xalvarez / prevent-file-change-action

Fail a pull request workflow if certain files are changed
MIT License

Support pull_request_target instead of pull_request #1023

Open dp-sgr opened 1 month ago

dp-sgr commented 1 month ago

Is your feature request related to a problem? Please describe.

I want to use this action to prevent non-privileged users from modifying the .github/* folder. As far as I can see, this action would be perfect for that, and I already got it running.

BUT:

The current implementation only supports the Event "pull_request" and not "pull_request_target". This doesn't solve my issue at all, because everyone could simply modify the action in the PR (remove the action, modify the regex or add himself as a whitelisted author).

So in general: Actions which are using this Workflow can simply be manipulated by everyone with write access, which makes the action obsolete (or am I missing something?)

Describe the solution you'd like

Only support pull_request_target.

Drop support for pull_request because this could lead to the issue I described above. Or at least add this info to the documentation (where nobody can miss it).

Describe alternatives you've considered

I haven't considered an alternative yet. I like the project because I stumbled over this discussion: https://github.com/actions/starter-workflows/issues/1628

I also don't know if we can get everything to work with pull_request_target (I'm not really deep in this topic yet).

Additional context

Infos: https://github.com/actions/starter-workflows/issues/1628#issuecomment-1324172475

xalvarez commented 1 month ago

Hello @dp-sgr,

Thank you for raising this valid point, which I had not considered before.

In terms of implementation this is something that should be carefully analysed as it might include a number of changes.

Regarding releases, this would be a breaking change. I believe it would be better to start with a version that supports both events, while deprecating pull_request until it is eventually removed.

Unless you or someone else wishes to work on this, I would take care of it next week.

dp-sgr commented 1 month ago

I've provided a PR for this: #1024

xalvarez commented 1 month ago

Support for pull_request_target has been released under version 1.7.0 thanks to @dp-sgr in PR https://github.com/xalvarez/prevent-file-change-action/pull/1024.

If no unexpected issues arise, pull_request support will be deprecated and eventually removed in a future release. Since pull_request support hasn't been dropped yet, I'll leave this issue open for now.
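An added example, not part of the thread or the project's code: an audit script that flags workflows which run this action only under pull_request, where the workflow definition is taken from the PR itself, instead of pull_request_target, where it is taken from the base branch. The minimal `on:` parser, the status labels and the `@VERSION` placeholder ref are assumptions, and the sample workflows are constructed and trimmed to the relevant keys.

```python
import pathlib
import re

ACTION = "xalvarez/prevent-file-change-action"

def workflow_triggers(text):
    """Return the event names listed under the top-level `on:` key."""
    events, in_on, child_indent = set(), False, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = re.match(r"""["']?on["']?:\s*(.*)$""", line)
        if m:                                       # `on: x`, `on: [x, y]` or `on:` + block
            in_on, child_indent = True, None
            events.update(re.findall(r"[a-z_]+", m.group(1)))
        elif in_on and indent == 0:
            in_on = False                           # next top-level key ends the block
        elif in_on:
            child_indent = child_indent or indent
            if indent == child_indent:              # direct children are event names
                events.add(line.strip().lstrip("- ").split(":")[0].strip())
    return events

def classify(text):
    """Return None if the guard action is unused, else how enforceable it is."""
    if ACTION not in text:
        return None
    events = workflow_triggers(text)
    if "pull_request_target" in events:
        return "enforced"      # workflow definition is read from the base branch
    if "pull_request" in events:
        return "bypassable"    # workflow definition is read from the PR itself
    return "no-pr-trigger"

# Constructed sample workflows (VERSION is a placeholder ref, inputs omitted).
STEPS = ("jobs:\n  check:\n    runs-on: ubuntu-latest\n    steps:\n"
         f"      - uses: {ACTION}@VERSION\n")
WEAK = "on:\n  pull_request:\n    branches: [main]\n" + STEPS
HARDENED = WEAK.replace("  pull_request:", "  pull_request_target:")
INLINE = "on: [push, pull_request]\n" + STEPS

if __name__ == "__main__":
    for name, text in [("weak", WEAK), ("hardened", HARDENED), ("inline", INLINE)]:
        print(name, classify(text))
    for path in sorted(pathlib.Path(".github/workflows").glob("*.y*ml")):
        print(path, classify(path.read_text()))
```

Run from a repository root, it also classifies every file under `.github/workflows`; anything reported as `bypassable` can be edited away in the same pull request it is meant to guard.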