From b49d3d6a7eb0a4ee27e57f8d56fcd13df8e0cc5b Mon Sep 17 00:00:00 2001 From: Stevengre Date: Tue, 30 Jun 2026 18:05:44 +0800 Subject: [PATCH 1/2] ci(test): drop PAT from formatting job, check format instead of auto-pushing The formatting job used JENKINS_GITHUB_PAT to push a fourmolu commit back to the PR branch. Remove the PAT dependency: run fourmolu and fail the job if any .hs file changed, prompting the author to format locally and commit. No write token or push is needed. --- .github/workflows/test.yml | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c17036a017..18e7930877 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -25,7 +25,6 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} fetch-depth: 0 submodules: recursive - token: ${{ secrets.JENKINS_GITHUB_PAT }} - name: 'Install Nix' uses: cachix/install-nix-action@v25 @@ -45,23 +44,11 @@ jobs: - name: Format run: nix develop .#style --command bash -c './scripts/fourmolu.sh' - - name: Update branch - env: - GITHUB_EVENT_NAME: ${{ github.event_name }} + - name: Check formatting run: | - if git status -s -b | grep -q '^##.*(no branch)$'; then - echo 2>&1 "Error: Git is in detached HEAD state" - exit 1 - fi - if [ -n "$(git status --porcelain '*.hs')" ]; then - git config --global user.name github-actions - git config --global user.email github-actions@github.com - git add '*.hs' - git commit -m "Format with fourmolu" - git show --stat - git push - echo "Reformatted code pushed, aborting this workflow" | tee -a $GITHUB_STEP_SUMMARY + echo "Code is not formatted. Run scripts/fourmolu.sh and commit the result." | tee -a $GITHUB_STEP_SUMMARY + git diff --stat exit 1 fi # could run hlint here, but then no more jobs would run if the code is not accepted From 6c2736d1ab45e34ad01131cecbdddf3917262521 Mon Sep 17 00:00:00 2001 From: Stevengre Date: Thu, 2 Jul 2026 15:33:47 +0800 Subject: [PATCH 2/2] ci(test): drop CACHIX_PUBLIC_TOKEN, use k-framework cache pull-only The k-framework Cachix cache is publicly readable, so no auth token is needed to use it as a substituter. Removing authToken makes cachix-action pull-only (no push-back to the cache), eliminating the token dependency. Cache repopulation is left to other authenticated workflows. --- .github/workflows/test.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 18e7930877..b781b16c7a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -39,7 +39,6 @@ jobs: uses: cachix/cachix-action@v17 with: name: k-framework - authToken: '${{ secrets.CACHIX_PUBLIC_TOKEN }}' - name: Format run: nix develop .#style --command bash -c './scripts/fourmolu.sh' @@ -97,7 +96,6 @@ jobs: uses: cachix/cachix-action@v17 with: name: k-framework - authToken: '${{ secrets.CACHIX_PUBLIC_TOKEN }}' - name: Build run: GC_DONT_GC=1 nix build .#kore-exec .#kore-rpc-booster @@ -245,7 +243,6 @@ jobs: uses: cachix/cachix-action@v17 with: name: k-framework - authToken: '${{ secrets.CACHIX_PUBLIC_TOKEN }}' - name: Format run: nix develop .#style --command bash -c './scripts/hlint.sh'