From 3c35a41678f075e7cf758b041244eb8f304ef1a2 Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Wed, 2 Jun 2021 18:40:56 +0200
Subject: [PATCH 1/3] Allow access to secrets for external contributors ...after requiring manual approval through GitHub Environments
---
 .github/workflows/test-deploy.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
index 7833ba152..f4286b96c 100644
--- a/.github/workflows/test-deploy.yml
+++ b/.github/workflows/test-deploy.yml
@@ -4,23 +4,27 @@ on:
 - cron: 0 0 * * *
 release:
 types: [published]
- pull_request:
+ pull_request_target:
 jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 - uses: actions/setup-node@v2
 - run: npm ci
 - run: npm run lint
 test:
 environment:
- ${{ (github.event_name == 'pull_request' &&
+ ${{ (github.event_name == 'pull_request_target' &&
 github.event.pull_request.head.repo.full_name != github.repository) &&
 'test-external' || 'test-internal' }}
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 - uses: actions/setup-node@v2
 - uses: actions/setup-python@v2
 - run: pip install tensorboard
@@ -42,6 +46,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 - uses: actions/setup-node@v2
 with:
 registry-url: https://registry.npmjs.org
@@ -73,6 +79,7 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 fetch-depth: 0
 - name: Metadata
 id: metadata
From 648efc8b9206b11ef78fc89620a5bc0af00656ff Mon Sep 17 00:00:00 2001
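Review bot: Under `pull_request_target` the run executes in the base repository's context (write-scoped `GITHUB_TOKEN`, repository secrets), and the added `ref: ${{ github.event.pull_request.head.sha || github.ref }}` checkout at @@ -4 then feeds fork-controlled code into `npm ci`, `npm run lint` and the later `pip install` step, so the `environment:` expression is the only thing standing between an unreviewed fork commit and those credentials; that only holds if the `test-external` environment is configured with required reviewers and does not itself hold the publish secrets, which the workflow should say out loud, e.g. `# Gate: 'test-external' must require manual review; fork code runs with secrets only after approval`. In this commit only `test` carries the environment, while `lint` and the jobs patched at @@ -42 and @@ -73 also check out the fork head and, as far as the hunks show, run unguarded if they are reached on this event (their enclosing jobs start outside the hunks). Each fork checkout should also set `persist-credentials: false` so the token is not written into `.git/config` where the checked-out scripts can read it. Pinning to `head.sha` rather than the PR merge ref is the right choice for an approval gate (the approved commit is what runs), but note it is then not exercised against the base branch.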
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Wed, 2 Jun 2021 18:47:05 +0200
Subject: [PATCH 2/3] Protect lint job with GitHub Environments
---
 .github/workflows/test-deploy.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
index f4286b96c..3820eec92 100644
--- a/.github/workflows/test-deploy.yml
+++ b/.github/workflows/test-deploy.yml
@@ -7,6 +7,10 @@ on:
 pull_request_target:
 jobs:
 lint:
+ environment:
+ ${{ (github.event_name == 'pull_request_target' &&
+ github.event.pull_request.head.repo.full_name != github.repository) &&
+ 'test-external' || 'test-internal' }}
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
From ce6bb16c9b0e53d59a83cc1381431f70002d3c9c Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Wed, 2 Jun 2021 19:04:09 +0200
Subject: [PATCH 3/3] Move authorization to a separate job
---
 .github/workflows/test-deploy.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
index 3820eec92..05bf502a7 100644
--- a/.github/workflows/test-deploy.yml
+++ b/.github/workflows/test-deploy.yml
@@ -6,11 +6,14 @@ on:
 types: [published]
 pull_request_target:
 jobs:
- lint:
+ authorize:
 environment:
 ${{ (github.event_name == 'pull_request_target' &&
 github.event.pull_request.head.repo.full_name != github.repository) &&
- 'test-external' || 'test-internal' }}
+ 'external' || 'internal' }}
+ runs-on: ubuntu-latest
+ lint:
+ needs: authorize
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -20,10 +23,7 @@ jobs:
 - run: npm ci
 - run: npm run lint
 test:
- environment:
- ${{ (github.event_name == 'pull_request_target' &&
- github.event.pull_request.head.repo.full_name != github.repository) &&
- 'test-external' || 'test-internal' }}
+ needs: authorize
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
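Review bot: The new `authorize` job at @@ -6 of PATCH 3/3 has `environment:` and `runs-on:` but no `steps:`; I believe the workflow parser rejects a job with no steps, in which case the gate never exists and nothing downstream runs — a no-op step such as `steps:` / `- run: echo authorized` makes it a valid, approvable job. The gate is only as wide as the `needs: authorize` edges: `lint` and `test` get one in these two hunks, but any other job that checks out `github.event.pull_request.head.sha` (the ones patched at @@ -42 and @@ -73 in PATCH 1/3) still runs without approval on this event unless it also depends on `authorize`, which the hunks do not show. That contract deserves a comment above the job for the next editor, e.g. `# Fork-PR gate: 'external' must be a protected environment with required reviewers, and every job that runs fork code must declare needs: authorize`. Renaming the environments to `external`/`internal` also means the reviewer rules configured on `test-external` have to be recreated on `external` before this lands, otherwise the approval step silently disappears.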