Skip to content

Bump the actions group across 1 directory with 9 updates #73

Bump the actions group across 1 directory with 9 updates

Bump the actions group across 1 directory with 9 updates #73

name: Workflow Changes Warnings
on:
# Note: potential security risk from this action using pull_request_target.
# Do not add actions in here which need a checkout of the repo, and do not use any caching in here.
# See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
pull_request_target:
types:
- opened
- reopened
- synchronize
paths:
- .github/workflows/*.yml
permissions:
contents: read
jobs:
comment-concerning-workflow-changes:
name: Comment Concerning Workflow Changes
runs-on: ubuntu-latest
if: |
(github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
permissions:
pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Find Warning Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc_warning
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: |
This Pull Request modifies GitHub workflows and is coming from a fork.
- name: Create comment
if: |
(steps.fc_warning.outputs.comment-id == '') &&
(!contains(github.event.pull_request.labels.*.name, 'approved')) &&
(github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ steps.fc_warning.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
> [!WARNING]
> This Pull Request modifies GitHub Workflows and is coming from a fork.
**It is very important for the reviewer to ensure that the workflow changes are appropriate.**
edit-mode: replace
- name: Find Note Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc_note
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Workflow changes in this Pull Request have been approved!
- name: Update Comment
if: |
contains(github.event.pull_request.labels.*.name, 'approved')
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ steps.fc_note.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
> [!NOTE]
> Workflow changes in this Pull Request have been approved!
reactions: |
hooray
edit-mode: append