Support workflow_dispatch Event Context #45
Comments
Meanwhile this issue is legit, I'm wondering how you can wait for all your CI runs if it's not in the same workflow file. Do you have an example?
The feature request is legitimate, we need to pay special attention to the attack surface. If you look into how this action works, which is also described here, we're working around limitations in permissions of the GH token by delegating the merge to an external GH app. Hence, we need to be extra careful which PRs that application is capable of merging. With that being said, I don't see this feature request necessarily impacting the attack surface. The action would have to be changed to accept a PR number, which could come from anywhere, including workflow_dispatch trigger inputs. If that is not provided, the current behavior is preserved. The syntax would then look something like:

```yaml
name: automerge
on:
  workflow_dispatch:
    inputs:
      pr:
        required: true
jobs:
  automerge:
    runs-on: ubuntu-latest
    steps:
      - uses: fastify/github-action-merge-dependabot@v2.1.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # proposed input: PR number taken from the workflow_dispatch inputs
          pr: ${{ github.event.inputs.pr }}
```
I will try to make time to take a look at making this change. Our CI provider is CircleCI, I believe I can derive the PR number from a job triggered by a pull request.
I am testing this a bit, and in addition to the PR number, we would also need to derive these details:
I can easily get the ref in the workflow event, it's in

```yaml
name: automerge
on:
  workflow_dispatch:
    inputs:
      pr:
        required: true
      user:
        required: true
jobs:
  automerge:
    runs-on: ubuntu-latest
    steps:
      - uses: fastify/github-action-merge-dependabot@v2.1.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          pr: ${{ github.event.inputs.pr }}
          user: ${{ github.event.inputs.user }}
```
Wouldn't it be better that the user resolution will be done using the PR number?
The For my tests, when I am doing a
While thinking about and working on this, please always consider that any user-provided input is a possible attack vector, hence we want to minimize it. As I described earlier, I don't think that anything other than the PR number is necessary.
After taking a look at what the code is checking for, I thought it would be easier just to fetch the pull request data from the supplied input. That way we still only need the PR number provided by the CI/script that initiates the manual workflow request. All the other functionality should remain the same.
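
An added example (not part of the thread and not the action's own code) of the approach the comments above converge on: take only the PR number from the workflow_dispatch inputs, then read author and state from the fetched pull request. The function names, the `dependabot[bot]` author check and the sample PR objects are assumptions made for the illustration.

```javascript
// Assumption: the login Dependabot uses as PR author.
const TRUSTED_AUTHOR = 'dependabot[bot]'

// Accept only a plain decimal PR number; reject anything else
// ("12abc", "-1", "1e3", " 7", "") instead of coercing it.
function parsePrNumber (raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,9}$/.test(raw)) {
    throw new Error('pr input must be a positive integer')
  }
  return Number(raw)
}

// Decide which PR to act on: from the event payload for pull_request,
// from the single `pr` input for workflow_dispatch.
function targetPrNumber (eventName, payload, inputs) {
  if (eventName === 'pull_request') return payload.pull_request.number
  if (eventName === 'workflow_dispatch') return parsePrNumber(inputs.pr)
  throw new Error(`unsupported event: ${eventName}`)
}

// Validate the PR object fetched for that number. Author and state come
// from the fetched data, never from caller-supplied inputs.
function assertMergeable (pr, expectedNumber) {
  if (pr.number !== expectedNumber) throw new Error('fetched PR does not match request')
  if (pr.state !== 'open') throw new Error('PR is not open')
  if (pr.user.login !== TRUSTED_AUTHOR) throw new Error('PR author is not trusted')
  return { number: pr.number, author: pr.user.login }
}

// Constructed sample data standing in for API responses (hypothetical PRs).
const samplePrs = {
  101: { number: 101, state: 'open', user: { login: 'dependabot[bot]' } },
  102: { number: 102, state: 'open', user: { login: 'someone-else' } }
}

// Full decision for one trigger; a `user` input, if sent, is ignored.
function decide (eventName, payload, inputs) {
  try {
    const n = targetPrNumber(eventName, payload, inputs)
    const pr = samplePrs[n] // a real action would fetch this from the API
    if (!pr) throw new Error('PR not found')
    return { ok: true, ...assertMergeable(pr, n) }
  } catch (err) {
    return { ok: false, reason: err.message }
  }
}
```

A dispatch for PR 102 that also sends `user: dependabot[bot]` is still refused, because the author is taken from the fetched PR rather than from the request.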
🚀 Feature Proposal
Support the workflow_dispatch as an acceptable event context to run this action.
Motivation
It looks like this only supports the pull_request event context here. In my case, my CI runs on a different provider which I can't change out right now. I would like to initiate a workflow_dispatch via API when my CI has passed so that the auto-merge action can then take effect.
workflow_dispatch
Example