Github Actions, use pull_request and workflow_run instead of pull_request_target #1279
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…uest_target Motivation: pull_request_target will run against the commit where a PR is branched off of. This may result in errors not being detected until after the change is merged (e.g. checkstyle, etc.). Modifications: - Instead use the pull_request event to build pull requests, and publish the artifacts which need post analysis (test results, checkstyle, etc.). A workflow_run job can run with the permissions of the original repo and post annotations to PRs indicating any issues with the build. This separation is done for security reasons to prevent forks from getting access to credentials/secrets. Result: Pull requests build/analysis is done on the code in the pull request, instead of from the target branch.
Scottmitch
commented
Dec 14, 2020
| name: Checkstyle Report JDK ${{ matrix.java }} | ||
| path: '**/build/reports/checkstyle/*.xml' | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| # TODO https://github.com/jwgmeligmeyling/checkstyle-github-action/issues/6 |
There was a problem hiding this comment.
note we will not get the quality reports or GitHub annotations until the Github Actions resolve these issues.
|
tested locally in my fork, I will merge this since our current approach is broken and doesn't detect checkstyle and other issues on the PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
pull_request_target will run against the commit where a PR is branched
off of. This may result in errors not being detected until after the
change is merged (e.g. checkstyle, etc.).
Modifications:
the artifacts which need post analysis (test results, checkstyle, etc.).
A workflow_run job can run with the permissions of the original repo and
post annotations to PRs indicating any issues with the build. This
separation is done for security reasons to prevent forks from getting
access to credentials/secrets.
Result:
Pull requests build/analysis is done on the code in the pull request,
instead of from the target branch.