Change pr-labeler workflow trigger to pull_request_target #9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When PR from public fork, Do not access configuration file in pull_request trigger. pull_request_target trigger is: - GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork - Runs in the context of the base of the pull request (NOT merge commit) refs: - TimonVS/pr-labeler-action#25 (comment) - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
Kesin11
approved these changes
Apr 8, 2023
There was a problem hiding this comment.
LGTM
refs for other @DeNA/swet member
https://madogiwa0124.hatenablog.com/entry/2022/05/29/110148
forkされたリポジトリからのPRの場合、GITHUB_TOKENが読み取り専用の権限となりsecretにもアクセス出来ない。
https://pankona.github.io/blog/2021/03/29/github-actions-pull-request-target/
これで何が困るかというと、例えば fork 元で設定している secrets にアクセスできないという点。secrets にアクセスできないということは、たとえば普通 secrets に入れておいて github actions で用いたくなるような GITHUB_TOKEN だとか SLACK_TOKEN だとか、あるいは FIREBASE_SERVICE_ACCOUNT_XXX のようなものだとかが参照できないということが起こる。
|
Thx, @Kesin11 san! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When PR from public fork, Can not access configuration file in
pull_requesttrigger.e.g., https://github.com/DeNA/Anjin/actions/runs/4633726453
pull_request_targettrigger is:Refs:
Contribution License Agreement