Add theme-check action #8170
Add theme-check action #8170
Conversation
| name: WordPress Theme Check | ||
|
|
||
| on: | ||
| pull_request: |
There was a problem hiding this comment.
Using pull_request means that the action won't be able to post comments on PRs created from a fork. A workaround for this is using pull_request_target instead, but we would have to make sure that the audit is free from exploit opportunities before merging, as that event runs with higher permissions.
There was a problem hiding this comment.
I'm not sure what's the way to go around this. I think you researched this before for the playground preview action, right? Could you provide more context, please?
There was a problem hiding this comment.
Yeah, this action looks safe because we are not loading code from outside the YML file. The risk we faced when using pull_request_target earlier came from the fact that the YML file was checking out a file from the same repo, which could potentially be modified by an attacker.
Here's a more in-depth and general explanation: https://github.com/CycodeLabs/raven/blob/main/docs/Pull%20Request%20Injections/README.md#2-pull_request_target--checkout
The real danger arises when such a workflow is combined with checkout action, which checks out code from an incoming, potentially untrusted pull request and then executes scripts or runs commands based on that code.
There was a problem hiding this comment.
Thanks for the context! I think we can merge this PR and research more in case we need forked repos run this action.
.github/workflows/theme-check.yml
Outdated
| docker exec $(docker ps -qf "ancestor=wordpress:php8.2") curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar | ||
| docker exec $(docker ps -qf "ancestor=wordpress:php8.2") chmod +x wp-cli.phar | ||
| docker exec $(docker ps -qf "ancestor=wordpress:php8.2") mv wp-cli.phar /usr/local/bin/wp |
There was a problem hiding this comment.
Could we use @wordpress/env instead? I tested the theme-check cli integration using npx @wordpress/env run cli
There was a problem hiding this comment.
Yes, that is good suggestion; I replaced the plain docker definition by the use the @wordpress/env. The code looks a bit simpler now. 2840740
👍 Yes, implemented that here: 6f61618 |
Changes proposed in this Pull Request:
Add a theme-check github action that runs theme-check plugin checks on the themes that were modified in a particular PR. The action post their reports as a comment.
It's using the theme-check wp-cli from this PR until it's merged.
I created a demo repo to test it.
Screenshot
The action should post a message like this: