From d7b28d6b0c5564c65fdbd2f46ca6d427ff86653f Mon Sep 17 00:00:00 2001
From: Billy Vong
Date: Wed, 28 Oct 2020 13:55:56 -0700
Subject: [PATCH] build(gha): Use `pull_request_target` for acceptance workflow (#21600)

This changes our visual snapshots/acceptance workflow to use the `pull_request_target` event instead of `pull_request` so that we can have Visual Snapshots working on fork PRs. By default, forks do not have write access tokens, but when using `pull_request_target`, forked PRs will use the base repository workflows as the source. This ensures that secrets/apis do not get exposed from by the fork changing workflows. See https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target for more information.

Important notes about `pull_request_target`:
- Used to allow forks to have write-access tokens + secrets
- Ensures safety by only running workflow from the main branch
- You can test workflow changes by making your branch the base branch in a Pull Request
- Note that the workflow seems to be cached after opening the PR
  - e.g. if you make a pull request against a feature branch, the workflow that will be used is the workflow in the base branch at the point when you create the PR. From there on, you won't be able to change the workflow that is run
- You must specify the ref + repository when using the checkout action
---
 .github/workflows/acceptance.yml | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/acceptance.yml b/.github/workflows/acceptance.yml
index f4fd6c7c316ca0..d740aca2098127 100644
--- a/.github/workflows/acceptance.yml
+++ b/.github/workflows/acceptance.yml
@@ -11,7 +11,12 @@ on:
     branches:
       - master
       - releases/**
-  pull_request:
+  # XXX: We are using `pull_request_target` instead of `pull_request` because we want
+  # Visual Snapshots to run on forks. It allows forks to access secrets safely by
+  # only running workflows from the main branch. Prefer to use `pull_request` when possible.
+  #
+  # See https://github.com/getsentry/sentry/pull/21600 for more details
+  pull_request_target:
 
 jobs:
   frontend:
@@ -23,6 +28,17 @@ jobs:
       VISUAL_HTML_ENABLE: 1
     steps:
       - uses: actions/checkout@v2
+        name: Checkout sentry (pull_request_target)
+        if: github.event.pull_request.head.ref != ''
+        with:
+          # Note this is required because of `pull_request_target`, which allows
+          # forks to access secrets safely by only running workflows from the main branch.
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - uses: actions/checkout@v2
+        name: Checkout sentry (push)
+        if: github.event.pull_request.head.ref == ''
 
       - uses: volta-cli/action@v1
 
@@ -80,6 +96,17 @@ jobs:
     steps:
       - uses: actions/checkout@v2
+        name: Checkout sentry (pull_request_target)
+        if: github.event.pull_request.head.ref != ''
+        with:
+          # Note this is required because of `pull_request_target`, which allows
+          # forks to access secrets safely by only running workflows from the main branch.
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - uses: actions/checkout@v2
+        name: Checkout sentry (push)
+        if: github.event.pull_request.head.ref == ''
 
       - uses: volta-cli/action@v1
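Review bot: The fork checkout added in the second hunk (and repeated in the third) pulls the contributor's tree via `ref: ${{ github.event.pull_request.head.ref }}` / `repository: ${{ github.event.pull_request.head.repo.full_name }}` into a job that, under `pull_request_target`, holds the base repository's write token and secrets, so the inline comment's claim that this "allows forks to access secrets safely" is true only of the workflow file, not of the checked-out code that the following steps (volta-cli and whatever comes after it, outside the hunk) execute with those credentials. `head.ref` is also a mutable branch name, so the job tests whatever the branch points at when it starts rather than the reviewed commit; `ref: ${{ github.event.pull_request.head.sha }}` pins it. I would at least add `persist-credentials: false` under `with:` on the fork checkout so the token is not written into the working tree's git config, and reword the comment to say that the workflow definition comes from the base branch while the code being built is untrusted. The safer layout is to build and snapshot under `pull_request` and move only the secret-bearing upload into a separate `workflow_run` workflow that never checks out or runs fork code.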