diff --git a/.README.md.swp b/.README.md.swp
new file mode 100644
index 00000000..9656a508
Binary files /dev/null and b/.README.md.swp differ
diff --git a/README.md b/README.md
index 0434bc27..792f50db 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ Error: Resource not accessible by integration
 | `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
 | `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
 | `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |
+| `event-name` | No | `pull_request` | Allows customizing the `github.event_name` that is used to sanity check the build and make sure its part of a Pull Request. Default is `pull_request`. Allowed values: `pull_request`, `pull_request_target`.|
 
 ## Output
 
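Review bot: The commit adds `.README.md.swp` as a new binary file; by its name this appears to be a Vim swap file for README.md, an editor artifact rather than project content, and such files can carry the unsaved buffer of the file being edited. It should be dropped from the commit (`git rm --cached .README.md.swp`) and `*.swp` added to `.gitignore` so it is not re-added later.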
@@ -131,6 +132,21 @@ curl -X POST \
   -d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'
 ```
 
+### Trigger action from a `pull_request_target` instead of `pull_request` event
+
+[trigger_doc]: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
+[security_blog]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+The action by default verifies that the [trigger][trigger_doc] is a `pull_request` event - which is the most secure and safest way to run your builds. If necessary, you can use the `event-name` property to reconfigure this verification check to support `pull_request_target` events. Make sure that you understand the [security risks][security_blog] of this behavior first. Additionally, ensure that your `checkout` action is configured properly to check out and test the right branch:
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v3
+  with:
+    ref: ${{ github.event.pull_request.head.ref }}
+    repository: ${{ github.event.pull_request.head.repo.full_name }}
+```
+
 ## How to upgrade from `2.x` to new `3.x`
 
diff --git a/action.yml b/action.yml
index 8665bcc4..7419f716 100644
--- a/action.yml
+++ b/action.yml
@@ -40,6 +40,14 @@ inputs:
     type: boolean
     description: 'If true, the action will not validate the user or the commit verification status'
     default: false
 
+  event-name:
+    type: string
+    description:
+    default: pull_request
+    options:
+      - pull_request
+      - pull_request_target
+
 runs:
   using: 'composite'
@@ -47,7 +55,7 @@ runs:
     - name: Fetch metadata
       id: dependabot-metadata
       uses: dependabot/fetch-metadata@v1
-      if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
+      if: github.event_name == '${{ inputs.event-name }}' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
       with:
         skip-commit-verification: ${{ inputs.skip-commit-verification }}
         skip-verification : ${{ inputs.skip-verification }}
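Review bot: The new `event-name` input is added with an empty `description:`, and the `options:` list beneath it is, as far as I know, not part of the action-metadata schema for `inputs` (it belongs to `workflow_dispatch` inputs of `type: choice`), so the two allowed values are documented but not enforced and any string a caller passes is accepted at runtime. Fill in the description, e.g. `description: 'The github.event_name expected for this run. Allowed values: pull_request (default) or pull_request_target.'`, and either drop `options:` or turn it into a YAML comment so the file does not suggest validation that does not happen. The value then needs to be constrained where it is consumed, in the `if:` of the fetch-metadata step in the next hunk.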
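Review bot: The new condition interpolates the input inside the expression, `github.event_name == '${{ inputs.event-name }}'`; `if:` is already an expression context, so the input can be compared directly, and with the interpolated-and-quoted form a value containing a quote can alter the shape of the expression before it is evaluated. Because nothing limits `event-name` to the two documented events, the check as written only confirms that the caller named the current event, which no longer guarantees the run belongs to a pull request as the README says this check is for. Suggest `if: (inputs.event-name == 'pull_request' || inputs.event-name == 'pull_request_target') && github.event_name == inputs.event-name && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')`. The step's `with:` block may continue past the last line of the hunk.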