mscharley / dependency-changesets-action

GitHub Action to publish changesets to dependency update PRs
MIT License

Feature: Generate a changeset that conforms to prettier settings #188

Open secustor opened 3 months ago

secustor commented 3 months ago

I use prettier to prettify my markdown and source code files, which clashes with the generated changeset files.

Ideally we can provide a number of commands which are run between changeset generation and pushing. I see multiple ways to achieve this:

My workaround currently is to simply ignore .changeset/

mscharley commented 3 months ago

Running commands is out of the question since this action doesn't check out the repo at all and that's by design as a security consideration - this means that any custom command you might want to run won't be available.

I'd definitely be up for making sure the generated files meet prettier standards though, do you have some examples of the kind of thing that prettier complains about?

secustor commented 3 months ago

Though this can be done outside of the action but in the same workflow, which is fine by me. 🤷

Not sure what exactly prettier complains about. Looks like the issue is the double quotations though:

mscharley commented 3 months ago

Have a look through the security notes in the README, especially the article by GitHub. It's strongly recommended to not do a checkout in a pull_request_target workflow.

Regarding prettier though, I can definitely pull the prettier config and do my best to honour the quotes configuration. To be completely honest though, adding the .changeset folder to the ignore file sounds reasonable to me. They're machine-generated files intended to be consumed by machines (the changeset CLI in both cases). They aren't really intended to be interacted with directly by a person.

secustor commented 3 months ago

I did not mean to check out the code but rather to bake the logic into the workflow definition, but definitely a good read.

Not necessary IMO, as you say ignoring them is fine, especially if the only problem is the quote types.
My thought was rather about cases where people want to inject text into the changesets.
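
The recommendation discussed in this thread (no checkout in a pull_request_target workflow) can be checked mechanically. The following is an added example, not part of the original discussion or the project's code: a line-based audit that flags `actions/checkout` steps in workflows triggered by `pull_request_target` and marks those whose step references the PR head. Both sample workflows are constructed, the action version is a placeholder, and the function and message names are hypothetical.

```python
import re
# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npx prettier --write .changeset/
"""
NO_CHECKOUT = """\
on: [pull_request_target]
jobs:
  changeset:
    runs-on: ubuntu-latest
    steps:
      # - uses: actions/checkout@v4   (deliberately disabled)
      - uses: mscharley/dependency-changesets-action@PLACEHOLDER_VERSION
"""

COMMENT = re.compile(r"(^|\s)#.*$")  # line-based heuristic, not a full YAML parser
CHECKOUT = re.compile(r"^(\s*(?:-\s+)?)uses:\s*['\"]?actions/checkout@")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.|github\.head_ref")

def audit_workflow(text):
    """Return (line_no, message) for each actions/checkout step in a pull_request_target workflow."""
    lines = [COMMENT.sub("", l) for l in text.splitlines()]
    if not any(re.search(r"\bpull_request_target\b", l) for l in lines):
        return []  # trigger not used, nothing to report
    findings = []
    for i, line in enumerate(lines):
        m = CHECKOUT.match(line)
        if not m:
            continue
        col = len(m.group(1))  # column where this step's keys start
        step = [line]
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < col:
                break  # dedent: the next step or job begins here
            step.append(nxt)
        head = any(HEAD_REF.search(s) for s in step)
        findings.append((i + 1, "checks out PR head code" if head else "checkout in privileged workflow"))
    return findings

if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(NO_CHECKOUT))
```

Because the check works on text rather than parsed YAML, treat a clean result as a first pass and review unusual workflow layouts by hand.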