
ci: run contribution checks on pull_request_target #153

Merged
merged 2 commits into from
Apr 15, 2024

Conversation

tbouffard
Member

@tbouffard tbouffard commented Apr 15, 2024

There is no security issue here. The checks are done only on the updated file of the PR without doing tool installation, cache update or branch checkout.
Using this event allows creating a PR comment when the PR is created from a forked repository.

Resources

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

covers bonitasoft/bonita-documentation-site#685


github-actions bot commented Apr 15, 2024

♻️ PR Preview b4240cd has been successfully destroyed since this PR has been closed.

🤖 By surge-preview


📝 Check the pages that have been modified

In order to merge this pull request, you need to check your updates with the following URL.

🔍 Updated pages

The following pages were updated, please ensure that the display is correct:

@tbouffard tbouffard marked this pull request as ready for review April 15, 2024 12:54
@tbouffard tbouffard merged commit 76c8278 into master Apr 15, 2024
2 checks passed
@tbouffard tbouffard deleted the ci/contrib-checks_run_pr-target branch April 15, 2024 12:56
@tbouffard
Member Author

tbouffard commented Apr 15, 2024

✔️ PR created from a fork: the PR comment can now be created.

For example, in #154:


❌ But the action is not checking the content of the pull request but the content of the base branch!

In the code of the action, we use the github.context.sha to get the content of the file (https://github.com/bonitasoft/actions/blob/v3.0.0/packages/pr-antora-content-guidelines-checker/src/github-utils.ts#L28-L40) but this value depends on the event:

| event | GITHUB_SHA | source of information |
|---|---|---|
| pull_request | Last merge commit on the GITHUB_REF branch | https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request |
| pull_request_target | Last commit on the PR base branch | https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target |
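Added example (not the bonitasoft/actions code) showing how an action can select the commit whose files it reads for each event, so that `pull_request_target` runs inspect the contributor's commit rather than the base branch. The `ActionContext` shape is an assumption modelled on `@actions/github`'s `context` (`eventName`, `sha`, `payload`) so it runs offline.

```typescript
// Minimal model of @actions/github's `context` (assumed shape, not the real type).
interface PullRequestPayload {
  pull_request?: {
    head: { sha: string; repo?: { full_name: string } };
    base: { sha: string };
  };
}
interface ActionContext {
  eventName: string;
  // GITHUB_SHA: merge commit for pull_request, base branch tip for pull_request_target.
  sha: string;
  repo: { owner: string; repo: string };
  payload: PullRequestPayload;
}

// Returns the commit whose file contents the checker should fetch through the API.
function resolveContentSha(context: ActionContext): string {
  const pr = context.payload.pull_request;
  const isPrEvent =
    context.eventName === "pull_request" || context.eventName === "pull_request_target";
  if (isPrEvent && pr) {
    // pr.head.sha is the commit the contributor pushed. On pull_request_target,
    // context.sha points at the base branch, so using it would check unmodified files.
    return pr.head.sha;
  }
  // push, workflow_dispatch, ...: GITHUB_SHA is the commit that triggered the run.
  return context.sha;
}

// True when the PR head lives in a fork: on pull_request_target that content must
// only be read through the API at the resolved SHA, never checked out or executed.
function isFromFork(context: ActionContext): boolean {
  const headRepo = context.payload.pull_request?.head.repo?.full_name;
  return headRepo !== undefined && headRepo !== `${context.repo.owner}/${context.repo.repo}`;
}

// Parameters for a read-only "get repository content" call pinned to the right commit.
function contentRequest(context: ActionContext, path: string) {
  return { ...context.repo, path, ref: resolveContentSha(context) };
}
```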

benjaminParisel pushed a commit to bonitasoft/actions that referenced this pull request Apr 16, 2024
…129)

Ensure that the commit of the PR branch is used when the action is
triggered by `pull_request_target` and not the commit of the base
branch.
Improve debug logs and remove duplication.

### Notes

This should fix what is described in
bonitasoft/bonita-labs-doc#153 (comment).
This PR has been tested with
bonitasoft/bonita-labs-doc#155
Covers
bonitasoft/bonita-documentation-site#685