Merge pull request #4072 from traPtitech/forked-workflow-perm

ForkのPRでもpreview/preview-commentが動くように
traPtitech · Sep 18, 2023 · f6d5d90 · f6d5d90
2 parents 3615f6e + 0740a5c
commit f6d5d90
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
@@ -1,7 +1,8 @@
 name: preview
 
 on:
-  pull_request:
+  # pull_request_target を使うにあたって https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ の一読を推奨
+  pull_request_target:
 
 permissions:
   packages: write
@@ -10,14 +11,17 @@ env:
   IMAGE_NAME: traq-ui
 
 jobs:
-  build-preview--image:
+  build-preview-image:
     name: Build Preview Image
     runs-on: ubuntu-latest
     steps:
       - name: Set PR_NUMBER env
-        run: echo "PR_NUMBER=$(echo $GITHUB_REF | sed -e 's/[^0-9]//g')" >> $GITHUB_ENV
+        run: echo "PR_NUMBER=${{ github.event.number }}" >> $GITHUB_ENV
 
       - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
@@ -36,6 +40,7 @@ jobs:
           username: traptitech
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      # 隔離された環境でビルドを行い、write perm付きトークンをユーザーのコードに与えないよう注意すること
       - name: Build
         uses: docker/build-push-action@v4
         with:

diff --git a/.github/workflows/preview_comment.yml b/.github/workflows/preview_comment.yml
@@ -1,7 +1,8 @@
 name: Comment preview environment URL
 
 on:
-  pull_request:
+  # pull_request_target を使うにあたって https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ の一読を推奨
+  pull_request_target:
     types:
       - opened