Closed posquit0 closed 2 years ago
Ah, noticed a gotcha in #403 - it won't run any of the workflows, including the one to add this welcome message, until manually approved. Can that be set on a per-workflow basis?
In general, GitHub doesn't allow the write action to the repository by PR from outside collaborators. This is especially true if the pull request author's arbitrary action code can be executed. The pull_request event triggers an action on the changed code base. On the other hand, the pull_request_target event is safe because it triggers an action in the base branch codebase, and therefore grants write permission to the repository by default.
Yeah, that just seems a shame when it's just to add a message like this.
Seems to me it would be safe to be able to say 'run this specific workflow, as it is on master' (so you're asserting it's a safe workflow, doesn't execute anything the user has provided, and also not allowing the user to edit the workflow itself). But I don't think GitHub supports it.
Background
400
pull-request-labeler and welcome action are not working for PRs by outside contributors.
Problem Solving
pull_request_target event type has read and write permission to the repository.
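A check for the condition raised in the discussion above: a pull_request_target workflow runs with a write-capable token, so it should not fetch or execute anything the PR author supplied. This is an added example, not code from this repository; the two sample workflows, the finding names and the regex heuristics are constructed for illustration.

```python
import re

# Constructed sample workflows (not taken from the repository in this thread).
SAFE_WELCOME = """\
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  welcome:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/first-interaction@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          pr-message: "Thanks for your first PR!"
"""
RISKY_BUILD = """\
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

# Heuristic patterns; a line-based scan, not a full YAML parse.
HEAD_REF = re.compile(r"\bref:\s*.*(github\.event\.pull_request\.head\.|refs/pull/)")
PERMISSIONS = re.compile(r"^\s*permissions\s*:", re.M)

def audit_workflow(text):
    """Return findings for one workflow file; [] means nothing was flagged."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return []  # not a pull_request_target workflow, out of scope here
    findings = []
    if HEAD_REF.search(body):
        findings.append("checks-out-pr-head")       # PR-supplied code enters the job
    if not PERMISSIONS.search(body):
        findings.append("no-explicit-permissions")  # token keeps default scopes
    return findings

if __name__ == "__main__":
    for name, wf in (("welcome", SAFE_WELCOME), ("build", RISKY_BUILD)):
        print(name, audit_workflow(wf))
```

The welcome-style workflow passes because it never checks out the PR head and declares its token scope; the build-style one is flagged on both counts.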