This updates the workflow to work with PRs. Specifically, it allows external branches PRing against this repository to access the binary archive repository deploy key.

While this is potentially vulnerable, testing has determined that it is not. As described in `pr.yaml`, the `pull_request_target` workflow trigger can only activate the workflow in the base repository, not the workflow files in the PR. This means the only point of "vulnerability" would be the build script. However, the GitHub token used in the `pr` workflow has read-only access to this repository, and the SSH key to the archive repository is both used with `persist-credentials: false`, and is also read-only. The only reason the archive repository is private is to not explicitly just redistribute base Hollow Knight assets publicly. It is not actually a catastrophic security vulnerability for the files in that repository to be leaked, considering anyone who has bought Hollow Knight could do the same. 56 and I tested these things and we determined it is safe to use.
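For readers who want to see the mitigations the description lists in one place, here is an added example workflow (not the repository's own `pr.yaml`, and not code from the PR author). It assumes `actions/checkout`'s `ssh-key`, `repository`, `path` and `persist-credentials` inputs; the repository name, secret name and build script path are placeholders.

```yaml
# Added example, not this repository's pr.yaml. Shows a pull_request_target
# workflow with the mitigations the PR description names: a read-only
# GITHUB_TOKEN, and a read-only deploy key that is not persisted after checkout.
name: pr

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# GITHUB_TOKEN is limited to read-only access to this repository.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # The PR head is untrusted code. Because pull_request_target runs the
      # base repository's workflow file, the build script is the only step
      # that executes PR-controlled content, and it runs with only the
      # credentials configured below.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Read-only deploy key for the private archive repository. With
      # persist-credentials: false the key is removed from the git config
      # after the fetch, so later steps cannot reuse it for further git
      # operations. The checked-out files themselves remain readable to the
      # build step, which the description accepts as low impact.
      - uses: actions/checkout@v4
        with:
          repository: EXAMPLE_OWNER/EXAMPLE_ARCHIVE        # placeholder
          ssh-key: ${{ secrets.EXAMPLE_ARCHIVE_DEPLOY_KEY }} # placeholder secret name
          path: archive
          persist-credentials: false

      - name: Build
        run: ./build.sh   # placeholder for the repository's build script
```

The two controls operate at different layers: `permissions: contents: read` bounds what the job's `GITHUB_TOKEN` can do to this repository, while `persist-credentials: false` on the archive checkout keeps the deploy key out of `.git/config` so a later step cannot pick it up. Neither prevents the build step from reading the already checked-out archive files, which matches the description's own assessment of what a leak of that repository would mean.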