From 7ee4787feb4e8952b2b8195c324dde33e984ebaf Mon Sep 17 00:00:00 2001
From: risvh <67486979+risvh@users.noreply.github.com>
Date: Wed, 27 Mar 2024 00:36:00 +0800
Subject: [PATCH] Made commenting on PR work when the PR's creator doesn't have write access to our repo

Relevant read: Resource not accessible by integration https://github.com/actions/first-interaction/issues/10#issuecomment-545576314 https://github.com/actions/first-interaction/issues/10#issuecomment-670968624 Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
---
 .github/workflows/readable-data-changes.yml | 11 +++++++----
 readableAssets.py | 6 +++++-
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/readable-data-changes.yml b/.github/workflows/readable-data-changes.yml
index b0974358e8..6392fce4a2 100644
--- a/.github/workflows/readable-data-changes.yml
+++ b/.github/workflows/readable-data-changes.yml
@@ -1,20 +1,23 @@
 name: Readable data changes
 on:
- pull_request:
+ pull_request_target:
 jobs:
 readable-data-changes:
 runs-on: ubuntu-latest
 steps:
+
 - uses: actions/checkout@v4
 with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
 fetch-depth: '0'
 - uses: actions/setup-python@v5
 with:
 python-version: '3.10'
-
+
 - name: Parse asset changes to be more readable
 id: readable-assets
 run: python readableAssets.py
@@ -22,8 +25,8 @@ jobs:
 REPO: ${{ github.repository }}
 REPO_PATH: ${{ github.workspace }}
 PRNUM: ${{ github.event.number }}
- COMMIT_A: ${{ github.event.pull_request.base.sha }}
- COMMIT_B: ${{ github.event.pull_request.head.sha }}
+ COMMIT_A: origin/${{ github.base_ref }}
+ COMMIT_B: HEAD
 - name: Comment on PR
 uses: thollander/actions-comment-pull-request@v2
diff --git a/readableAssets.py b/readableAssets.py
index a47d200609..4215886db2 100644
--- a/readableAssets.py
+++ b/readableAssets.py
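Review bot: Checking out `ref: ${{ github.event.pull_request.head.ref }}` from `repository: ${{ github.event.pull_request.head.repo.full_name }}` into the workspace and then running `python readableAssets.py` from that workspace means a pull request from anyone executes its own copy of readableAssets.py under `pull_request_target`, i.e. with the base repository's write-scoped GITHUB_TOKEN and secrets — the "pwn request" that the commit message's own third link warns about. The workflow also declares no `permissions:` block, so the token that script inherits is the repository default rather than only `pull-requests: write`. Keep the trusted checkout of the base repository, fetch the PR commits into it via `refs/pull/N/head` instead of checking them out, run the base copy of the script and diff by SHA, and add `permissions: contents: read / pull-requests: write` at the top of the workflow. Whether readableAssets.py reads the PR files through git (the `read_file_even_deleted` helper in the second file suggests so) or from the working tree is not visible here; if it needs a working tree, check the PR head out into a separate `path:` with `persist-credentials: false` and never execute anything from that directory.
```yaml
permissions:
  contents: read
  pull-requests: write

jobs:
  readable-data-changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # trusted base repository, not the PR head
        with:
          fetch-depth: '0'
      - name: Fetch PR head commits without checking them out
        run: git fetch origin "pull/${{ github.event.number }}/head"
      # … unchanged: setup-python step …
      - name: Parse asset changes to be more readable
        id: readable-assets
        run: python readableAssets.py
        env:
          # … unchanged: REPO, REPO_PATH, PRNUM …
          COMMIT_A: ${{ github.event.pull_request.base.sha }}
          COMMIT_B: ${{ github.event.pull_request.head.sha }}
```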
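Review bot: `COMMIT_A: origin/${{ github.base_ref }}` now resolves against the remote of whatever repository the checkout step cloned, which after this change is the head repository (the author's fork for a fork PR), so the diff base becomes the fork's copy of the target branch — possibly stale or absent — rather than the branch the PR will merge into, and `COMMIT_B: HEAD` is whatever the mutable `head.ref` pointed at when checkout ran. Diff by the immutable SHAs the event already carries, `COMMIT_A: ${{ github.event.pull_request.base.sha }}` and `COMMIT_B: ${{ github.event.pull_request.head.sha }}`, once both commits are present in a checkout of the base repository (a `git fetch origin "pull/${{ github.event.number }}/head"` after a full-depth base checkout is enough). The enclosing `env:` map begins before the hunk.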
@@ -63,7 +63,11 @@ def read_file_even_deleted(path):
 return read_txt(path)
 def run_command(command):
- output = os.popen(command).read()
+ f = os.popen(command)
+ output = f.read()
+ status = f.close()
+ if status:
+ sys.exit(1)
 return output
 def set_multiline_output(name, value):
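Review bot: The new failure path `if status: sys.exit(1)` discards everything useful: `status` is the `wait()`-encoded value returned by `f.close()` (on POSIX, where this runs, the exit code sits in the high byte) and the failing command string is never reported, so a broken `git` invocation in CI surfaces only as a bare exit code 1. Report both before exiting, e.g. `sys.exit(f"command failed (exit {os.waitstatus_to_exitcode(status)}): {command}")` — `os.waitstatus_to_exitcode` exists since Python 3.9 and the workflow pins 3.10; this assumes `sys` is imported above the hunk, which is not visible here. `os.popen` still passes `command` through a shell, so if any caller builds it from file names taken from the diff, prefer `subprocess.run([...], check=True, capture_output=True, text=True)` with an argument list, which also raises on failure and captures stderr for the message.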