pr-comment: Safe checkout of script files

pnacht · pnacht · commit 71fddb69c9d4 · 2023-12-08T20:29:01.000Z
Signed-off-by: Pedro Kaj Kjellerup Nacht &lt;pnacht@google.com&gt;
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
@@ -23,9 +23,18 @@ jobs:
         with:
           python-version: "3.11"
           cache: "pip"
+      # checkout these files from the base branch to guarantee they haven't been
+      # modified by the PR
+      - uses: actions/checkout@v4
+        with:
+          path: base-branch
+          sparse-checkout-cone-mode: false
+          sparse-checkout: |
+            requirements.txt
+            scripts/list_missing_entries.py
       - name: Instalar dependencias
         run: |
-          python -m pip install -r requirements.txt
+          python -m pip install -r base-branch/requirements.txt
       - name: Obtiene lista de archivos con cambios
         id: changed-files
         uses: tj-actions/changed-files@v40
@@ -40,7 +49,7 @@ jobs:
         run: |
           {
             echo 'comment<<EOF'
-            python scripts/list_missing_entries.py --github $CHANGED_PO_FILES
+            python base-branch/scripts/list_missing_entries.py --github $CHANGED_PO_FILES
             echo EOF
           } >> "$GITHUB_OUTPUT"
 
