carpentries / actions

GitHub Actions for use in Carpentries-style lessons

check-valid-pr: Include commit invalidation parameter; update messaging #50

Closed zkamvar closed 2 years ago

zkamvar commented 2 years ago

For the Beta Phase of The Carpentries Workbench, we are going to be running repositories through git-filter-repo.

In short, this means that history will be rewritten and anyone who has previously forked a repo will need to delete the fork and re-fork if they want to contribute.

The challenge is that when people try to fix their forks, they can end up with a history that is interwoven with commits from styles that we have removed in git-filter-repo, and this will appear as a pull request with hundreds of irrelevant commits, even for a small one-line change.

This PR does a few things:

  1. It adds a parameter to the check-valid-pr action called invalid-hash, which will take in a hash that should not exist in the fork.
  2. It adds an output parameter MSG that will contain markdown-formatted information for a comment.
  3. It provides clear errors/warnings and notes for different levels of caution in the validation steps.

**Examples of pull request comments**

## :ok: Pre-flight checks passed :smiley:

This pull request has been checked and contains no modified workflow files, spoofing, or invalid commits.

It should be safe to **Approve and Run** the workflows that need maintainer approval.

---

## :information_source: Modified Workflows

This pull request contains modified workflow files and no preview will be created.

Workflow files modified:

- .github/workflows/pkgdown.yaml

**If this is not from a trusted source, please inspect the changes for any malicious content.**

---

## :warning: WARNING :warning:

This pull request contains a mix of workflow files and regular files. **This could be malicious.**

regular files:

- tools/convertversion.sh

workflow files:

- .github/workflows/pkgdown.yaml

---

## :x: DANGER :x:

### DO NOT MERGE THIS PULL REQUEST

The fork [zkamvar/laughing-winner@zkamvar-patch-4](https://github.com/zkamvar/laughing-winner/tree/zkamvar-patch-4) has divergent history and contains an invalid commit ([6d0c122455837d4339e486140377d71701344e51](https://github.com/zkamvar/laughing-winner/tree/6d0c122455837d4339e486140377d71701344e51)).

### For the Pull Request Author

@zkamvar, if you want to contribute your changes, **you must [delete your fork](https://docs.github.com/en/repositories/creating-and-managing-repositories/deleting-a-repository)** and re-fork this repository.

---

I've also tested this using a workflow that runs on pull_request_target, which cannot be modified by a pull request, so there is no danger of spoofing.

In a perfect world, I would be able to use e83e2c9bdeb259fcb7b12ae21da8f6eac8ff34a4 as the expected hash, but we don't live in a perfect world, and there are lessons that were generated using the remote themes template, and there were lessons like the R-ecology-lesson which did have that hash once upon a time (which GitHub gladly returns), but moved to an independent sort of build.

I have begun including these in https://files.carpentries.org/invalid-hashes.json so they can be queried with the repository name. NOTE: this may not be the most reliable setup due to CDN propagation 😬
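
The triage that the example comments above imply, as an added sketch that is not part of this pull request or the action's own code. The function name, its inputs, the shortened message text and the rule that an invalid commit outranks file-level findings are assumptions; `.github/workflows/` is where GitHub reads workflow files from.

```python
import re

WORKFLOW_DIR = ".github/workflows/"
FULL_SHA1 = re.compile(r"[0-9a-f]{40}")

def bullets(files):
    return "\n".join(f"- {f}" for f in files)

def classify_pr(changed_files, fork_commits, invalid_hash=""):
    """Return (level, markdown message) for a pull request.

    changed_files: repository-relative paths touched by the PR
    fork_commits:  full SHAs reachable from the fork's head
    invalid_hash:  commit that must not be in that history ("" skips the check)
    """
    invalid_hash = invalid_hash.strip().lower()
    if invalid_hash and not FULL_SHA1.fullmatch(invalid_hash):
        raise ValueError("invalid_hash must be a full 40-character SHA-1")
    history = {c.strip().lower() for c in fork_commits}
    # Assumed precedence: an invalid commit outranks any file-level finding.
    if invalid_hash and invalid_hash in history:
        return "danger", ("## :x: DANGER :x:\n\n### DO NOT MERGE THIS PULL REQUEST\n\n"
                          f"The fork contains an invalid commit ({invalid_hash}).")
    workflows = sorted(f for f in changed_files if f.startswith(WORKFLOW_DIR))
    regular = sorted(f for f in changed_files if not f.startswith(WORKFLOW_DIR))
    if workflows and regular:
        return "warning", ("## :warning: WARNING :warning:\n\n"
                           "This pull request contains a mix of workflow files and "
                           "regular files. **This could be malicious.**\n\n"
                           f"regular files:\n\n{bullets(regular)}\n\n"
                           f"workflow files:\n\n{bullets(workflows)}")
    if workflows:
        return "info", ("## :information_source: Modified Workflows\n\n"
                        f"Workflow files modified:\n\n{bullets(workflows)}")
    return "ok", "## :ok: Pre-flight checks passed :smiley:"

if __name__ == "__main__":
    # Constructed inputs; the hash is the one shown in the example comment above.
    bad = "6d0c122455837d4339e486140377d71701344e51"
    cases = [
        (["episodes/intro.md"], ["a" * 40], bad),
        ([".github/workflows/pkgdown.yaml"], ["a" * 40], bad),
        ([".github/workflows/pkgdown.yaml", "tools/convertversion.sh"], ["a" * 40], bad),
        (["episodes/intro.md"], ["a" * 40, bad], bad),
    ]
    for files, commits, invalid in cases:
        level, msg = classify_pr(files, commits, invalid)
        print(level, "->", msg.splitlines()[0])
```
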