Checking out a merge commit in `pull_request_target` workflows
I am coming from https://github.com/dependabot/dependabot-core/issues/3253, where there is a lot of confusion about how to safely run actions with secrets when untrusted code from external PRs comes into play.
The bottom line is that there may be situations where you – after you have understood the risks – might want to use the `pull_request_target` event because it has access to secrets, but combine that with a checkout of the PR.
One suggested way of doing this is with

```yaml
- name: Checkout
  uses: actions/checkout@v2
  with:
    # head SHA captured in the event payload, not a ref that can still move
    ref: ${{ github.event.pull_request.head.sha }}
```

which will check out the PR head commit.
This is, however, not 100% what you'd get for a simple `uses: actions/checkout@v2` on a `pull_request` event, because that would check out a merge commit.
I wonder whether it would be possible for this action here to also support checking out such a merge commit on `pull_request_target` events?
I don’t know if creating such a merge commit involves advanced Git trickery to get-it-right™️ , so I thought this was the best place to ask.
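As an added example (not code from the issue, from actions/checkout or from dependabot-core), the script below builds the merge commit locally from a pinned head SHA and contrasts it with merging the branch ref the contributor still controls. It runs against a constructed throw-away repository: the function names, the `EVENT_HEAD_SHA` file standing in for `github.event.pull_request.head.sha`, and the `main`/`feature` branch names are all assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or actions/checkout): reproduce the
# pull_request-style merge commit from a *pinned* PR head SHA, and show why
# merging a mutable ref (the PR branch, refs/pull/N/head, refs/pull/N/merge)
# is not the same thing. Everything runs in a constructed local repository.
set -eu

# Second parent of a merge commit, i.e. the side that was merged in.
second_parent() {
  git -C "$1" rev-list --parents -n1 "$2" | cut -d' ' -f3
}

# build_merge_commit <repo> <base_ref> <head>
# Merge <head> into <base_ref> on a detached HEAD and print the merge commit.
# With <head> = the SHA captured from the event payload this is the
# "test the merged state" checkout, without trusting a ref the contributor
# can move after the workflow was triggered.
build_merge_commit() {
  local repo=$1 base_ref=$2 head=$3
  # Only accept something that resolves to a commit object in this clone.
  git -C "$repo" cat-file -e "${head}^{commit}" 2>/dev/null || return 1
  git -C "$repo" checkout -q --detach "$base_ref"
  git -C "$repo" -c user.name=ci -c user.email=ci@example.invalid \
    merge -q --no-ff --no-edit -m "Merge $head into $base_ref" "$head"
  git -C "$repo" rev-parse HEAD
}

# commit_file <repo> <file> <line> <message>: append a line and commit it.
commit_file() {
  echo "$3" >> "$1/$2"
  git -C "$1" add "$2"
  git -C "$1" commit -q -m "$4" >/dev/null
}

# setup_demo_repo: constructed scenario (not real data). Prints the repo path.
#   1. main gets a first commit
#   2. contributor branch "feature" is created (PR opened); its SHA is saved
#      in EVENT_HEAD_SHA, standing in for head.sha in the event payload
#   3. main advances, so a real merge commit is needed (no fast-forward)
#   4. the contributor pushes another commit to "feature" after the trigger,
#      so the branch ref no longer matches the recorded SHA
setup_demo_repo() {
  local repo
  repo=$(mktemp -d)
  git -C "$repo" init -q >/dev/null
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.name ci
  git -C "$repo" config user.email ci@example.invalid

  commit_file "$repo" base.txt base1 "base 1"

  git -C "$repo" checkout -q -b feature
  commit_file "$repo" feature.txt feature1 "feature 1"
  git -C "$repo" rev-parse HEAD > "$repo/EVENT_HEAD_SHA"   # head.sha at trigger time

  git -C "$repo" checkout -q main
  commit_file "$repo" base.txt base2 "base 2"

  git -C "$repo" checkout -q feature
  commit_file "$repo" feature.txt feature2 "feature 2 (pushed after trigger)"

  echo "$repo"
}

demo() {
  local repo pinned from_pinned from_ref
  repo=$(setup_demo_repo)
  pinned=$(cat "$repo/EVENT_HEAD_SHA")
  from_pinned=$(build_merge_commit "$repo" main "$pinned")
  from_ref=$(build_merge_commit "$repo" main feature)
  echo "pinned head SHA:        $pinned"
  echo "merge of pinned head:   $from_pinned (2nd parent $(second_parent "$repo" "$from_pinned"))"
  echo "merge of moving branch: $from_ref (2nd parent $(second_parent "$repo" "$from_ref"))"
  rm -rf "$repo"
}

demo
```

In a `pull_request_target` job the same merge step would follow the normal checkout of the base branch and a fetch of the payload's head SHA; that SHA is fixed at trigger time, whereas the PR branch and the `refs/pull/N/*` refs are updated whenever the contributor pushes. The merged tree still contains contributor-controlled files, so whatever runs afterwards with secrets must not execute build scripts, tests or hooks taken from it.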
Top GitHub Comments
This should work as you expected, I think.
Yeah, I mean there are probably other ways to achieve the merge and test against the merged state. But using `refs/pull/${{ github.event.number }}/merge` alone is not exactly the safest way, since it references a ref that can be updated by the outside contributor.