ci: split formal and build to fix posting comments

Separate formal from build so the event trigger can be set to
pull_request_target and fix posting comments. This event allows
workflow to do things like label or comment on pull requests from forks,
but it's not recommended for build jobs due to security implications.

Switch build to workflow_dispatch and trigger it from formal when it
succeeds. Dispatching a workflow requires a fine-grained token, exposed
through FORMAL_TOKEN secret. Since the workflow is no longer running in
a PR context, it needs the PR info passed to it to manually make the
appearance of being tied to said PR by setting run-name, and passing
back individual matrix step statuses manually to the PR with all the
correct info. To that end re-introduce the full build workflow that was
moved to actions for easier testing with the expectation of moving it
back to actions once it's fully tested.

FORMAL_TOKEN requires actions: write permission.

Build workflow can now be triggered from the UI, but it's limited to
repo members.

Fixes: 7658669 ("multi-arch-test-build: post formal summaries to PR")
Link: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
Link: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch
Link: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
Link: https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/
Signed-off-by: George Sapkin <[email protected]>

Author: GeorgeSapkin

.github/workflows/formal.yml

@@ -0,0 +1,65 @@
+name: Test Formalities
+
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  formalities:
+    name: Test Formalities
+    uses: openwrt/actions-shared-workflows/.github/workflows/formal.yml@main
+    with:
+      post_comment: true
+
+  check_formality_status:
+    name: Check Formality Status
+    runs-on: ubuntu-slim
+    needs: formalities
+    if: always()
+
+    steps:
+      - name: Trigger build
+        if: needs.formalities.result == 'success'
+        env:
+          # Token needs actions: write
+          TOKEN: ${{ secrets.FORMAL_TOKEN }}
+          BASE_REF: ${{ github.base_ref }}
+          # Workflow is running in target context, so we need to get head ref
+          # from the event
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          PR_NAME: ${{ github.event.pull_request.title }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          JSON_PAYLOAD=$(jq -n \
+            --arg head_ref "$HEAD_REF" \
+            --arg base_ref "$BASE_REF" \
+            --arg pr_number "$PR_NUMBER" \
+            --arg pr_name "$PR_NAME" \
+            '{ref: $head_ref, inputs: {base_ref: $base_ref, pr_number: $pr_number, pr_name: $pr_name}}')
+
+          curl -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer $TOKEN" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "https://api.github.com/repos/${{ github.repository }}/actions/workflows/multi-arch-test-build.yml/dispatches" \
+            -d "$JSON_PAYLOAD"
+
+      - name: Add 'not following guidelines' label
+        if: needs.formalities.result == 'failure'
+        uses: buildsville/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: "not following guidelines"
+          type: add
+
+      - name: Remove 'not following guidelines' label
+        if: needs.formalities.result == 'success'
+        uses: buildsville/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: "not following guidelines"
+          type: remove

.github/workflows/labeler.yml

@@ -1,21 +1,19 @@
-name: 'Pull Request Labeler'
+name: Labeler
+
 on:
-  - pull_request_target
+  pull_request_target:
 
 permissions:
   contents: read
   pull-requests: write
 
 jobs:
   labeler:
-    permissions:
-      contents: read
-      pull-requests: write
-
-    name: Pull Request Labeler
+    name: Labeler
     runs-on: ubuntu-slim
     steps:
-      - uses: actions/labeler@v6
+      - name: Label pull request
+        uses: actions/labeler@v6
         with:
           repo-token: '${{ secrets.GITHUB_TOKEN }}'
           sync-labels: true