Commit 8206d01

feat: Allow customization of the github.event_name check (#500)
1 parent d52be47 commit 8206d01

3 files changed

+25
-1
lines changed

.README.md.swp

36 KB
Binary file not shown.
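Review bot: `.README.md.swp` is a Vim swap file that was committed by accident alongside the README edit; it carries no project content and should not land with this feature. Drop it from the commit and add `*.swp` to `.gitignore` so editor state cannot slip into the tree again.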

README.md

Lines changed: 16 additions & 0 deletions
@@ -32,6 +32,7 @@ Error: Resource not accessible by integration
3232
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
3333
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
3434
| `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |
35+
| `event-name` | No | `pull_request` | Allows customizing the `github.event_name` that is used to sanity check the build and make sure its part of a Pull Request. Default is `pull_request`. Allowed values: `pull_request`, `pull_request_target`.|
3536

3637
## Output
3738

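Review bot: typo in the new `event-name` table row: "make sure its part of a Pull Request" should read "it's part of a Pull Request". The row would also be more useful if it said why the check exists, i.e. that switching to `pull_request_target` runs the job with the base repository's write token and secrets, and pointed the reader to the "Trigger action from a `pull_request_target`" section added further down in this commit.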
@@ -131,6 +132,21 @@ curl -X POST \
131132
-d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'
132133
```
133134

135+
### Trigger action from a `pull_request_target` instead of `pull_request` event
136+
137+
[trigger_doc]: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
138+
[security_blog]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
139+
140+
The action by default verifies that the [trigger][trigger_doc] is a `pull_request` event - which is the most secure and safest way to run your builds. If necessary, you can use the `event-name` property to reconfigure this verification check to support `pull_request_target` events. Make sure that you understand the [security risks][security_blog] of this behavior first. Additionally, ensure that your `checkout` action is configured properly to check out and test the right branch:
141+
142+
```yaml
143+
- name: Checkout
144+
uses: actions/checkout@v3
145+
with:
146+
ref: ${{ github.event.pull_request.head.ref }}
147+
repository: ${{ github.event.pull_request.head.repo.full_name }}
148+
```
149+
134150

135151
## How to upgrade from `2.x` to new `3.x`
136152

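Review bot: the checkout snippet in this hunk checks out the PR head by mutable branch name (`ref: ${{ github.event.pull_request.head.ref }}`), which is exactly the pattern the linked security_blog describes as dangerous for `pull_request_target`: the workflow runs with the base repository's write token and secrets, and the branch can be moved after the event fires. Suggest `ref: ${{ github.event.pull_request.head.sha }}` so the checked-out commit is the one that triggered the run, and add a sentence stating that no subsequent step holding write permissions or secrets should execute code from that checkout. The paragraph's "Make sure that you understand the security risks" is good, but the example should model the safer form rather than leave it to the reader.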
action.yml

Lines changed: 9 additions & 1 deletion
@@ -40,14 +40,22 @@ inputs:
4040
type: boolean
4141
description: 'If true, the action will not validate the user or the commit verification status'
4242
default: false
43+
event-name:
44+
type: string
45+
description:
46+
default: pull_request
47+
options:
48+
- pull_request
49+
- pull_request_target
50+
4351

4452
runs:
4553
using: 'composite'
4654
steps:
4755
- name: Fetch metadata
4856
id: dependabot-metadata
4957
uses: dependabot/fetch-metadata@v1
50-
if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
58+
if: github.event_name == '${{ inputs.event-name }}' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
5159
with:
5260
skip-commit-verification: ${{ inputs.skip-commit-verification }}
5361
skip-verification : ${{ inputs.skip-verification }}
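Review bot: `description:` for the new `event-name` input (line 45+) is left empty; fill it in, for example with the wording from the README row. More importantly, `options:` is not part of the action metadata `inputs` schema (it only exists for `workflow_dispatch` choice inputs), so the `pull_request` / `pull_request_target` list is not enforced: any string passed as `event-name`, say `push`, flows straight into the `if:` condition and silently disables the sanity check this input is meant to keep. Either validate the input in a preceding step that fails the run on anything other than those two values, or at minimum document that the list is informational. In the condition itself, `github.event_name == inputs.event-name` is clearer than interpolating `${{ inputs.event-name }}` into a quoted literal inside an otherwise bare expression, and matches the style of the rest of the line.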
