From 2567f0ae8bff0939b083ec6b912585d42e7ba81a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20T=C3=B6lle?=
Date: Sun, 25 Aug 2024 17:16:43 +0200
Subject: [PATCH] ci: run on pr updates from main branch (#30)

With `pull_request`, we run in the context of the pull request branch.
- This means we run with the code from the PR branch, possibly breaking the current release PR for this repo with in-progress, unreviewed changes.
- This means that the secret is not available on Pull Requests from forks.
Switching to `pull_request_target` means we always run in the scope of the original repository. The secret is available and the code is checked out from our main branch. `pull_request_target` has security considerations, but they do not apply here as we do not check out or run code from the (external, malicious) PR.
---
 .github/workflows/releaser-pleaser.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/releaser-pleaser.yaml b/.github/workflows/releaser-pleaser.yaml
index 0406d41..ff1c0fa 100644
--- a/.github/workflows/releaser-pleaser.yaml
+++ b/.github/workflows/releaser-pleaser.yaml
@@ -3,8 +3,8 @@ name: releaser-pleaser
 on:
   push:
     branches: [main]
-  # TODO: use pull_request_target to avoid tainting the actual release PR with code from open feature pull requests
-  pull_request:
+  # Using pull_request_target to avoid tainting the actual release PR with code from open feature pull requests
+  pull_request_target:
     types:
       - edited
       - labeled
@@ -14,10 +14,13 @@ permissions: {}
 jobs:
   releaser-pleaser:
+    # TODO: if: push or pull_request.closed
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: main
       - name: Set up Go
         uses: actions/setup-go@v5
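Review bot: With `pull_request_target` on `types: [edited, labeled]`, the job now runs with repository secrets whenever any PR author, fork included, edits a title or body or a label changes, so the PR payload in `github.event.pull_request` (title, body, branch name) becomes untrusted input reaching a privileged context; the replacement comment should state that invariant rather than only the release-PR tainting, since it is what later maintainers must preserve. Suggested wording: `# pull_request_target: runs with base-repo secrets on trusted main, never on PR code.` followed by `# Do not check out the PR head and do not interpolate github.event.pull_request.* into run: steps.` The trigger block continues outside the hunk, so I cannot see whether other types are listed or whether any step consumes those fields; treat this as a caveat to confirm. The `permissions: {}` visible in the second hunk header limits GITHUB_TOKEN, which is the right default for this trigger.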
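Review bot: The added `ref: main` is what keeps the switch to `pull_request_target` safe, but the hunk gives no reason for it, so a later edit to `ref: ${{ github.head_ref }}` (a common pattern in PR workflows) would silently run fork code with secrets; add `# Explicitly check out main: this job runs on pull_request_target with secrets, so it must never check out the PR head.` above it. It also hard-codes `main` while the push trigger already names that branch; on a PR against another base branch the job would still build main, which may be intended but is worth stating in that comment. The `# TODO: if: push or pull_request.closed` line could become `if: github.event_name == 'push' || github.event.action == 'closed'` provided `closed` is among the trigger types (the list runs past the first hunk). Since secrets are exposed under this trigger, pinning `actions/checkout@v4` and `actions/setup-go@v5` to full commit SHAs would harden the supply chain, though those lines are unchanged context. The job's remaining steps are outside the hunk.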