apricote/releaser-pleaser
1
0
Fork 0
mirror of https://github.com/apricote/releaser-pleaser.git synced 2026-01-13 21:21:03 +00:00
Code Issues Projects Releases Packages Wiki Activity

ci: run on pr updates from main branch

Browse source 
With `pull_request`, we run in the context of the pull request branch.

- This means we run with the code from the PR branch, possibly breaking
  the current release PR for this repo with in-progress, unreviewed changes.
- This means that the secret is not available on Pull Requests from
  forks.

Switching to `pull_request_target` means we always run in the scope of
the original repository. The secret is available and the code is checked
out from our main branch.

`pull_request_target` has security considerations, but they do not apply
here as we do not check out or run code from the (external, malicious) PR.
This commit is contained in:
Julian Tölle 2024-08-25 17:10:38 +02:00
parent 2cd73a8679
commit ace8ddeef5
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.github/workflows/releaser-pleaser.yaml vendored
View file

@ -3,8 +3,8 @@ name: releaser-pleaser
on:
push:
branches: [main]
# TODO: use pull_request_target to avoid tainting the actual release PR with code from open feature pull requests
pull_request:
# Using pull_request_target to avoid tainting the actual release PR with code from open feature pull requests
pull_request_target:
types:
- edited
- labeled
@ -14,10 +14,13 @@ permissions: {}
jobs:
releaser-pleaser:
# TODO: if: push or pull_request.closed
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: main
- name: Set up Go
uses: actions/setup-go@v5