Add example workflow to push to public PR #49

Closed
Conversation

@manics manics commented Sep 25, 2020

This uses https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target which is triggered by the same events as `pull_request`, but the action runs in the context of the _base_ repository.
This should be safe to run as long as the workflow code does not execute any code from the PR, since this would otherwise expose the `GITHUB_TOKEN`.

Note this will only work if the PR submitter enables `Allow edits and access to secrets by maintainers`.

I've created a test repository https://github.com/manicstreetpreacher/test-precommit-push-pr
Feel free to open a PR to try the workflow.

Review thread on these workflow lines:

```yaml
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          # Use sha instead of ref because pre-commit attempts to checkout a branch with the same name
          # https://github.com/pre-commit/action/blob/20242c769824ac7e54269ee9242da5bfae19c1c8/index.js#L77
          ref: ${{ github.event.pull_request.head.sha }}
```

@manics (Author):

Originally I used `${{ github.event.pull_request.head.sha }}`, which checks out the branch. This led to an error because

```javascript
// pre-commit/action index.js: creates a new branch named after the PR head
await exec.exec('git', ['checkout', 'HEAD', '-b', branch]);
```

checks out the branch again, leading to a name clash. Using `pull_request.head.sha` avoids this.

@asottile (Member)

this is not safe, a person could edit the github action and write code to your repository

@asottile asottile closed this Sep 25, 2020
@manics manics (Author) commented Sep 25, 2020

Please read https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target
It runs in the context of the parent repository, so any changes made to the workflow in the PR have no effect.

@asottile (Member)

there's arbitrary code execution involved, they can take that token and do whatever they want with it

@asottile (Member)

please trust me, I've spent a lot of time thinking about this and there's really no way to do this without a dedicated separate service

@manics manics (Author) commented Sep 25, 2020

Could you explain a bit more about where the arbitrary code execution occurs?

@asottile (Member)

in the hook executables themselves

@manics manics (Author) commented Sep 25, 2020

OK, thanks for explaining.
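The disagreement above comes down to where the pull request author's code runs. With `pull_request_target` the workflow file is taken from the base branch, as manics says, so edits to the workflow in the PR are ignored. But the hooks that pre-commit executes are declared by `.pre-commit-config.yaml` in the checked-out PR tree, and they run in the same job that holds a write-capable `GITHUB_TOKEN` and the git credential that `actions/checkout` persists. That is the arbitrary code execution asottile points at. The following is an added example, not code from this PR or from pre-commit/action: it shows the proposed pattern, the kind of hook an untrusted contributor could ship, and a variant that runs the same hooks with nothing worth taking. Action versions, the hook id, file names and the `permissions` key (which GitHub added to workflow syntax after this thread) are assumptions for illustration.

```yaml
# Added example (not from pre-commit/action or this PR). Three files are shown
# as one multi-document stream; the comment above each document names its file.

# ---------- .github/workflows/autofix.yml : the pattern proposed in the PR ----------
# pull_request_target runs the BASE repo's copy of this workflow, so changes to
# the workflow inside the PR have no effect. But the GITHUB_TOKEN it receives can
# write to the repo, and every step after the checkout operates on the PR's files.
name: pre-commit-autofix
on:
  pull_request_target:
jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}   # PR-controlled tree
          # persist-credentials is true by default, so the write-capable
          # GITHUB_TOKEN is stored in .git/config for the later `git push`
      - uses: actions/setup-python@v2
      - uses: pre-commit/action@v2.0.0   # runs the hooks declared in the PR's .pre-commit-config.yaml
      # ... followed by a step that pushes the fixed files back to the PR branch (assumed)
---
# ---------- .pre-commit-config.yaml : controlled entirely by the PR author ----------
# Under the workflow above this "hook" executes on the base repository's runner,
# inside the job that holds the write token. Constructed illustration, not a hook
# from any real project.
repos:
  - repo: local
    hooks:
      - id: looks-like-a-formatter        # assumed hook id
        name: looks-like-a-formatter
        language: system
        pass_filenames: false
        entry: bash -c 'cat .git/config'  # any command runs here; a `git push` to the
                                          # base branch would succeed just as well
---
# ---------- .github/workflows/pre-commit.yml : same hooks, nothing to steal ----------
# A pull_request run from a fork gets a read-only GITHUB_TOKEN and no repository
# secrets. The checkout keeps no credential and the workflow asks for read access
# only, so a malicious hook still runs but cannot write to the repository. The job
# reports failures instead of pushing fixes; maintainers apply them themselves.
name: pre-commit
on:
  pull_request:
permissions:
  contents: read    # workflow-level least privilege (key added by GitHub after this thread)
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          persist-credentials: false    # no token left in .git/config for hooks to read
      - uses: actions/setup-python@v2
      - uses: pre-commit/action@v2.0.0
```

The `Allow edits and access to secrets by maintainers` checkbox the PR description relies on does not change this picture: it governs whether the base repository may push to the fork's branch, not which hooks execute or what credential they can see. Any design that pushes fixes back has to run the untrusted hooks somewhere that holds no write credential, which is what asottile means by a separate service.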
