Financial-Times / ftdomdelegate

Create and manage a DOM event delegator
MIT License
320 stars 36 forks source link

use pull_request_target and not pull_request for the safe workflows #169

Closed JakeChampion closed 3 years ago

JakeChampion commented 3 years ago

We have workflows that currently fail to run correctly for pull-requests from forks or pull-requests from dependabot. The reason is because those workflows are being triggered by the 'pull_request' event, which does will use a restricted github api token for pull-requests from forks or dependabot for security reasons.

For our workflows which are 'safe' (meaning they do not checkout the code or execute the code in the repository), we can change their trigger from 'pull_request' to 'pull_request_target', which uses a github api token with more permissions, specifically it has permission to read/use secrets, which are the things are workflows require.

Our workflows are safe, they do not checkout or execute the code from the repository, so we should change to using pull_request_target to make our workflows work for dependabot and pull-requests from forks.

origamiserviceuser commented 3 years ago

ftdomdelegate bundle size difference from 4.0.6 to 2d76bc035c03ff172fa59a10ca109421eb61f07f No significant bundle size differences found.