
Ability to override commit SHA #23

Open

cmsj opened this issue Apr 23, 2021 · 1 comment · May be fixed by #49
Labels
🍩 enhancement New feature or request 👶 good first issue Good for newcomers 👋 help wanted Extra attention is needed

Comments

@cmsj

cmsj commented Apr 23, 2021

I'm running a public open source project and I want to apply annotations to PRs from forked repos. As such, I can't run the CI job with pull_request_target because that is a security risk [1].

The apparently correct way to do this is to let the CI job run in the forked repo's space, with the regular pull_request event, and then use the workflow_run event in my repo, to fetch artifacts from the PR run and process them.

However, to do that and then push the comments back to the originating PR, I need to be able to forcibly set the commit SHA, or the PR number.

An example would be the "Support fork repositories and dependabot branches" section of https://github.com/marketplace/actions/publish-unit-test-results and if I could have the same commit: argument for this action, it would be awesome.

[1] - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

@ggrossetie
Member

Sounds reasonable, I think we will need to add a case here:

annotations-action/index.js

Lines 142 to 148 in a651a74

const pullRequest = context.payload.pull_request
let ref
if (pullRequest) {
ref = pullRequest.head.sha
} else {
ref = context.sha
}

We can use getInput to get the value of the (new) commit argument:

const commit = getInput('commit', { required: false })

Feel free to submit a pull request and make sure to update the README and action.yml file with this new argument.

@ggrossetie ggrossetie added 🍩 enhancement New feature or request 👶 good first issue Good for newcomers 👋 help wanted Extra attention is needed labels Apr 25, 2021