[Chore] Run CI checks on 'pull_request'

serokell / deploy-rs

A simple multi-profile Nix-flake deploy tool.

Other

1.22k stars 100 forks source link

[Chore] Run CI checks on 'pull_request' #236

Closed rvem closed 9 months ago

rvem commented 9 months ago

Problem: We want to be able to run CI checks on PRs from external forks. However, this is only possible with 'on: pull_request', while currently CI is triggered 'on: push'

Solution: Change CI triggering condition to 'on: pull_request'.

PhilTaken commented 9 months ago

Is this not security relevant? Docker has a bunch of problems that can lead to escaping the container. Malicious PRs on selfhosted runners (if they still are for the serokell org) could exploit those vulnerabilities if not properly secured.

rvem commented 9 months ago

Is this not security relevant?

External jobs require manual approval in order to run, so this should be relatively safe as long as we check what we actually run on our CI :sweat_smile: