feat: Allow customization of the github.event_name check #500

Merged
merged 1 commit into from
Jan 23, 2024
Binary file added .README.md.swp
Binary file not shown.
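Review bot: `.README.md.swp` is a Vim swap file that was committed by accident alongside the README edit; drop it from this PR and consider adding `*.swp` to `.gitignore` so an editor artifact cannot land in the repository again.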
16 changes: 16 additions & 0 deletions README.md
Expand Up @@ -32,6 +32,7 @@ Error: Resource not accessible by integration
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
| `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |
| `event-name` | No | `pull_request` | Allows customizing the `github.event_name` that is used to sanity check the build and make sure its part of a Pull Request. Default is `pull_request`. Allowed values: `pull_request`, `pull_request_target`.|

## Output

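Review bot: typo in the new `event-name` table row: "make sure its part of a Pull Request" should read "it's part of a Pull Request". The row also lists "Allowed values" without saying what happens otherwise; since the value only feeds the `if:` guard in `action.yml`, any other string simply never matches `github.event_name` and the metadata step is skipped without an error, which is worth stating here so users do not mistake a silent skip for a passing check.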
Expand Down Expand Up @@ -131,6 +132,21 @@ curl -X POST \
-d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'
```

### Trigger action from a `pull_request_target` instead of `pull_request` event

[trigger_doc]: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
[security_blog]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

The action by default verifies that the [trigger][trigger_doc] is a `pull_request` event - which is the most secure and safest way to run your builds. If necessary, you can use the `event-name` property to reconfigure this verification check to support `pull_request_target` events. Make sure that you understand the [security risks][security_blog] of this behavior first. Additionally, ensure that your `checkout` action is configured properly to check out and test the right branch:

```yaml
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
```


## How to upgrade from `2.x` to new `3.x`

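Review bot: the checkout example for the `pull_request_target` case checks out by branch name, `ref: ${{ github.event.pull_request.head.ref }}`, which is what the linked security blog warns about: with `pull_request_target` the job holds the base repository's write token and secrets, and a branch ref can be pushed to after the run was approved, so the tree that gets built may not be the one that was reviewed. Suggest `ref: ${{ github.event.pull_request.head.sha }}` so the run is pinned to the reviewed commit, plus an explicit sentence that nothing from the checked-out fork (install scripts, tests) should be executed in this job, or at least `persist-credentials: false` on the checkout so the token is not left in the working tree. Minor: `actions/checkout@v3` is referenced by tag rather than a commit SHA, which is inconsistent with the supply-chain stance the surrounding paragraph takes.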
10 changes: 9 additions & 1 deletion action.yml
Expand Up @@ -40,14 +40,22 @@ inputs:
type: boolean
description: 'If true, the action will not validate the user or the commit verification status'
default: false
event-name:
type: string
description:
default: pull_request
Member

Seems like the issue of missing quotes, it should be default: 'pull_request'

Contributor Author

@climba03003 @simoneb Can someone re-run that in debug mode (I don't have permissions) - I don't quite think this is a quoting issue, but I'd like to see how the evaluation of ${{ inputs.event-name }} goes.

Collaborator

@diranged I tried a few combinations of with-and-without quotes without success, may I ask some help to fix this? The easiest way to go about it is that you create a branch for the action, where you try your fixes, and push it to a branch on your own remote.

Then you set up a repo to try out the fix where you reference your own version of the action, meaning that assuming that you call the branch "fix-event-name", you'd reference it in the workflow as

uses: diranged/github-action-merge-dependabot@fix-event-name

options:
- pull_request
- pull_request_target


runs:
using: 'composite'
steps:
- name: Fetch metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1
if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
if: github.event_name == '${{ inputs.event-name }}' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')
with:
skip-commit-verification: ${{ inputs.skip-commit-verification }}
skip-verification : ${{ inputs.skip-verification }}
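Review bot: the new guard on the `Fetch metadata` step interpolates the input as a quoted string, `github.event_name == '${{ inputs.event-name }}'`, which is what the quoting back-and-forth above is circling; in a composite action `if:` is already evaluated as an expression, so compare the values directly, `if: github.event_name == inputs.event-name && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true')`, exactly as `inputs.skip-verification` is already referenced on the same line. Two smaller points in the `inputs:` block: `description:` for `event-name` is left empty although the metadata syntax requires one (the README row text would do), and `options:` is not enforced for action inputs (that key belongs to `workflow_dispatch` inputs), so any string reaches the guard; with a value other than the two listed the condition never matches and the step is silently skipped, so either document that or add a step that fails on an unexpected value.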