TurboWarp · GarboMuffin · Dec 27, 2024 · Dec 27, 2024 · Dec 27, 2024 · Dec 27, 2024
diff --git a/.github/workflows/format-pr.yml b/.github/workflows/format-pr.yml
@@ -2,19 +2,23 @@ name: Format pull request
 
 on:
   workflow_dispatch:
+  issue_comment:
+    types: [created]
 
 jobs:
-  format:
+  # Handling workflow_dispatch is simple. Just checkout whatever branch it was run on.
+  # The workflow will run in that repository's context and thus can safely get write permissions.
+  manual-dispatch:
     runs-on: ubuntu-latest
-
+    if: github.event_name == 'workflow_dispatch'
     permissions:
       contents: write
-
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
-          # Credentials needed for pushing changes at the end
+          # Credentials needed for pushing changes at the end.
+          # This is already the default, but for safety we are being explicit about this.
           persist-credentials: true
       - name: Install Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
@@ -29,6 +33,79 @@ jobs:
           git config --global user.name "$GITHUB_ACTOR"
           git config --global user.email "[email protected]"
           git stage .
-          git commit --author "format-pr-bot <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit"
+          git commit --author "DangoCat[bot] <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit"
       - name: Push
         run: git push
+
+  # Comments are more complicated because the action runs in the context of TurboWarp/extensions but
+  # we are processing content from the possibly malicious pull request. We break this into two
+  # separate jobs.
+  # The first job downloads the pull request, formats it, and uploads the new files to an artifact.
+  # Important to have no permissions for this because the code can't be trusted.
+  comment-format-untrusted:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '!format')
+    permissions: {}
+    steps:
+      - name: Checkout upstream
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          repository: TurboWarp/extensions
+          persist-credentials: false
+      - name: Checkout pull request
+        run: gh pr checkout "$PR_NUM"
+        env:
+          PR_NUM: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ github.token }}
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+        with:
+          node-version: 20.x
+      - name: Install dependencies
+        run: npm ci
+      - name: Format
+        run: npm run format
+      - name: Upload formatted code
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
+        with:
+          name: comment-format-untrusted-artifact
+          path: extensions/
+          if-no-files-found: error
+          retention-days: 7
+
+  # Second job downloads the artifact, extracts it, and pushes it.
+  comment-push:
+    runs-on: ubuntu-latest
+    needs: comment-format-untrusted
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout upstream
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          repository: TurboWarp/extensions
+          # Credentials needed at the end to do the push.
+          persist-credentials: true
+      - name: Checkout pull request
+        run: gh pr checkout "$PR_NUM"
+        env:
+          PR_NUM: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ github.token }}
+      - name: Download formatted code
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+        with:
+          name: comment-format-untrusted-artifact
+          path: extensions
+      - name: Commit
+        run: |
+          git config --global user.name "$GITHUB_ACTOR"
+          git config --global user.email "[email protected]"
+          git stage .
+          git commit --author "DangoCat[bot] <[email protected]>" -m "[Automated] Format code" || echo "No changes to commit"
+      - name: Push
+        run: git push
+        # Explicitly set push.default to upstream, otherwise by default git might complain about us being on a
+        # branch called "DangoCat/master" but the corresponding branch on remote "DangoCat" is just "master".
+        run: |
+          git config --global push.default upstream
+          git push