feat: Allow customization of the github.event_name check (#500)
diranged committed Jan 23, 2024
1 parent d52be47 commit 8206d01
Showing 3 changed files with 25 additions and 1 deletion.
Binary file added .README.md.swp
Binary file not shown.
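Review bot: `.README.md.swp` is an editor swap file (the `.swp` suffix is what Vim writes while a buffer is open) and looks committed by accident; it has nothing to do with the feature and should not land in the repository. Drop it from this commit and add `*.swp` to `.gitignore` so it cannot recur.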
16 changes: 16 additions & 0 deletions README.md
Expand Up @@ -32,6 +32,7 @@ Error: Resource not accessible by integration
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
| `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |
| `event-name` | No | `pull_request` | Allows customizing the `github.event_name` that is used to sanity check the build and make sure its part of a Pull Request. Default is `pull_request`. Allowed values: `pull_request`, `pull_request_target`.|

## Output

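Review bot: the new `event-name` row states "Allowed values: `pull_request`, `pull_request_target`", but nothing in this commit enforces that list (the `options:` key added in `action.yml` is not validated for action inputs), so the README promises a restriction the action does not apply. Either word the row as a recommendation or pair it with a validation step in `action.yml`. Minor wording in the same row: "make sure its part of a Pull Request" should read "it's part".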
Expand Down Expand Up @@ -131,6 +132,21 @@ curl -X POST \
-d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'
```

### Trigger action from a `pull_request_target` instead of `pull_request` event

[trigger_doc]: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
[security_blog]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

The action by default verifies that the [trigger][trigger_doc] is a `pull_request` event - which is the most secure and safest way to run your builds. If necessary, you can use the `event-name` property to reconfigure this verification check to support `pull_request_target` events. Make sure that you understand the [security risks][security_blog] of this behavior first. Additionally, ensure that your `checkout` action is configured properly to check out and test the right branch:

```yaml
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
```


## How to upgrade from `2.x` to new `3.x`

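Review bot: the checkout snippet in the new `pull_request_target` section checks out `github.event.pull_request.head.ref` from `head.repo.full_name`, i.e. the contributor's branch from their fork, inside a workflow that for `pull_request_target` runs with the base repository's write token and secrets; that is exactly the combination the linked [security blog][security_blog] warns about, and the paragraph only asks the reader to "understand the risks". Suggest stating the risk next to the snippet and hardening the example: pin to `${{ github.event.pull_request.head.sha }}` instead of the mutable branch name, add `persist-credentials: false` so the token is not written into the checked-out tree, and say explicitly that the job must not execute anything from that tree (build scripts, package manager hooks, Makefiles) since the action only needs to read metadata. Also, the two consecutive blank lines before `## How to upgrade` can be collapsed to one.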
10 changes: 9 additions & 1 deletion action.yml
Expand Up @@ -40,14 +40,22 @@ inputs:
type: boolean
description: 'If true, the action will not validate the user or the commit verification status'
default: false
event-name:
type: string
description:
default: pull_request
options:
- pull_request
- pull_request_target


runs:
using: 'composite'
steps:
- name: Fetch metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1
if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
if: github.event_name == '${{ inputs.event-name }}' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
with:
skip-commit-verification: ${{ inputs.skip-commit-verification }}
skip-verification : ${{ inputs.skip-verification }}
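Review bot: the new `event-name` input has an empty `description:` and an `options:` list that GitHub will ignore. `options` belongs to `workflow_dispatch` inputs of type `choice`, not to an action's `inputs:` block (which honours `description`, `required`, `default` and `deprecationMessage`), so the caller can pass any value (`push`, `schedule`, ...) and the `github.event_name == ...` guard on `Fetch metadata`, which previously hard-coded `pull_request`, degrades to a no-op. Suggest filling in the description and adding a step before `Fetch metadata` that fails unless `inputs.event-name` is one of the two documented values (a short `case ... esac` in a `shell: bash` step is enough). The condition itself can also be written as `github.event_name == inputs.event-name`, which avoids relying on `${{ }}` interpolation inside a string literal in `if:`.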

0 comments on commit 8206d01