[ci] Consolidate Verible linting workflow into one stage

Running the verible linter and adding review comments to the pull request previously had to be done in two stages: 1. Triggered on the pull request - prepare config and waiver files as artifacts. 2. Running on the repo's HEAD - run Verible and add review comments. This was required because Actions running in the context of the pull request did not have write permissions to add comments to pull requests. This is now possible with the `pull_request_target` event, which triggers when pull requests change, but runs in the context of the repo's HEAD and has the permissions to create comments. See lowRISC/ibex#1427 and chipsalliance/verible-linter-action#31 for details. Signed-off-by: James Wainwright <james.wainwright@lowrisc.org>
2025-04-20 11:57:12 -04:00 · 2023-07-20 11:36:15 +01:00 · 2023-07-20 11:36:15 +01:00 · 1eb0beafa5
commit 1eb0beafa5
parent 06df66452f
2 changed files with 29 additions and 58 deletions
--- a/.github/workflows/pr_lint_review.yml
+++ b/.github/workflows/pr_lint_review.yml
@ -1,49 +1,45 @@
 # Copyright lowRISC contributors.
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
+
+# GitHub Action to run Verible linting on pull requests and add review comments.
+#
+# See https://github.com/chipsalliance/verible-linter-action.
+
 name: pr-lint-review

+# Triggers when there is any activity on a pull request, e.g. opened, updated.
+#
+# The action runs in the context of the _base_ of the pull request, but later we
+# checkout the repository at the pull request's HEAD to run linting.
 on:
-  workflow_run:
-    workflows: ["pr-trigger"]
-    types:
-      - completed
+  pull_request_target:

 jobs:
-  review_triggered:
+  verible-lint:
    runs-on: ubuntu-latest
+    # Grant write permissions only for setting checks and adding review comments
+    # to pull requests.
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
+    env:
+      verible_config: 'vendor/lowrisc_ip/lint/tools/veriblelint/lowrisc-styleguide.rules.verible_lint'
    steps:
-      - uses: actions/checkout@v2
-
-      # this workflow does not run in a PR context
-      # download 'event.json' file from a PR-tiggered workflow
-      # to mock the PR context and make a review
-      - name: 'Download artifact'
-        id: get-artifacts
-        uses: actions/github-script@v3.1.0
+      - uses: actions/checkout@v3
        with:
-          script: |
-            var artifacts = await github.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: ${{github.event.workflow_run.id }},
-            });
-            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "event.json"
-            })[0];
-            var download = await github.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            var fs = require('fs');
-            fs.writeFileSync('${{github.workspace}}/event.json.zip', Buffer.from(download.data));
-      - run: |
-          unzip event.json.zip
+          # Because `pull_request_target` runs at the PR's base, we need to
+          # checkout the head of the PR before running the lint.
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Display Verible config
+        run: |
+          echo "::group::Verible config"
+          cat "$verible_config"
+          echo "::endgroup::"
      - name: Run Verible linter action
        uses: chipsalliance/verible-linter-action@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          suggest_fixes: 'false'
-          config_file: 'vendor/lowrisc_ip/lint/tools/veriblelint/lowrisc-styleguide.rules.verible_lint'
+          config_file: ${{ env.verible_config }}
--- a/.github/workflows/pr_trigger.yml
+++ b/.github/workflows/pr_trigger.yml
@ -1,25 +0,0 @@
-# Copyright lowRISC contributors.
-# Licensed under the Apache License, Version 2.0, see LICENSE for details.
-# SPDX-License-Identifier: Apache-2.0
-name: pr-trigger
-
-on:
-  pull_request:
-
-jobs:
-  upload:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Copy event file
-        run: cp "$GITHUB_EVENT_PATH" ./event.json
-
-      # If this workflow is triggered by a PR from a fork
-      # it won't have sufficient access rights to make a review
-      # so we just save the file needed to do the review
-      # in a context with proper access rights
-      - name: Upload event file as artifact
-        uses: actions/upload-artifact@v2
-        with:
-          name: event.json
-          path: event.json