stakater / Reloader

A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!
https://docs.stakater.com/reloader/
Apache License 2.0
7.65k stars, 511 forks

qq on pull_request.yaml #485

Open chrislin22 opened 1 year ago

chrislin22 commented 1 year ago

I have noticed that PR https://github.com/stakater/Reloader/pull/467 (https://github.com/PatrickSpies/stakater-reloader/blob/feat/chart-netpol/.github/workflows/pull_request.yaml#L4) actually changed pull_request to pull_request_target (https://github.com/stakater/Reloader/blob/master/.github/workflows/pull_request.yaml#L4), which allows a fork PR to use the base repo's secrets. Is this a common practice? Otherwise the secret values are invisible to the fork PR. Thanks

-cl

karl-johan-grahn commented 1 year ago

pull_request_target has some weird side effects, and it is only first-time contributors that require approval to run workflows; subsequent runs should work without approval. You can still switch back if you like.

chrislin22 commented 1 year ago

Follow-up questions, please:

  1. The PR did not contain the modified file pull_request.yaml, even though there is a modification there. Any reason why?
  2. If using pull_request_target, will it trigger some special approval, and only after that the GitHub Action runs?
  3. After the first PR got approved, for future PRs, if we just use pull_request, will the GitHub Action behavior be just like treating a PR from a branch (able to use the base secret)? Thanks - I have a repo facing a similar issue.
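
As an added example (not part of the thread and not the Reloader project's code), the following check flags the combination that makes pull_request_target risky: a run that has the base repo's secrets and also checks out the fork's PR head. The two sample workflows, the secret name EXAMPLE_TOKEN and the function name audit are constructed for illustration, and the check is a line-based heuristic rather than a YAML parser.

```python
import re

# Constructed sample workflows for illustration; not the Reloader project's files.
FORK_SAFE = """\
on:
  pull_request:
    branches: [master]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""
RISKY = """\
on:
  pull_request_target:   # runs in the base repository's context
    branches: [master]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
"""

# Trigger appears inline after "on:", as a mapping key, or as a list item.
TRIGGER = re.compile(r"""^\s*(?:["']?on["']?:.*\bpull_request_target\b|-?\s*pull_request_target\s*:?\s*$)""")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/")
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)")

def audit(workflow_text):
    """Line-based check (no YAML parser): trigger, PR-head references, secrets used."""
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in workflow_text.splitlines()]
    privileged = any(TRIGGER.search(l) for l in lines)
    head_lines = [n for n, l in enumerate(lines, 1) if PR_HEAD.search(l)]
    secrets = sorted({m for l in lines for m in SECRET.findall(l)})
    if not privileged:
        verdict = "ok"        # fork PRs run without the base repo's secrets
    elif head_lines:
        verdict = "high"      # fork-controlled code is referenced in a privileged run
    else:
        verdict = "review"    # privileged trigger; confirm no PR code is built or run
    return {"verdict": verdict, "head_checkout_lines": head_lines, "secrets": secrets}

if __name__ == "__main__":
    for name, text in (("fork-safe", FORK_SAFE), ("risky", RISKY)):
        print(name, audit(text))
```

A "review" verdict means the workflow uses pull_request_target without referencing the PR head, which still needs a manual look at what the job builds or runs.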