add pull_request_target support (#1024)
* add pull_request_target support

* fix typo in readme

* Fix broken unit test

* Add pull_request_target to test workflow

* Update README

* Prepare version 1.7.0

---------

Co-authored-by: Xavier Alvarez <[email protected]>
dp-sgr and xalvarez authored Oct 11, 2024
1 parent ccbe483 commit b4af752
Showing 10 changed files with 3,333 additions and 2,544 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -3,6 +3,9 @@ on:
pull_request:
branches:
- main
pull_request_target:
branches:
- main

permissions:
pull-requests: read
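Review bot: adding `pull_request_target` next to the existing `pull_request` trigger means every pull request now fires both events, so this workflow runs twice per PR; if the goal is coverage for fork PRs, consider keeping only one trigger or gating one of the two runs with an `if: github.event_name == ...` condition on the jobs. The visible top-level `permissions: pull-requests: read` is the right restriction to keep, because on `pull_request_target` the default `GITHUB_TOKEN` would otherwise carry write access to the base repository.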
Expand All @@ -13,6 +16,8 @@ jobs:
steps:
- name: Clone git repository
uses: actions/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Set up Node.js
uses: actions/[email protected]
with:
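Review bot: with `ref: ${{ github.event.pull_request.head.sha || github.sha }}` this job checks out the contributor's code on the `pull_request_target` event, where the run has access to the repository's secrets; any dependency installation or test step that follows the Node.js setup will then execute scripts from the PR head in that privileged context, which is the pattern the README's linked "preventing pwn requests" post warns about. Consider using the head SHA only under `pull_request`, or running the `pull_request_target` variant of this job without secrets.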
Expand All @@ -27,6 +32,8 @@ jobs:
steps:
- name: Clone git repository
uses: actions/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Run action locally
uses: ./
with:
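Review bot: `uses: ./` after checking out `github.event.pull_request.head.sha` runs the action implementation from the pull request head, so on `pull_request_target` a PR can replace the action's own code and have it run with the base repository's token and secrets. If this self-test must run for fork PRs, make sure the job gets no secrets beyond the read-only `GITHUB_TOKEN` shown in the `permissions` block, or require a maintainer approval or label before the job starts; the `|| github.sha` fallback for non-PR runs is fine as written.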
19 changes: 14 additions & 5 deletions README.md
Expand Up @@ -19,21 +19,30 @@ Syntax:

The action has the following inputs:

* `githubToken`: (**Required**) The GitHub token used to authenticate with the GitHub API.
- `githubToken`: (**Required**) The GitHub token used to authenticate with the GitHub API.
This is typically the `GITHUB_TOKEN` secret provided by GitHub Actions.
* `pattern`: (**Required**) A JavaScript [regular expression](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)
- `pattern`: (**Required**) A JavaScript [regular expression](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)
that matches the filenames (including path) of files which must not be changed. For example,
`.*\.example` would match any file with the `.example` extension.
* `trustedAuthors`: (**Optional**) A comma-separated list of GitHub usernames. If a pull request is
- `trustedAuthors`: (**Optional**) A comma-separated list of GitHub usernames. If a pull request is
opened by any of these authors, the action will not fail even if the pull request modifies a file
that matches the pattern.
* `allowNewFiles`: (**Optional**) A boolean value that determines whether new files that match the
- `allowNewFiles`: (**Optional**) A boolean value that determines whether new files that match the
pattern should be allowed in the pull request. If set to `true`, the action will not fail even if
a new file that matches the pattern is added in the pull request. If not provided or set to
`false`, the action will fail if a new file that matches the pattern is added.

> [!IMPORTANT]
> This Action supports pull request events only.
> This Action supports pull_request and pull_request_target events only.
> [!CAUTION]
> If you are using the pull_request event, users can manipulate your workflow and add themselves as trusted authors,
> change the pattern, or manipulate the protecting workflow otherwise.
>
> pull_request_target always relies on the action of the target branch.
> Please be aware that the protecting workflow should follow GitHub's security recommendations for pull_request_target.
> You can find more information in the [docs](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target)
> or [this blog post](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).
## GITHUB_TOKEN permissions

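Review bot: the `> [!CAUTION]` line follows the `> This Action supports pull_request and pull_request_target events only.` line with no blank line between them, so GitHub renders both as a single blockquote and the CAUTION alert is lost; insert an empty line between the two blocks (and one before `## GITHUB_TOKEN permissions` for good measure). In the CAUTION text, "pull_request_target always relies on the action of the target branch" would be clearer as "always runs the workflow and action code from the target (base) branch", since that is exactly the property that makes the `pull_request` warning true: under `pull_request` the workflow file and the action code come from the PR branch and can be edited by the author.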
15 changes: 13 additions & 2 deletions __tests__/main.test.ts
Expand Up @@ -80,14 +80,25 @@ describe('main', () => {
expect(core.setFailed).not.toHaveBeenCalled()
})

it('Should fail when event name is not pull_request', async () => {
it('Should support pull_request_target event', async () => {
context.eventName = 'pull_request_target'

await run()

expect(getChangedFilesSpy).toHaveBeenCalled()
expect(core.setFailed).not.toHaveBeenCalled()
})

it('Should fail when event name is not pull_request or pull_request_target', async () => {
context.eventName = 'push'

await run()

expect(getChangedFilesSpy).not.toHaveBeenCalled()
expect(checkChangedFilesAgainstPatternSpy).not.toHaveBeenCalled()
expect(core.setFailed).toHaveBeenCalledWith('Only pull_request events are supported. Event was: push')
expect(core.setFailed).toHaveBeenCalledWith(
'Only pull_request and pull_request_targets events are supported. Event was: push'
)
})

it('Should fail when pull request payload is missing', async () => {
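Review bot: the expected failure message asserts `pull_request_targets` (plural), which is not the event name; because the test compares the exact string, the implementation presumably carries the same typo, so correct it to `pull_request_target` in both the source and this expectation. The new `Should support pull_request_target event` case could also assert that `checkChangedFilesAgainstPatternSpy` was called, mirroring the negative case below it, so it proves the pattern check actually ran rather than only that changed files were fetched.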
37 changes: 24 additions & 13 deletions dist/LICENSE
