Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update README regarding pull_request_target #321

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+17 −0
Open

Update README regarding pull_request_target #321

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
05aa1e5
Update README regarding `pull_request_target`
ylemkimon Aug 9, 2020
4c4d2b5
Update README.md
ylemkimon Aug 9, 2020
f16edde
Update README.md
ylemkimon Sep 14, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -118,6 +118,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
- [Checkout pull request on `pull_request_target`](#Checkout-pull-request-on-pull_request_target)
- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)

## Fetch all history for all tags and branches
@@ -214,6 +215,22 @@ jobs:
- uses: actions/checkout@v2
```

## Checkout pull request on `pull_request_target`

```yaml
on:
- pull_request_target
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: refs/pull/${{ github.event.pull_request.number }}/head
```

**WARNING! NEVER** run code from pull requests of public repositories! The token of `pull_request_target` event has write access.

This comment was marked as resolved.

Sign in to view

Copy link
Author

@ylemkimon ylemkimon Sep 14, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matfax The pull_request_target runs in the context of the base repository of the pull request, i.e., its GITHUB_TOKEN has read/write access even for pull requests from forked repos.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tested various things now. Even though GITHUB_TOKEN doesn't seem to be available all the time, the github.token from the context has indeed write permissions as you stated. actions/checkout sets this context token as repository token, so it's available anyways once checkout is used. I find it rather odd that GitHub introduced pull_request_target as some kind of safe alternative but how are you supposed to check anything in a pull request if you can't even check out its code? Imho, they should change the permissions of the token if used in pull_request_target to read only the repository + write access to the pull request (except merge). The use case of checking forked pull requests is integrated and documented insufficiently.


## Push a commit using the built-in token

```yaml