Add example workflow to push to public PR #49
Conversation
This uses https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target which is triggered by the same events as `pull_request`, but the action runs in the context of the _base_ repository. This should be safe to run as long as the workflow code does not execute any code from the PR, since this would otherwise expose the `GITHUB_TOKEN`. Note this will only work if the PR submitter enables `Allow edits and access to secrets by maintainers`.
```yaml
repository: ${{ github.event.pull_request.head.repo.full_name }}
# Use sha instead of ref because pre-commit attempts to checkout a branch with the same name
# https://github.com/pre-commit/action/blob/20242c769824ac7e54269ee9242da5bfae19c1c8/index.js#L77
ref: ${{ github.event.pull_request.head.sha }}
```
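Review bot: the `repository:` and `ref:` values here make actions/checkout fetch the pull request's head, i.e. a tree the PR author fully controls, and per the PR description the job is triggered by `pull_request_target`, so it runs with the base repository's `GITHUB_TOKEN`. The pre-commit action referenced in the comment then runs hooks out of that checkout, which means any hook executable the PR adds or modifies runs with that token in reach. Switching from `head.ref` to `head.sha` only avoids the branch-name clash with the action's `git checkout HEAD -b <branch>`; it does not change what code gets executed. Either the hooks must not be taken from the PR tree, or this job should run under `pull_request` without a write-capable token.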
Originally I used `${{ github.event.pull_request.head.sha }}`, which checks out the branch. This led to an error because line 77 of pre-commit/action at 20242c7, `await exec.exec('git', ['checkout', 'HEAD', '-b', branch]);`, checks out the branch again, leading to a name clash. Using `pull_request.head.sha` avoids this.
this is not safe, a person could edit the github action and write code to your repository
Please read https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target
there's arbitrary code execution involved, they can take that token and do whatever they want with it
please trust me, I've spent a lot of time thinking about this and there's really no way to do this without a dedicated separate service
Could you explain a bit more about where the arbitrary code execution occurs?
in the hook executables themselves
OK, thanks for explaining. |
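The exchange above pins the problem to three things appearing together: a `pull_request_target` trigger, a checkout of the PR head, and a step that executes files from that checkout (the pre-commit hooks). The following script is an added example, not code from pre-commit/action or from this PR: a dependency-free, line-oriented audit that flags that combination in a workflow file. The three workflow texts are constructed for illustration, the regexes are heuristics rather than a YAML parser, and the `persist-credentials` note only identifies one channel through which the token reaches hook code; it is not a fix.

```python
"""Heuristic audit for the pattern discussed in this PR thread: a job
triggered by pull_request_target that checks out the PR head and then
runs tooling from that tree, so PR-controlled code executes with the
base repository's GITHUB_TOKEN in reach.

Added example; not code from pre-commit/action or from the PR.
Line-oriented regexes, not a YAML parser: treat results as triage.
"""
import re

# Trigger as a mapping key (`pull_request_target:`), a list item, or inside
# an inline list such as `on: [pull_request, pull_request_target]`.
TRIGGER = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$|^on:.*\bpull_request_target\b", re.M
)
# actions/checkout pointed at the PR head (by sha or ref) or at the fork.
HEAD_REF = re.compile(
    r"^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}", re.M
)
HEAD_REPO = re.compile(
    r"^\s*repository:\s*\$\{\{\s*github\.event\.pull_request\.head\.repo\.full_name", re.M
)
# Steps that execute files from the working tree: the pre-commit action
# (hooks come from .pre-commit-config.yaml in the checkout) or any `run:`.
EXECUTES_TREE = re.compile(r"^\s*-?\s*uses:\s*pre-commit/action|^\s*-?\s*run:", re.M)
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*false\s*$", re.M)


def audit_workflow(text: str) -> dict:
    """Return {'unsafe': bool, 'findings': [str, ...]} for one workflow."""
    prt = bool(TRIGGER.search(text))
    head = bool(HEAD_REF.search(text) or HEAD_REPO.search(text))
    runs = bool(EXECUTES_TREE.search(text))
    persists = not NO_PERSIST.search(text)
    findings = []
    if prt and head:
        findings.append("pull_request_target job checks out the PR head: "
                        "the tree it works on is controlled by the PR author")
        if runs:
            findings.append("a later step runs code from that checkout "
                            "(pre-commit hooks / run:) with GITHUB_TOKEN in reach")
        if persists:
            findings.append("actions/checkout keeps the token in .git/config "
                            "unless persist-credentials: false; hooks can read it")
    return {"unsafe": prt and head and runs, "findings": findings}


# Constructed sample workflows (illustration only, not the PR's file).
UNSAFE_WORKFLOW = """\
name: autofix
on:
  pull_request_target:
jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: pre-commit/action@v2.0.0
"""

# Same tooling under plain pull_request: runs in the fork's context, no write token.
SAFE_WORKFLOW = """\
name: lint
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: pre-commit/action@v2.0.0
"""

# pull_request_target without touching the PR tree: the trigger alone is fine.
LABEL_WORKFLOW = """\
name: label
on: [pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v3
"""

if __name__ == "__main__":
    for name, wf in [("unsafe", UNSAFE_WORKFLOW), ("safe", SAFE_WORKFLOW), ("label", LABEL_WORKFLOW)]:
        result = audit_workflow(wf)
        print(f"{name}: unsafe={result['unsafe']}")
        for f in result["findings"]:
            print("  -", f)
```

Running it prints one block per sample; only the first is reported unsafe, which is the distinction the thread draws: `pull_request_target` by itself is not the problem, checking out and executing the PR's tree under it is.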
I've created a test repository https://github.com/manicstreetpreacher/test-precommit-push-pr
Feel free to open a PR to try the workflow.