Skip to content

Commit

Permalink
ci(security): require access checks to pass before running unit tests (
Browse files Browse the repository at this point in the history
  • Loading branch information
zimeg authored Jan 16, 2024
1 parent f6aff2f commit 84a8f7d
Showing 1 changed file with 19 additions and 9 deletions.
28 changes: 19 additions & 9 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,15 @@ on:
- main

jobs:
unit_tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- run: npm ci && npm run build
- run: npm test

# Note: The `pull_request_target` event provides access to repository secrets!
#
# This is required to run the integration tests on PRs from forked branches.
# Any job checking out pull_request.head.sha should require the access_check.
#
# Actions require collaborator approval to start and might require a re-run.
# The proposed changes should be reviewed before approving any workflow jobs.
#
# Reference: https://michaelheap.com/access-secrets-from-forks/
access_check:
runs-on: ubuntu-latest
steps:
Expand All @@ -25,6 +25,16 @@ jobs:
echo "Action was not triggered by an organization member. Exiting now."
exit 1
unit_tests:
runs-on: ubuntu-latest
needs: access_check
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- run: npm ci && npm run build
- run: npm test

integration_test_botToken:
runs-on: ubuntu-latest
needs: access_check
Expand Down

0 comments on commit 84a8f7d

Please sign in to comment.