Closed annajung closed 2 years ago
cc @Bubblyworld @lukemarsden
I think it might need repository: ${{github.event.pull_request.head.repo.full_name}} as well, but not sure 🤔
Thanks, let me double check later today and will make changes as needed.
Update, tested that it works without the repository defined and is able to get the correct pull request head with changes. When the repository is set, the workflow actually fails with a repo not found error.
Whoops, sorry! 😅
No worries! It was a good suggestion, I also did see some posts where others also recommend adding the repository field when it fails to retrieve the pull request head. I don't think it's the case here, so I think it would be okay without it! :)
Signed-off-by: Anna Jung (VMware) antheaj@vmware.com
fixes https://github.com/SAME-Project/same-project/issues/61#event-6311428443
Based on the Keeping your GitHub Actions and workflows secure blog post, explicit PR checkout is insecure when running against untrusted code. However, with the condition to run only if the ok-to-test label exists, this does remediate the issue (which is also stated in the blog post).
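An added example of the label-gated pull_request_target workflow the commit message describes. This is illustrative code, not the project's own workflow file: the workflow and job names, the action versions, and the `make test` placeholder are assumptions; only the `ok-to-test` label name and the `head.sha` checkout come from the discussion above. The gate is the `if:` condition on the test job; without it, pull_request_target would run the fork's code with the base repository's token and secrets. Because a label stays on the PR when the author pushes more commits, the example runs tests only on the `labeled` event and strips the label again on `synchronize`, so every new push needs a fresh maintainer approval.

```yaml
# Added example, not the project's workflow. Runs untrusted PR code only
# after a maintainer applies the "ok-to-test" label, and revokes that
# approval whenever new commits are pushed.
name: pr-tests   # assumed name

on:
  pull_request_target:
    types: [labeled, synchronize]

# Least privilege by default; the revoke job raises its own scope below.
permissions:
  contents: read

jobs:
  test:
    # The gate: run only when a maintainer has just applied the label,
    # not merely because the label is present on the PR.
    if: github.event.action == 'labeled' && github.event.label.name == 'ok-to-test'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Check out the exact commit that was approved. No "repository:"
          # field is needed: the PR head commit is reachable from the base
          # repository, as tested in the thread above.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the base repository's token in the checkout's
          # git config where the untrusted build could read it.
          persist-credentials: false
      - run: make test   # placeholder for the project's real test command

  revoke-approval:
    # A push after approval would otherwise carry the label forward to
    # code nobody has reviewed, so drop it and require re-labelling.
    if: github.event.action == 'synchronize' && contains(github.event.pull_request.labels.*.name, 'ok-to-test')
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/github-script@v6
        with:
          script: |
            await github.rest.issues.removeLabel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              name: 'ok-to-test',
            });
```

Note that the test job never runs on `opened` or `synchronize`, only on the `labeled` event for this one label, and the checkout step is the first point at which fork-controlled content touches the runner; nothing before it (and no step with write permissions) should execute PR-supplied code.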