Skip to content

chore(deps-dev): bump the boto-typing group with 1 update #11233

chore(deps-dev): bump the boto-typing group with 1 update

chore(deps-dev): bump the boto-typing group with 1 update #11233

Workflow file for this run

name: Record PR details
# PROCESS
#
# 1. Runs in fork location upon PR creation or changes
# 2. Saves GitHub Pull Request Webhook payload
# 3. Uploads as a temporary GitHub Action Artifact with shortest retention
# USAGE
#
# see .github/workflows/on_merged_pr.yml and related for full example.
#
# on:
# workflow_run:
# workflows: ["Record PR details"]
# types:
# - completed
#
# Security Note:
#
# For security, this is intended to be a 2-step process: (1) collect PR, (2) act on PR.
# Do not ever use `pull_request_target` to "simplify", as it sends a write-token to the fork. Our linter should catch it.
#
# The first step runs in untrusted location (fork), therefore we limit permissions to only check out code.
#
# The second step will be workflows that want to act on a given PR, this time with intended permissions, and
# it runs on its base location (this repo!).
#
# This enforces zero trust where this workflow always runs on fork with zero permissions on GH_TOKEN.
# When this workflow completes, X workflows run in our repository with the appropriate permissions and sanitize inputs.
#
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated,
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions.
on:
pull_request:
types: [opened, edited, closed, labeled]
permissions:
contents: read
jobs:
record_pr:
runs-on: ubuntu-latest
permissions:
contents: read # NOTE: treat as untrusted location
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: "Extract PR details"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const script = require('.github/scripts/save_pr_details.js')
await script({github, context, core})
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: pr
path: pr.txt
retention-days: 1