WilderForge · Gamebuster19901 · Jun 6, 2025 · Jun 6, 2025
@@ -4,6 +4,12 @@ on:
   pull_request_review:
     types: [submitted]
 
+permissions:
+  contents: read
+  pull-requests: write
+  actions: write
+  statuses: write
+
 jobs:
   approve_and_run:
     runs-on: ubuntu-latest
@@ -24,29 +30,24 @@ jobs:
         )
       )
     steps:
-      - name: Checking Approval
+      - name: Handle Approved Review
+        if: |
+          github.event.review.state == 'approved' || startsWith(github.event.review.body, 'approved')
         id: "checking_approval"
         run: |
-          DESC="null"
-          if [[ "${{ github.event.review.state }}" == "approved" || "${{ github.event.review.body }}" == approved* ]]; then
-            DESC="${{ github.event.review.user.login }} APPROVED build for ${{ github.event.review.commit_id }}"
-            echo $DESC
-            echo "conclusion=success" >> "$GITHUB_ENV"
-            echo "description=$DESC" >> "$GITHUB_ENV"
-            exit 0
-          elif [[ "${{ github.event.review.body }}" == reject* ]]; then
-            DESC="${{ github.event.review.user.login }} REJECTED build for ${{ github.event.review.commit_id }}"
-            echo $DESC
-            echo "conclusion=failure" >> "$GITHUB_ENV"
-            echo "description=$DESC" >> "$GITHUB_ENV"
-            exit 1
-          else
-            DESC="Assertion Error: Review body expected start with 'approved' or 'reject'. This step should have been skipped but it ran anyway!"
-            echo $DESC
-            echo "conclusion=failure" >> "$GITHUB_ENV"
-            echo "description=$DESC" >> "$GITHUB_ENV"
-            exit 1
-          fi
+          DESC="${{ github.event.review.user.login }} APPROVED build for ${{ github.event.review.commit_id }}"
+          echo "$DESC"
+          echo "conclusion=success" >> "$GITHUB_ENV"
+          echo "description=$DESC" >> "$GITHUB_ENV"
+
+      - name: Rejected Review Handling
+        if: startsWith(github.event.review.body, 'reject')
+        run: |
+          DESC="${{ github.event.review.user.login }} REJECTED build for ${{ github.event.review.commit_id }}"
+          echo "$DESC"
+          echo "conclusion=failure" >> "$GITHUB_ENV"
+          echo "description=$DESC" >> "$GITHUB_ENV"
+          exit 1
 
       - name: Post Status Check
         if:
@@ -76,23 +77,28 @@ jobs:
 
       - name: Trigger Build Commit Workflow
         if: success()
+        env:
+          PR_BRANCH: ${{ github.event.pull_request.head.ref }}
         run: |
-          # Get the source branch of the PR (from the pull_request object)
-          PR_BRANCH="${{ github.event.pull_request.head.ref }}"
-
+          echo "Triggering workflow for branch: $PR_BRANCH"
+
+          # Construct JSON payload safely using jq
+          JSON_PAYLOAD=$(jq -n --arg ref "refs/heads/$PR_BRANCH" \
+                               --arg sha "${{ github.event.review.commit_id }}" \
+                               '{ref: $ref, inputs: {sha: $sha}}')
+
           # Define the API endpoint for dispatching the workflow
           WORKFLOW_URL="https://api.github.com/repos/${{ github.repository }}/actions/workflows/build.yml/dispatches"
-
-          # Trigger the workflow for the branch of the pull request
-          echo "Triggering workflow for branch: $PR_BRANCH"
-          RESPONSE=$(curl -s -w "%{http_code}" -o response.json -X POST \
+
+          # Trigger the workflow
+          HTTP_CODE=$(curl -s -o response.json -w "%{http_code}" -X POST \
             -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-            -d '{"ref": "refs/heads/'${PR_BRANCH}'", "inputs": {"sha": "${{ github.event.review.commit_id }}"}}' \
+            -H "Accept: application/vnd.github.v3+json" \
+            -d "$JSON_PAYLOAD" \
             "$WORKFLOW_URL")
-
-          # Check if the HTTP status code is 2xx (successful)
-          if [[ "$RESPONSE" -lt 200 || "$RESPONSE" -ge 300 ]]; then
-            echo "Error triggering the workflow: HTTP $RESPONSE"
+
+          if [[ "$HTTP_CODE" -lt 200 || "$HTTP_CODE" -ge 300 ]]; then
+            echo "Error triggering the workflow: HTTP $HTTP_CODE"
             cat response.json
             exit 1
           else

@@ -13,6 +13,10 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+  statuses: write
+
 jobs:
   build_commit:
     runs-on: [self-hosted, linux]
@@ -95,4 +99,4 @@ jobs:
               \"context\": \"Build Status\",
               \"target_url\": \"$TARGET_URL\"
             }" \
-            "https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.COMMIT_SHA }}"
+            "https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.COMMIT_SHA }}"