From 94899ce837521d997f694ad5d162524d8a349e9a Mon Sep 17 00:00:00 2001
From: Johan Sydseter
Date: Tue, 4 Feb 2025 14:09:26 +0100
Subject: [PATCH 1/4] Ensure the content security policy is correctly set for the youtube player.
---
 cornucopia.owasp.org/script/headers.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cornucopia.owasp.org/script/headers.js b/cornucopia.owasp.org/script/headers.js
index 7936491ab..d61bc00e1 100644
--- a/cornucopia.owasp.org/script/headers.js
+++ b/cornucopia.owasp.org/script/headers.js
@@ -27,13 +27,13 @@ function main() {
 Referrer-Policy: same-origin
 Permissions-Policy: accelerometer=(), autoplay=(), camera=(), document-domain=(), encrypted-media=(), fullscreen=(self "https://www.youtube.com/"), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()
 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- content-security-policy: base-uri 'self'; default-src 'none'; connect-src 'self'; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; img-src 'self'; upgrade-insecure-requests
+ Content-Security-Policy: base-uri 'self'; default-src 'none'; connect-src 'self'; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; img-src 'self'; upgrade-insecure-requests
 /how-to-play
 ! Permissions-Policy
 Permissions-Policy: accelerometer=(), autoplay=(), camera=(), document-domain=(), encrypted-media=(), fullscreen=(self "https://www.youtube.com/"), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self "https://www.youtube.com/"), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()
 ! Content-Security-Policy
- content-security-policy: base-uri 'self'; default-src 'none'; frame-src 'self' https://www.youtube.com/; connect-src 'self'; img-src 'self' https://i.ytimg.com/vi/XXTPXozIHow/mqdefault.jpg; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; upgrade-insecure-requests
+ Content-Security-Policy: base-uri 'self'; default-src 'none'; frame-src 'self' https://www.youtube.com/; connect-src 'self'; img-src 'self' https://i.ytimg.com/vi/XXTPXozIHow/mqdefault.jpg; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; upgrade-insecure-requests
 `;
 const headersFile = path.join(buildDir, '_headers');
From e6d35877f4c439ef34453e8b15c6043cb6e04b3a Mon Sep 17 00:00:00 2001
From: Johan Sydseter
Date: Tue, 4 Feb 2025 14:27:40 +0100
Subject: [PATCH 2/4] Always run tests for patching
---
 .github/workflows/run-tests-for-patches.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/run-tests-for-patches.yaml b/.github/workflows/run-tests-for-patches.yaml
index e7c4a54ed..a59cd8690 100644
--- a/.github/workflows/run-tests-for-patches.yaml
+++ b/.github/workflows/run-tests-for-patches.yaml
@@ -3,8 +3,6 @@ name: Run tests status check.
 on:
 # Triggers the workflow on push or pull request events but only for the main branch
 pull_request:
- paths-ignore:
- - 'cornucopia.owasp.org/**'
 branches:
 - master
 # Allows you to run this workflow manually from the Actions tab
From d03c0b13fa0fddbe4ba0ea4572b68f6c100ab6f7 Mon Sep 17 00:00:00 2001
From: Johan Sydseter
Date: Tue, 4 Feb 2025 14:39:31 +0100
Subject: [PATCH 3/4] Change to pull-request-target
---
 .github/workflows/deploy-staging.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index d430b3d47..5e5e85694 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
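Review bot: Both added `Content-Security-Policy:` lines keep `script-src 'self' 'nonce-DhcnhD3khTMePgXw'`, a fixed nonce baked into a static `_headers` file: it is identical in every response and visible to anyone who fetches the page, so it does not give the injection protection a nonce source is meant to provide (a nonce has to be unpredictable and minted per response, which a static header file cannot do). The casing fix itself is harmless, since header names are case-insensitive, but the commit title claims the policy is now correctly set and this is the larger gap. If the inline script the nonce exists for is fixed at build time, replace the nonce with a hash source, `script-src 'self' 'sha256-<BASE64_HASH_OF_INLINE_SCRIPT>'` (placeholder for the real digest, which this build script could compute), or move that script into a file served from `'self'` and drop the nonce source altogether. Also worth confirming that `frame-ancestors` is set somewhere in the template, as it does not fall back to `default-src 'none'`; the template literal and `main()` begin outside this hunk.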
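Review bot: The comment directly above the changed trigger, `# Triggers the workflow on push or pull request events but only for the main branch`, no longer describes it: the hunk shows only `pull_request` filtered to `master`, and with `paths-ignore` removed it now also runs for `cornucopia.owasp.org/**` changes, which is the point of the commit. Suggest `# Runs on every pull request targeting master (website changes included)` so the next reader does not look for a push trigger. The `on:` block continues past the hunk; the trailing comment suggests a manual-dispatch trigger follows, but it is not visible here.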
@@ -1,7 +1,7 @@
 ---
 name: Build and Deploy The Cornucopia Website on Staging
 on:
- pull_request:
+ pull_request_target:
 paths:
 - 'cornucopia.owasp.org/**'
 permissions:
From 1b4ac89c2105f0840c489e18731dbc417f9a4428 Mon Sep 17 00:00:00 2001
From: Johan Sydseter
Date: Tue, 4 Feb 2025 14:42:56 +0100
Subject: [PATCH 4/4] Ensure to grab the head
---
 .github/workflows/deploy-staging.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 5e5e85694..80febbb9a 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -27,6 +27,8 @@ steps:
 - name: Checkout repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
 - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
 name: Install pnpm
 with:
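Review bot: `pull_request_target` runs this workflow in the base repository's context, with its secrets and default `GITHUB_TOKEN`, and [PATCH 4/4] then checks out `github.event.pull_request.head.sha`, so code from the pull request head (dependency install scripts, the build) is executed with the staging deployment credentials, including for pull requests from forks, which is exactly the combination GitHub's own guidance on `pull_request_target` says to avoid. The privileged trigger is meant for jobs that only read PR metadata, not for building PR content. If previews for fork PRs are required, keep the build on `pull_request` (no secrets) and deploy the resulting artifact from a separate `workflow_run`-triggered job; if only same-repository PRs need previews, `pull_request` already has access to secrets and this change can be reverted. If `pull_request_target` has to stay, at minimum gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` and add `persist-credentials: false` under the checkout `with:` in PATCH 4/4 so the token is not left on disk for later steps. The `permissions:` block starts at the end of this hunk and its contents are outside it, so its scope is not verified here.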