Revert "feat: Allow customization of the github.event_name check" #563

Merged
merged 1 commit into from
Jan 26, 2024
Binary file removed .README.md.swp
Binary file not shown.
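Review bot: `.README.md.swp` is a Vim swap file that should never have reached the repository; deleting it here is correct, but also add `*.swp` (or `.*.swp`) to `.gitignore` so the next editing session does not re-add it.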
16 changes: 0 additions & 16 deletions README.md
Expand Up @@ -32,7 +32,6 @@ Error: Resource not accessible by integration
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
| `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |
| `event-name` | No | `pull_request` | Allows customizing the `github.event_name` that is used to sanity check the build and make sure its part of a Pull Request. Default is `pull_request`. Allowed values: `pull_request`, `pull_request_target`.|

## Output

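Review bot: with the `event-name` row removed, the inputs table no longer states which event the action requires, so a consumer who set `event-name: pull_request_target` against the previous release will see the `Fetch metadata` step silently skipped by the hardcoded `github.event_name == 'pull_request'` condition in action.yml with no documented reason. Add one sentence near the table stating that the action only runs on `pull_request` events, or list the removed input under `## How to upgrade`.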
Expand Down Expand Up @@ -132,21 +131,6 @@ curl -X POST \
-d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'
```

### Trigger action from a `pull_request_target` instead of `pull_request` event

[trigger_doc]: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
[security_blog]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

The action by default verifies that the [trigger][trigger_doc] is a `pull_request` event - which is the most secure and safest way to run your builds. If necessary, you can use the `event-name` property to reconfigure this verification check to support `pull_request_target` events. Make sure that you understand the [security risks][security_blog] of this behavior first. Additionally, ensure that your `checkout` action is configured properly to check out and test the right branch:

```yaml
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
```


## How to upgrade from `2.x` to new `3.x`

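Review bot: deleting this section also drops the `[trigger_doc]` and `[security_blog]` reference-style link definitions, so confirm nothing else in README.md still uses those labels, otherwise the remaining references will render as literal bracketed text. Removing the example itself is the right call: it paired `pull_request_target` with a checkout of `${{ github.event.pull_request.head.ref }}` from `${{ github.event.pull_request.head.repo.full_name }}`, which is the pattern the linked securitylab post warns about, and leaving it in place would have contradicted the now-fixed `pull_request` check in action.yml.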
10 changes: 1 addition & 9 deletions action.yml
Expand Up @@ -40,22 +40,14 @@ inputs:
type: boolean
description: 'If true, the action will not validate the user or the commit verification status'
default: false
event-name:
type: string
description:
default: pull_request
options:
- pull_request
- pull_request_target


runs:
using: 'composite'
steps:
- name: Fetch metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1
if: github.event_name == '${{ inputs.event-name }}' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
with:
skip-commit-verification: ${{ inputs.skip-commit-verification }}
skip-verification : ${{ inputs.skip-verification }}
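Review bot: the hardcoded `github.event_name == 'pull_request'` is the safer shape of this condition, because the reverted line interpolated an input value supplied by the calling workflow into the `if:` expression, and the removed input block never actually constrained that value: `options:` is a `workflow_dispatch` choice-input key, not part of the action metadata syntax, so the two listed values were not enforced, and its `description:` was left empty. Unrelated to the revert but visible in this hunk, `skip-verification :` still carries a stray space before the colon; worth cleaning up in a follow-up.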