From 8813b0cf1c0458c7f2c94f59c289964ffb4828c7 Mon Sep 17 00:00:00 2001
From: Manav Rathi <manav@mrmr.io>
Date: Mon, 26 Aug 2024 21:50:04 +0530
Subject: [PATCH] [meta] Run PRs lint checks for pull requests from external
 forks

Currently, for PRs opened by external contributors, the various lint checks
don't run (sometimes causing code that fails basic lint checks to be committed
to main).

From my current understanding (I find the docs around this confusing), we need
to instead use the "pull_request" target. Refs:

* https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request
* https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Note that even then, we will need a manual step to approve running the lints for
first time contributors. Which is fine, at least we'll see the option, unlike
right now where they just can't be run until the code hits main.
---
 .github/workflows/auth-lint.yml         | 5 ++---
 .github/workflows/desktop-lint.yml      | 5 ++---
 .github/workflows/docs-verify-build.yml | 5 ++---
 .github/workflows/infra-lint-staff.yml  | 5 ++---
 .github/workflows/mobile-lint.yml       | 5 ++---
 .github/workflows/server-lint.yml       | 5 ++---
 .github/workflows/web-lint.yml          | 5 ++---
 7 files changed, 14 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/auth-lint.yml b/.github/workflows/auth-lint.yml
index b3b302a32e..4518c542da 100644
--- a/.github/workflows/auth-lint.yml
+++ b/.github/workflows/auth-lint.yml
@@ -1,9 +1,8 @@
 name: "Lint (auth)"
 
 on:
-    # Run on every push to a branch other than main that changes auth/
-    push:
-        branches-ignore: [main]
+    # Run on every pull request (open or push to it) that changes auth/
+    pull_request:
         paths:
             - "auth/**"
             - ".github/workflows/auth-lint.yml"
diff --git a/.github/workflows/desktop-lint.yml b/.github/workflows/desktop-lint.yml
index d1cfda884d..0c24a081ff 100644
--- a/.github/workflows/desktop-lint.yml
+++ b/.github/workflows/desktop-lint.yml
@@ -1,9 +1,8 @@
 name: "Lint (desktop)"
 
 on:
-    # Run on every push to a branch other than main that changes desktop/
-    push:
-        branches-ignore: [main]
+    # Run on every pull request (open or push to it) that changes desktop/
+    pull_request:
         paths:
             - "desktop/**"
             - ".github/workflows/desktop-lint.yml"
diff --git a/.github/workflows/docs-verify-build.yml b/.github/workflows/docs-verify-build.yml
index addb52a059..e07f9f973f 100644
--- a/.github/workflows/docs-verify-build.yml
+++ b/.github/workflows/docs-verify-build.yml
@@ -4,9 +4,8 @@ name: "Verify build (docs)"
 # succeeding before we merge the PR into main.
 
 on:
-    # Run on every push to a branch other than main that changes docs/
-    push:
-        branches-ignore: [main]
+    # Run on every pull request (open or push to it) that changes docs/
+    pull_request:
         paths:
             - "docs/**"
             - ".github/workflows/docs-verify-build.yml"
diff --git a/.github/workflows/infra-lint-staff.yml b/.github/workflows/infra-lint-staff.yml
index 5c2894281e..3f3612bd04 100644
--- a/.github/workflows/infra-lint-staff.yml
+++ b/.github/workflows/infra-lint-staff.yml
@@ -1,9 +1,8 @@
 name: "Lint (staff)"
 
 on:
-    # Run on every push to a branch other than main that changes infra/staff/
-    push:
-        branches-ignore: [main]
+    # Run on every pull request (open or push to it) that changes infra/staff/
+    pull_request:
         paths:
             - "infra/staff/**"
             - ".github/workflows/infra-deploy-staff.yml"
diff --git a/.github/workflows/mobile-lint.yml b/.github/workflows/mobile-lint.yml
index 59bfcbbf67..0a57c0b30b 100644
--- a/.github/workflows/mobile-lint.yml
+++ b/.github/workflows/mobile-lint.yml
@@ -1,9 +1,8 @@
 name: "Lint (mobile)"
 
 on:
-    # Run on every push to a branch other than main that changes mobile/
-    push:
-        branches-ignore: [main, f-droid]
+    # Run on every pull request (open or push to it) that changes mobile/
+    pull_request:
         paths:
             - "mobile/**"
             - ".github/workflows/mobile-lint.yml"
diff --git a/.github/workflows/server-lint.yml b/.github/workflows/server-lint.yml
index 3b0cbc855f..2f126899ff 100644
--- a/.github/workflows/server-lint.yml
+++ b/.github/workflows/server-lint.yml
@@ -1,9 +1,8 @@
 name: "Lint (server)"
 
 on:
-    # Run on every push to a branch other than main that changes server/
-    push:
-        branches-ignore: [main]
+    # Run on every pull request (open or push to it) that changes server/
+    pull_request:
         paths:
             - "server/**"
             - ".github/workflows/server-lint.yml"
diff --git a/.github/workflows/web-lint.yml b/.github/workflows/web-lint.yml
index 7f5d270029..c64463384c 100644
--- a/.github/workflows/web-lint.yml
+++ b/.github/workflows/web-lint.yml
@@ -1,9 +1,8 @@
 name: "Lint (web)"
 
 on:
-    # Run on every push to a branch other than main that changes web/
-    push:
-        branches-ignore: [main]
+    # Run on every pull request (open or push to it) that changes web/
+    pull_request:
         paths:
             - "web/**"
             - ".github/workflows/web-lint.yml"