
chore: Change clear-pr-caches trigger to pull_request_target #4083

Merged
merged 2 commits into from
Nov 11, 2024

Conversation

KapJI
Contributor

@KapJI KapJI commented Nov 11, 2024

This is actually mentioned in docs: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#managing-caches

To run the following example on cross-repository pull requests or pull requests from forks, you can trigger the workflow with the pull_request_target event. If you do use pull_request_target to trigger the workflow, there are security considerations to keep in mind.

The security consideration here is that running or building PR code in this workflow is unsafe. But as this workflow doesn't do that, it's fine.

More notes on security are in "warning" section here: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target

Also implement cache removal manually using the example from the docs. This reduces the security risk further if the action owner modifies the code and the action is updated without an audit of the changes.
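As an added example (not the chezmoi workflow from this PR), here is a cache-cleanup workflow in the shape of the docs example linked above: it is triggered by pull_request_target so it also runs for fork PRs with a write-capable token, never checks out or executes PR code, and scopes the token to actions: write. The workflow name, the closed trigger type and the --limit value are assumptions.

```yaml
# Added example, not the chezmoi workflow from this PR. Follows the shape of
# the GitHub docs "managing caches" example referenced in the description.
name: clear-pr-caches

on:
  pull_request_target:
    types: [closed]

jobs:
  cleanup:
    runs-on: ubuntu-latest
    # Least privilege: the token only needs to list and delete caches.
    # Metadata: read is granted implicitly.
    permissions:
      actions: write
    steps:
      # Deliberately no actions/checkout and no step that builds or runs
      # anything from the PR head: pull_request_target runs in the base
      # repository's context, so executing contributor-controlled code here
      # would expose the privileged token to it.
      - name: Delete caches created for this PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          # Caches written by PR runs are scoped to the merge ref, not to the
          # fork branch, so that is the ref to filter on.
          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
        run: |
          echo "Fetching cache ids for $BRANCH"
          cache_ids=$(gh cache list --ref "$BRANCH" --limit 100 --json id --jq '.[].id')
          # Do not fail the job if a cache has already expired or been deleted.
          set +e
          for id in $cache_ids; do
            gh cache delete "$id"
          done
          echo "Done"
```

The only PR-controlled value the job consumes is the integer PR number, which is used to build a ref string and never evaluated as code.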

@KapJI KapJI marked this pull request as ready for review November 11, 2024 13:31
Collaborator

@halostatue halostatue left a comment


👍

@twpayne twpayne merged commit 41796ca into twpayne:master Nov 11, 2024
21 checks passed
@twpayne
Owner

twpayne commented Nov 11, 2024

Thank you @KapJI for the code and @halostatue for the review :)

@KapJI KapJI deleted the fix-clear-caches-3 branch November 11, 2024 20:20
@KapJI
Contributor Author

KapJI commented Nov 11, 2024

It's finally working as expected:

GITHUB_TOKEN Permissions
  Actions: write
  Metadata: read

https://github.com/twpayne/chezmoi/actions/runs/11785535444/job/32826975597

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 19, 2024

3 participants