Commit 1366736

chore(ci): switch PR workflow from pull_request to pull_request_target for secrets (#3242)
* Update PR workflow: modify .github/workflows/pr.yaml to pull_request_target in order to access secrets

* Update PR workflow: modify .github/workflows/pr.yaml to pull_request_target in order to access secrets

* Update .github/workflows/pr.yaml
  Co-authored-by: Frank Kong <[email protected]>

* Update .github/workflows/pr.yaml
  Co-authored-by: Frank Kong <[email protected]>

* Update .github/workflows/pr.yaml
  Co-authored-by: Frank Kong <[email protected]>

---------

Co-authored-by: Frank Kong <[email protected]>

1 parent d0e30d3 commit 1366736

1 file changed: +23 -1 lines changed

.github/workflows/pr.yaml

Lines changed: 23 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -15,7 +15,11 @@
1515
name: PR
1616

1717
on:
18-
pull_request:
18+
pull_request_target:
19+
types: [opened, synchronize, reopened, ready_for_review]
20+
branches:
21+
- main
22+
- release-1.[0-9]+
1923

2024
env:
2125
TURBO_SCM_BASE: ${{ github.event.pull_request.base.sha }}
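
Review bot: The switch to `pull_request_target` at `on:` makes this workflow run in the base repository's context with secrets available to PRs from forks, and nothing in this hunk narrows the token scope. Consider adding a top-level `permissions:` block (for example `contents: read`) together with the trigger change. A short comment above `pull_request_target:` recording why secrets are needed would also help later editors notice the trigger before they add a checkout of the PR head.
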
@@ -26,12 +30,29 @@ concurrency:
2630
cancel-in-progress: true
2731

2832
jobs:
33+
authorize:
34+
# The 'external' environment is configured with the maintainers team as required reviewers.
35+
# All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
36+
# see list of approvers in OWNERS file
37+
environment:
38+
${{ github.event.pull_request.head.repo.full_name == github.repository && 'internal' || 'external' }}
39+
runs-on: ubuntu-latest
40+
steps:
41+
- name: Check if internal PR
42+
id: check
43+
run: |
44+
if [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
45+
echo "✓ Internal PR - will run with PR code"
46+
else
47+
echo "✓ External PR - will run with base branch code for security"
48+
fi
2949
build:
3050
name: Build with Node.js ${{ matrix.node-version }}
3151
runs-on: ubuntu-latest
3252
strategy:
3353
matrix:
3454
node-version: [22]
55+
needs: authorize
3556
steps:
3657
- name: Checkout
3758
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
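
Review bot: The `Check if internal PR` step only echoes. It has `id: check` but writes nothing to `$GITHUB_OUTPUT`, so the "will run with PR code" and "will run with base branch code for security" messages are not enforced by anything in this hunk, and the hunk does not show the `Checkout` step selecting a ref based on it. Either export the result (for example an `is_internal` output that the checkout steps consume) or drop the `id` and reword the messages so they do not promise behaviour the job does not control. Also pass `github.event.pull_request.head.repo.full_name` to the script through `env:` instead of interpolating `${{ }}` directly into `run:`.
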
@@ -74,6 +95,7 @@ jobs:
7495
strategy:
7596
matrix:
7697
node-version: [22]
98+
needs: authorize
7799
steps:
78100
- name: Checkout
79101
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
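
Review bot: `needs: authorize` is added per job, so the approval gate covers only the jobs that list it; this hunk and the previous one show two. Please confirm that every job in `pr.yaml` depends on `authorize` directly or transitively, since under `pull_request_target` a job without it would start for fork PRs before a maintainer approves the `external` environment. A comment next to the `authorize` job stating that new jobs must add `needs: authorize` would make the requirement harder to miss.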
