Description
What
This issue proposes to fix pull requests automatically by autofix.ci. https://autofix.ci
What's autofix.ci?
https://autofix.ci
https://github.com/autofix-ci/action
autofix.ci is a GitHub App and GitHub Action to fix code via CI securely.
In general, GitHub Actions triggered by pull requests from forks don't have write permission and can't access secrets, so it's hard to fix code and push commits.
To do that, you need to trigger workflows via pull_request_target or workflow_run events, but they have security risks.
autofix.ci can push commits via pull_request events and it's designed securely.
Why?
We want to format Go code by gofumpt automatically. #982 (comment)
And we also want to fix go.mod and go.sum by go mod tidy.
autofix.ci allows us to achieve this securely.
Example usage of autofix.ci
I've written example code to format changed files by gofumpt using autofix.ci:
- https://github.com/suzuki-shunsuke/test-autofix-ci/blob/e2f0526bfcc1bed3b5f5d20c6d6ddecd735e77cf/.github/workflows/test.yaml
- szksh-lab-2/test-autofix-ci@e2f0526
Tasks
- Install GitHub App autofix.ci. https://github.com/marketplace/autofix-ci
- Add a GitHub Actions Workflow ci: format Go code by autofix.ci #991
Alternatives
1. Check if code is fixed in CI <= We need to fix code manually
2. Format code by pull_request_target
3. Format code by workflow_run

About 2 and 3, they have a security concern that malicious code can't be run via pull requests from forks.
Note
We need to install a GitHub App and trust it.
To understand autofix.ci, maybe these issues are helpful.
- Why does this app need permissions actions:write, and checks:write? autofix-ci/action#19
- Why does this action restrict the workflow name to autofix.ci? autofix-ci/action#20
What do you think about this?
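
Added example, not part of the issue and not code from autofix.ci or this project: a heuristic Python check for alternatives 2 and 3 above, flagging workflow files that declare `pull_request_target` or `workflow_run` and also check out a ref controlled by the pull request author. The function names and both sample workflows are constructed for illustration, and the matching is text-based (an assumption, not a YAML parser).

```python
import re

# Events that run with the base repository's token and secrets.
PRIVILEGED_EVENTS = {"pull_request_target", "workflow_run"}
# Expressions that resolve to a ref controlled by the pull request author.
UNTRUSTED_REF = re.compile(
    r"github\.event\.(pull_request\.head\.(sha|ref)|workflow_run\.head_(sha|branch))")

def declared_events(text):
    """Collect the words under the top-level `on:` key (heuristic, not a YAML parser)."""
    block, inside = [], False
    for line in text.splitlines():
        if re.match(r"on\s*:", line):
            inside = True
            block.append(line.split(":", 1)[1])
        elif inside and (not line.strip() or line[0] in " \t-"):
            block.append(line)  # still inside the indented `on:` block
        elif inside:
            break  # next top-level key ends the block
    return set(re.findall(r"[a-z_]+", "\n".join(block)))

def audit(text):
    """Return a list of findings for the text of one workflow file."""
    # Drop YAML comments so a commented-out trigger is not reported.
    text = "\n".join(re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines())
    events = declared_events(text)
    findings = [f"privileged trigger: {e}" for e in sorted(events & PRIVILEGED_EVENTS)]
    if findings and UNTRUSTED_REF.search(text):
        findings.append("checks out a ref controlled by the pull request author")
    return findings

# Constructed sample workflows, not taken from any repository.
RISKY = """\
name: format
on:
  pull_request_target:
jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: gofumpt -l -w .
"""
SAFE = "name: autofix.ci\non: pull_request\njobs: {}\n"

if __name__ == "__main__":
    print(audit(RISKY), audit(SAFE))
```

A workflow with a privileged trigger but no untrusted checkout is still reported, with the trigger finding only, so it can be reviewed by hand.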