Enable CI checks on PRs from forks with security hardening #22
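# CI: build the project and the catalogue on every push, pull request and
# merge-queue run; publish to GitHub Pages only from main.
#
# Trust model: fork PRs are built through `pull_request` (not
# `pull_request_target`), so GitHub runs them with a read-only token and
# without repository secrets. The build steps still execute code from the PR,
# so the build job must never hold a write-capable credential.
#
# NOTE(review): every `uses:` below references a mutable tag. Pinning each
# action to a full commit SHA (with the tag kept as a trailing comment) stops
# a re-tagged release from changing what runs here.
name: CI

on:
  push:
  pull_request:
  merge_group:

# Workflow-wide default; the deploy job widens this for itself only.
permissions:
  contents: read

jobs:
  build:
    name: Build project
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step in this job runs authenticated git commands, so do
          # not leave the token available to the PR-controlled build steps.
          persist-credentials: false

      # NOTE(review): the installer is fetched from the moving `master` branch
      # and piped straight into a shell, so its content is not pinned or
      # verified. Prefer a fixed tag or commit plus a checksum comparison.
      - name: Setup elan
        run: |
          # The default step shell does not enable pipefail; without it a
          # failed download would be hidden by the exit status of `sh`.
          set -euo pipefail
          curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh | sh -s -- -y --default-toolchain none
          echo "$HOME/.elan/bin" >> "$GITHUB_PATH"

      # Restore only; saving is a separate step that is gated below.
      - name: Restore cache
        id: cache-restore
        uses: actions/cache/restore@v5
        with:
          path: .lake
          key: lake-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('lean-toolchain') }}-${{ hashFiles('lake-manifest.json') }}-${{ github.sha }}
          restore-keys: |
            lake-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('lean-toolchain') }}-${{ hashFiles('lake-manifest.json') }}

      - name: Get Mathlib cache
        run: lake exe cache get

      # Build Catalogue
      # NOTE(review): the release tarball is extracted without an integrity
      # check. Record its SHA-256 next to the version and verify it
      # (`sha256sum --check`) before running tar.
      - name: Download JuliaMono
        run: |
          wget https://github.com/cormullion/juliamono/releases/download/v0.061/JuliaMono-webfonts.tar.gz
          mkdir juliamono
          tar -xvf JuliaMono-webfonts.tar.gz -C juliamono --strip-components 1
          rm JuliaMono-webfonts.tar.gz
        working-directory: ./assets

      - name: Build Catalogue
        run: lake exe catalogue

      # Skipped for PRs whose head repository is a fork, so build output
      # produced from fork code is never written to the cache.
      - name: Save project cache
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/cache/save@v5
        with:
          path: .lake
          key: ${{ steps.cache-restore.outputs.cache-primary-key }}

      # Upload pages artifact
      # This runs for every trigger, fork PRs included; only the deploy job
      # below decides whether the artifact is published.
      - uses: actions/upload-pages-artifact@v4
        with:
          path: _out/html-multi

  deploy:
    runs-on: ubuntu-latest
    needs: build
    # Publish only for runs on the main branch ref. Keep this gate: this job
    # is the only one holding `pages: write` and `id-token: write`.
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: read
      pages: write
      id-token: write
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4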