Skip to content

Delete .github/workflows/call-synchronize-to-dtk6.yml #533

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zccrs merged 1 commit into from
Jan 20, 2026
Merged

Delete .github/workflows/call-synchronize-to-dtk6.yml #533

zccrs merged 1 commit into from
Jan 20, 2026

Conversation

@asterwyx
Copy link
Contributor

@asterwyx asterwyx commented Jan 20, 2026

No description provided.

@asterwyx
chore: delete workflow call-synchronize-to-dtk6
48f0ed6 
Synchronizing is no more needed.
@deepin-ci-robot
Copy link
Contributor

deepin-ci-robot commented Jan 20, 2026

deepin pr auto review

这段代码是一个被删除的 GitHub Actions 工作流配置文件。以下是对该文件的详细审查和改进建议:

1. 语法逻辑

  • 语法结构正确,符合 GitHub Actions YAML 格式规范
  • 触发条件 pull_request_target 使用正确
  • 参数传递格式正确

2. 代码质量

  • 命名规范:工作流名称 Call synchronize to dtk6 应改为更规范的 Call Synchronize to DTK6(首字母大写)
  • 路径过滤paths-ignore 列表清晰,但建议添加注释说明忽略这些路径的原因
  • 硬编码问题dest_repo: linuxdeepin/dtk6core 是硬编码的,建议考虑使用环境变量或配置文件

3. 代码性能

  • 路径过滤优化:当前使用 paths-ignore 会忽略特定路径,但可能需要确认是否需要添加 paths 来明确指定需要处理的路径
  • 工作流调用:使用 uses 调用外部工作流是合理的,但需要确保被调用的工作流是高效的

4. 代码安全

  • secrets: inherit:使用 inherit 传递所有密钥可能存在安全风险,建议明确指定需要传递的密钥
  • pull_request_target:使用此事件需要谨慎,因为它会以仓库写入权限运行。建议:
    • 添加 permissions 限制
    • 验证 PR 来源是否可信
    • 考虑添加 PR 作者白名单

改进建议代码:

name: Call Synchronize to DTK6
on:
  pull_request_target:
    # 忽略打包相关路径的变更
    paths-ignore:
      - "debian/**"
      - "archlinux/**"
      - "rpm/**"
      - ".obs/**"
      - ".github/**"

permissions:
  contents: write
  pull-requests: write

jobs:
  call-synchronize:
    uses: linuxdeepin/dtk/.github/workflows/synchronize-to-dtk6.yml@master
    # 明确指定需要的密钥,而不是继承所有
    secrets:
      PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
      # 其他需要的密钥...
    with:
      dest_repo: linuxdeepin/dtk6core
      source_repo: ${{ github.event.pull_request.head.repo.full_name }}
      source_ref: ${{ github.event.pull_request.head.ref }}
      pull_number: ${{ github.event.pull_request.number }}

其他建议:

  1. 考虑添加工作流文档,说明其用途和工作原理
  2. 可以添加 concurrency 控制来防止多个工作流实例同时运行
  3. 考虑添加工作流状态检查,确保同步操作成功
  4. 建议在被调用的工作流中添加适当的日志记录和错误处理

安全补充建议:

# 在 job 开始前添加验证步骤
- name: Verify PR author
  run: |
    ALLOWED_AUTHORS=("user1" "user2" "user3")
    if [[ ! " ${ALLOWED_AUTHORS[@]} " =~ " ${GITHUB_ACTOR} " ]]; then
      echo "PR author $GITHUB_ACTOR is not allowed to trigger this workflow"
      exit 1
    fi

这些改进可以提高代码的可读性、安全性和可维护性。

@deepin-ci-robot
Copy link
Contributor

deepin-ci-robot commented Jan 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: asterwyx, zccrs

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@zccrs zccrs merged commit d0b66f5 into master Jan 20, 2026
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zccrs zccrs zccrs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@asterwyx @deepin-ci-robot @zccrs