Open dp-sgr opened 4 weeks ago
Hello @dp-sgr,
Thank you for raising this valid point, which I had not considered before.
In terms of implementation this is something that should be carefully analysed as it might include a number of changes.
Regarding releases, this would be a breaking change. I believe it would be better to start with a version that supports both events, while deprecating pull_request until it is eventually removed.
Unless you or someone else wishes to work on this, I would take care of it next week.
I've provided a PR for this #1024
Support for pull_request_target has been released under version 1.7.0 thanks to @dp-sgr in PR https://github.com/xalvarez/prevent-file-change-action/pull/1024.
If no unexpected issues arise, pull_request support will be deprecated and eventually removed in a future release. Since pull_request support hasn't been dropped yet, I'll leave this issue open for now.
Is your feature request related to a problem? Please describe.
I want to use this action to prevent non-privileged users from modifying the .github/* folder. As far as I can see, this action would be perfect for that, and I have already got it running.
BUT:
The current implementation only supports the Event "pull_request" and not "pull_request_target". This doesn't solve my issue at all, because everyone could simply modify the action in the PR (remove the action, modify the regex or add himself as a whitelisted author).
So in general: Actions which are using this workflow can simply be manipulated by everyone with write access, which makes the action obsolete (or am I missing something?).
Describe the solution you'd like
Only support pull_request_target.
Drop support for pull_request because this could lead to the issue I described above. Or at least add this info to the documentation (where nobody can miss it).
Describe alternatives you've considered
I haven't considered an alternative yet. I like the project because I came across this discussion: https://github.com/actions/starter-workflows/issues/1628
I also don't know if we can get everything to work with pull_request_target (I'm not really deep in this topic yet).
Additional context
Info: https://github.com/actions/starter-workflows/issues/1628#issuecomment-1324172475
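
The trigger difference raised in this issue, shown as a workflow file. This is an added example, not part of the thread or the project's own documentation; the tag name `v1.7.0`, the `permissions` block, the pattern and the `trusted-maintainer` login are assumptions or placeholders.

```yaml
# .github/workflows/prevent-file-change.yml (constructed example)
name: Prevent file change

on:
  # Weak: with `pull_request`, the run uses the workflow file from the PR's
  # merge commit, so the PR author can delete this job, loosen the pattern or
  # add themselves to trustedAuthors in the same PR.
  # pull_request:
  #   branches: [main]

  # Hardened: with `pull_request_target`, the workflow file is read from the
  # base branch, so edits to it inside the PR do not affect this run.
  pull_request_target:
    branches: [main]

# pull_request_target runs hold a token for the base repository, so scope it
# down. Assumed minimal set for listing the files of a PR.
permissions:
  contents: read
  pull-requests: read

jobs:
  prevent-file-change:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout of the PR head: under
      # pull_request_target, code from the PR must not be executed.
      - name: Block changes under .github/
        # Release 1.7.0 is the version named in this thread; the exact tag
        # name is an assumption.
        uses: xalvarez/prevent-file-change-action@v1.7.0
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          pattern: '^\.github/.*'
          trustedAuthors: trusted-maintainer  # placeholder login
```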