block. The PAT must be a *fine-grained* token limited to | |
| # this repository — do not use a classic PAT. | |
| on: | |
| pull_request_target: | |
| types: [opened, reopened, synchronize, edited] | |
| paths: | |
| - 'AZIPs/**.md' | |
| workflow_dispatch: | |
| inputs: | |
| pr_number: | |
| description: 'PR number to reprocess' | |
| required: true | |
| type: number | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: link-azip-${{ github.event.pull_request.number || inputs.pr_number }} | |
| cancel-in-progress: false | |
| jobs: | |
| link: | |
| runs-on: ubuntu-latest | |
| env: | |
| GH_TOKEN: ${{ secrets.DISCUSSION_WRITE_TOKEN }} | |
| REPO: ${{ github.repository }} | |
| PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr_number }} | |
| steps: | |
| - name: Checkout workflow scripts only | |
| uses: actions/checkout@v4 | |
| with: | |
| # Always check out the default branch, NOT the PR head or its base | |
| # ref. We only need the script in `.github/scripts/`; PR contents | |
| # are fetched separately via the API and parsed without execution. | |
| # Pinning to the default branch prevents a PR from targeting a base | |
| # branch that carries a historically vulnerable script version. | |
| ref: ${{ github.event.repository.default_branch }} | |
| sparse-checkout: | | |
| .github/scripts | |
| sparse-checkout-cone-mode: false | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Link AZIP PR to discussion | |
| run: python3 .github/scripts/link_azip_to_discussion.py |