feat: Allow customization of the github.event_name check #500
Conversation
|
If we add this, I would like to have some docs showing how to use it. What I do not want to see is that people start using it because it's supported, but then they don't do what's necessary to make this action work properly with that trigger. In fact, if you use that trigger but then you don't check out the right git commit, you end up merging a PR after running CI against a version of the code that's different from what's in the PR. |
There was a problem hiding this comment.
I'm requesting changes just to prevent this being merged. As per the comment I added, we need to have docs showing how to use it. Because if you use this trigger but then don't check out the right version of the code, you are in bigger troubles than if you didn't use this trigger in the first place
|
@diranged I tested the PR and it works! 🥳 However, I think we could achieve the same result without creating a new configuration entry. We can simply modify the if statement to accept both values:
What do you think? |
|
Folks the main point here is how we prevent people from misusing this. If you use pull_request_target, you're potentially merging a PR after testing it against the base branch, which would be more unsafe than not supporting that trigger in the first place. |
|
I think it is actually the best solution to have it as a configuration entry and not in the code, as it makes it possible to explicitly allow pull_request_target. The documentation part still remains as somebody should be aware, that he is going a potential risky path. |
|
I agree; we have two distinct needs:
This PR addresses point 1, but in my opinion, it's not optimal for point 2. This is because pull_request_target events aren't explicitly disabled; instead, they don't work due to a side effect (fetch-metadata doesn't run). For point 2, my proposal is to reopen #502 with an added skip-trigger-validation. In that scenario, the action will throw an informative message if used with pull_request_target, unless the user explicitly sets a skip-verification-trigger config. I would then merge this PR to fix the action in case a user still wants to use the pull_request_target trigger |
I do agree with point 2 here... the failure to run as a by-product of the fetch-metadata failing to run was frustrating as an end user to troubleshoot and understand. I would agree that a |
|
Actually the skip-trigger-validation made the less sense for me. |
|
Imho this PR has only one flaw: It is not possibel to use this action in a workflow which listens on pull_request and pull_request_target events. |
That is technically true - I can't think of a scenario where that happens though... but you are right. Wouldn't putting in |
|
It seems wrong to implement a Probably would make sense if it is called But still in both RPs is no documentation. That is why @simoneb blocks them, because it is a potential security risk and/or a potential error source. With documentation, if somebody opens an issue, we could than point to the documentation and close the issue. |
|
Yes folks, I am giving this some time because I would like us to converge on a solution which doesn't lend itself to abuse if the user is not careful enough. If that's the compromise we have to accept, I'd much rather not have the feature in the first place rather than allowing users to shoot themselves in the foot. |
diranged
force-pushed
the
pull_request_target
branch
from
672c910
to
81e74ec
Compare
|
I've updated my PR with some README docs... |
|
@simoneb Any update on this one? |
|
Closing this as there is no consensus on the approach. |
|
@simoneb Have you had time to think more about this for an alternative approach? It's really a shame to not be able to use this action in our environment due to this issue. |
|
My personal opinion is that this should not be supported because it leads to misuse and security issues due to that. I don't own this repository so if anybody has a different opinion I'm happy to hear proposals. In general, the easiest way to see anything landing in any project is to submit a PR. Note though that whatever implementation it contains, it should be one that is secure by default. |
|
@simoneb :) This is the PR that I submitted... which just gives a user the option of making this work. |
|
Fair enough, let's reopen this then. I didn't notice you had included additional documentation. This makes it look much better now. Approving |
|
I'm going to merge this now, the changes look good to me as they are now because they add the feature by keeping the default behavior secure, and explaining the steps that need to be taken to adopt the alternative behavior while still preserving security. |
|
@diranged this change seems to have broken the action, do you have time to look into it? https://github.com/fastify/github-action-merge-dependabot/actions/runs/7623277429 |
| event-name: | ||
| type: string | ||
| description: | ||
| default: pull_request |
There was a problem hiding this comment.
Seems like the issue of missing quotes, it should be default: 'pull_request'
There was a problem hiding this comment.
@climba03003 @simoneb Can someone re-run that in debug mode (I don't have permissions) - I don't quite think this is a quoting issue, but I'd like to see how the evaluation of ${{ inputs.event-name }} goes.
There was a problem hiding this comment.
@diranged I tried a few combinations of with-and-without quotes without success, may I ask some help to fix this? The easiest way to go about it is that you create a branch for the action, where you try your fixes, and push it to a branch on your own remote.
Then you set up a repo to try out the fix where you reference your own version of the action, meaning that assuming that you call the branch "fix-event-name", you'd reference it in the workflow as
uses: diranged/github-action-merge-dependabot@fix-event-name
That warning message is from https://github.com/dependabot/fetch-metadata/blob/924483a3d758e3539d35e512c5ca92c75c7a748d/src/dependabot/verified_commits.ts#L18-L24 - which seems to be doing a sane-check that you can't run the Looking at the last working build (https://github.com/fastify/github-action-merge-dependabot/actions/runs/7614170037) we can see it fails out with I need to see how https://github.com/fastify/github-action-merge-dependabot/pull/500/files#diff-1243c5424efaaa19bd8e813c5e6f6da46316e63761421b3e5f5c8ced9a36e6b6R58 evaluates on |
|
Meanwhile I'm reverting this PR to unbreak the main branch. #563 |
Just making sure you noticed the comment I posted here #500 (comment) |
The motivation of this PR is to allow the use of automatic merging on
pull_request_targettriggered builds, if so desired. See #355 (comment) and #497 for context.Closes #355
Closes #497
Checklist
and the Code of conduct