SAME-Project / same-project

https://sameproject.ml/
Apache License 2.0

Add explicit PR checkout to github actions #90

Closed annajung closed 2 years ago

annajung commented 2 years ago

Signed-off-by: Anna Jung (VMware) antheaj@vmware.com

fixes https://github.com/SAME-Project/same-project/issues/61#event-6311428443

Based on the "Keeping your GitHub Actions and workflows secure" blog post, explicit PR checkout is insecure when running against untrusted code. However, with the condition to run only if the ok-to-test label exists, this does remediate the issue (which is also stated in the blog post).
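The gating pattern described in this comment, as an added illustration that is not the SAME-Project workflow itself; the workflow and job names are assumed, only the ok-to-test label comes from the discussion:

```yaml
# Added example (not the project's own workflow). Contrast: an ungated
# pull_request_target job that checks out and runs the PR head executes
# untrusted code with the base repository's write token and secrets.
name: pr-tests

on:
  pull_request_target:
    # labeled: fires when a maintainer applies ok-to-test.
    # synchronize: later pushes re-run while the label is still present,
    # so remove the label when a fresh review should be required.
    types: [labeled, synchronize]

jobs:
  test:
    # Gate: only proceed once a maintainer has applied the ok-to-test label,
    # i.e. has looked at the change before it runs with privileges.
    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Explicit checkout of the PR head commit; without `ref`,
          # pull_request_target checks out the base branch, not the PR.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the privileged token in .git/config for the
          # (now vetted, but still third-party) build steps that follow.
          persist-credentials: false
      - run: make test
```

Without the `if:` gate, the `ref:` line alone would be the insecure configuration the blog post warns about; the label check is what makes the explicit checkout acceptable.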

annajung commented 2 years ago

cc @Bubblyworld @lukemarsden

Bubblyworld commented 2 years ago

I think it might need repository: ${{github.event.pull_request.head.repo.full_name}} as well, but not sure 🤔

annajung commented 2 years ago

Thanks, let me double check later today and will make changes as needed.

annajung commented 2 years ago

Update: I tested that it works without the repository defined and is able to get the correct pull request head with changes. When the repository is set, the workflow actually fails with a "repo not found" error.

Bubblyworld commented 2 years ago

Whoops, sorry! 😅

annajung commented 2 years ago

No worries! It was a good suggestion; I also did see some posts where others recommend adding the repository field when it fails to retrieve the pull request head. I don't think that's the case here, so I think it would be okay without it! :)