Support workflow_run triggered by push event workflows #138
Conversation
Updates to enhance security around github token handling means that PRs merged to a target branch by github native dependabot no longer receive a write access token by default. Instead it is required to have a push workflow trigger a workflow_run subsequently that is provided with write access. To support this add a route and handler function for workflow_run events that reuses much of the functionality from the push handler by moving the common capabilities to a shared function. Includes a check to skip such a workflow if it is triggered via pull_request events instead until such time as someone can add the required support using the existing pull_request handler for the common pieces. Adds tests following the same pattern for the handlePull function.
|
Nice one, thanks @electrofelix! It all looks good from a cursory glance, I'll take a proper look/test within the next week and cut a release with this soon |
|
@chinthakagodawita the tests were very straightforward to follow. I will admit I'm a little unsure as to what happens during a workflow_run triggered by a PR (or even how multiple PRs could appear in the event data though that is documented by GitHub's api) so I've just made the assumption that the head_branch might be empty in that case and that may mean I'm doubling up on checking that it's been triggered via an action running on a push event. I'll try to see what GitHub does in the second case to at least ensure whether that test is needed or if the one further down can just be moved up and have one check. |
|
Turned out to be easier to check than I thought, https://github.com/electrofelix/workflow_run-test/runs/2316504875?check_suite_focus=true contains debug output of a run. The good news is I can probably simplify the checking of the |
|
Hi @chinthakagodawita, is there anything else I can do to help with this change? |
|
Amazing work @electrofelix - I've tested this and it all looks great. I've made some minor tweaks and also added support for the Released as part of v1.3.0 🎉 |
Updates to enhance security around github token handling means that PRs
merged to a target branch by github native dependabot no longer receive
a write access token by default. Instead it is required to have a push
workflow trigger a workflow_run subsequently that is provided with write
access.
To support this add a route and handler function for workflow_run events
that reuses much of the functionality from the push handler by moving
the common capabilities to a shared function.
Includes a check to skip such a workflow if it is triggered via
pull_request events instead until such time as someone can add the
required support using the existing pull_request handler for the common
pieces.
Adds tests following the same pattern for the handlePull function.
Fixes: #137