Description
I am trying to use this Action from a Workflow which responds to the pull_request event. Specifically, I'd like it to check out the branch named master:
on: pull_request
name: Synchronize the Pull Request Preview
jobs:
  update-pr-preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
However, the logs show that the Action is not checking out the master branch. Instead, it appears to be fetching the GitHub-specific "merge" reference for the pull request that triggered the Workflow. The following command is listed in the logs:
git -c http.extraheader="AUTHORIZATION: basic ***" fetch --tags --prune --progress --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/pull/11/merge:refs/remotes/pull/11/merge
This is a problem for a couple reasons.
First, subsequent steps in the Workflow use secret values. I do not want to execute the untrusted code of a pull request in the presence of those values.
Second, many people (and the automated scripts in my project) delete the pull request branch immediately after closing the pull request, causing GitHub to delete the corresponding refs/pull/XX/merge git ref. That prevents the action from running under these conditions, even though I don't actually need the deleted ref.
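The fetch command quoted in the issue above, parsed to list which pull request refs a checkout step brings into the workspace; this is an added example, not part of the original issue or the Action's own code. The function names are hypothetical, and fetch options that take a separate value argument are assumed absent, as in the logged command.

```python
import re
import shlex

# Log line copied from the issue above (the runner has already masked the credential).
LOGGED = ('git -c http.extraheader="AUTHORIZATION: basic ***" fetch --tags --prune '
          '--progress --no-recurse-submodules origin '
          '+refs/heads/*:refs/remotes/origin/* '
          '+refs/pull/11/merge:refs/remotes/pull/11/merge')

# GitHub publishes two refs per pull request: .../head and .../merge.
PR_REF = re.compile(r"^refs/pull/(\d+)/(merge|head)$")

def fetch_refspecs(command):
    """Return (remote, [(force, src, dst), ...]) for a logged `git fetch` command."""
    argv = shlex.split(command)
    if not argv or argv[0] != "git":
        raise ValueError("not a git command")
    i = 1
    # Skip git's global options; -c and -C each consume the next argument.
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in ("-c", "-C") else 1
    if i >= len(argv) or argv[i] != "fetch":
        raise ValueError("not a git fetch command")
    # Assumption: every fetch option is a single token (--tags, --depth=1, ...).
    positional = [a for a in argv[i + 1:] if not a.startswith("-")]
    if not positional:
        return None, []
    specs = []
    for raw in positional[1:]:
        force = raw.startswith("+")
        src, _, dst = (raw[1:] if force else raw).partition(":")
        specs.append((force, src, dst))
    return positional[0], specs

def pull_request_refs(command):
    """List (pr_number, kind, local_ref) for each pull request ref that is fetched."""
    _, specs = fetch_refspecs(command)
    found = []
    for _force, src, dst in specs:
        match = PR_REF.match(src)
        if match:
            found.append((int(match.group(1)), match.group(2), dst))
    return found

if __name__ == "__main__":
    for number, kind, dst in pull_request_refs(LOGGED):
        print(f"PR #{number}: fetches the {kind} ref into {dst}")
```

An empty result from `pull_request_refs` means the logged fetch brought in only branch and tag refs.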