Ability to override commit SHA #23
Labels: 🍩 enhancement (New feature or request), 👶 good first issue (Good for newcomers), 👋 help wanted (Extra attention is needed)
I'm running a public open source project and I want to apply annotations to PRs from forked repos. As such, I can't run the CI job with `pull_request_target` because that is a security risk[1].

The apparently correct way to do this is to let the CI job run in the forked repo's space, with the regular `pull_request` event, and then use the `workflow_run` event in my repo, to fetch artifacts from the PR run and process them.

However, to do that and then push the comments back to the originating PR, I need to be able to forcibly set the commit SHA, or the PR number.

An example would be the "Support fork repositories and dependabot branches" section of https://github.com/marketplace/actions/publish-unit-test-results and if I could have the same `commit:` argument for this action, it would be awesome.

[1] - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
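
The two-workflow split described in this issue, as an added sketch that is not from the issue author or from this action's documentation. The file names, job names, the `make test` command, the `ci-results` artifact name and the final placeholder step are assumptions; the last step stands in for whichever annotating action would accept the commit override.

```yaml
# .github/workflows/ci.yml (assumed name)
# Runs for the fork's PR with a read-only token and no repository secrets.
name: CI
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test            # assumed command that writes results/
      - uses: actions/upload-artifact@v4
        if: always()              # upload results even when tests fail
        with:
          name: ci-results
          path: results/
---
# .github/workflows/annotate.yml (assumed name)
# Runs in the base repository with write access. It never checks out PR code.
name: Annotate
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
permissions:
  actions: read                   # download artifacts from the other run
  checks: write                   # create annotations
jobs:
  annotate:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: ci-results
          path: results/
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      # Artifact contents were produced by fork code: parse them as data, never execute them.
      - name: Publish annotations (placeholder step)
        env:
          # In a workflow_run event github.sha is the default branch's commit,
          # so the PR head commit has to be passed explicitly.
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: echo "annotations would target commit $HEAD_SHA"
```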