Open cmsj opened 3 years ago
Sounds reasonable, I think we will need to add a case here:
We can use getInput
to get the value of the (new) commit
argument:
const commit = getInput('commit', { required: false })
Feel free to submit a pull request and make sure to update the README and action.yml file with this new argument.
I'm running a public open source project and I want to apply annotations to PRs from forked repos. As such, I can't run the CI job with
pull_request_target
because that is a security risk[1].The apparently correct way to do this is to let the CI job run in the forked repo's space, with the regular
pull_request
event, and then use theworkflow_run
event in my repo, to fetch artifacts from the PR run and process them.However, to do that and then push the comments back to the originating PR, I need to be able to forcibly set the commit SHA, or the PR number.
An example would be the "Support fork repositories and dependabot branches" section of https://github.com/marketplace/actions/publish-unit-test-results and if I could have the same
commit:
argument for this action, it would be awesome.[1] - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/