add 2-step ci workflow [skip ci]

.github/workflows/build-and-deploy.yml

@@ -1,12 +1,12 @@
 on:
-  push:
-    branches:
-      - master
-      - staging
-      - release
-  pull_request:
-  repository_dispatch:
-    types: build-and-deploy
+  # push:
+  #   branches:
+  #     - master
+  #     - staging
+  #     - release
+  # pull_request:
+  # repository_dispatch:
+  #   types: build-and-deploy
   workflow_dispatch:
   workflow_call:
 

.github/workflows/fork-01-build.yml

@@ -0,0 +1,61 @@
+name: fork-01-build
+
+# /!\ Make sure you don't expose any sensitive information to this workflow.
+#
+# This is the first (unsafe) step in 2-step process triggered on pull request.
+# This workflow executes on forked repo branch and has only read-only repo token
+# and no access to secrets. It rebuilds the data_output/ directory using
+# potentially unsafe code from the forked repo, and passes the resulting data/
+# and data_output/ directories to next stage through artifacts. The step 2 then
+# commits and pushes it back to the forked branch.
+#
+# See:
+# - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
+on:
+  pull_request:
+    branches:
+      - ci-test
+
+concurrency:
+  group: cli-${{ github.workflow }}-${{ github.ref_type }}-${{ github.event.pull_request.number || github.ref || github.run_id }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash -euxo pipefail {0}
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: "actions/checkout@v4"
+        with:
+          fetch-depth: 0 # Number of commits to fetch. 0 indicates all history for all branches and tags.
+          fetch-tags: true # Whether to fetch tags, even if fetch-depth > 0.
+
+      - name: "Install system dependencies"
+        run: |
+          sudo apt-get install python3 --yes -qq >/dev/null
+
+      - name: "Install Python dependencies"
+        run: |
+          pip3 install -r requirements.txt
+
+      - name: "Rebuild datasets"
+        if: github.ref != 'refs/heads/release'
+        run: |
+          ./scripts/rebuild --input-dir 'data/' --output-dir 'data_output/' --no-pull
+
+      - name: "Prepare artifact"
+        run: |
+          mkdir -p out
+          echo ${{ github.event.number }} > out/pr-number.txt
+          tar --use-compress-program=zstdmt -cf "out/data.tar.zst" "data/"
+          tar --use-compress-program=zstdmt -cf "out/data_output.tar.zst" "data_output/"
+
+      - uses: "actions/upload-artifact@v4"
+        with:
+          name: out
+          path: out/

.github/workflows/fork-02-push.yml

@@ -0,0 +1,82 @@
+name: fork-02-push
+
+# /!\ Make sure you don't run any external (unsafe) code in this workflow.
+#
+# This is the seconds (safe) step in 2-step process triggered on pull request.
+# This workflow executes in main repo context and has read-write repo token
+# and access to secrets.
+#
+# It retrieves the artifacts produced by the first (unsafe) step of the process
+# commits and pushes them back into the PR branch.
+#
+# See:
+# - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
+on:
+  workflow_run:
+    workflows:
+      - "fork-01-build"
+    types:
+      - "completed"
+
+jobs:
+  download:
+    runs-on: ubuntu-latest
+    steps:
+      # /!\ This retrieves potentially unsafe code from a forked repository.
+      # It is fine to use data from it, and to treat code as data (e.g.
+      # linting it), but it is **unsafe to execute any of this code**. The code
+      # can potentially steal our credentials.
+      - name: "Checkout unsafe code from PR"
+        uses: actions/checkout@v4
+        with:
+          ref: ${{github.event.pull_request.head.ref}}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+
+      - name: 'Download artifact'
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "out"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/out.zip`, Buffer.from(download.data));
+
+      - name: "Extract artifact"
+        run: |
+          unzip out.zip
+          rm -rf data/ data_output/
+          tar --use-compress-program=unzstd -xvf data.tar.zst
+          tar --use-compress-program=unzstd -xvf data_output.tar.zst
+
+      - name: "Prepare artifact"
+        run: |
+          ls -al .
+          ls -al data
+          ls -al data_output
+
+      - name: 'Comment on PR'
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            let fs = require('fs');
+            let issue_number = Number(fs.readFileSync('out/pr-number.txt'));
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue_number,
+              body: 'Thank you for the PR!\nNewline\n\nDouble newline\n\nList:\n\n- one\n- two\n- three'
+            });