From 96440ab41ff82aa26e9953681257616e3024a6a5 Mon Sep 17 00:00:00 2001 From: motoki317 Date: Mon, 18 Sep 2023 07:03:46 +0900 Subject: [PATCH 1/3] allow comment (write perm) on forked PR --- .github/workflows/preview_comment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/preview_comment.yml b/.github/workflows/preview_comment.yml index 48e031fa5..a0cad3f22 100644 --- a/.github/workflows/preview_comment.yml +++ b/.github/workflows/preview_comment.yml @@ -1,7 +1,7 @@ name: Comment preview environment URL on: - pull_request: + pull_request_target: types: - opened From aa8cee647d0ab3d3d93f1115d18c776b59e5b169 Mon Sep 17 00:00:00 2001 From: motoki317 Date: Mon, 18 Sep 2023 07:10:51 +0900 Subject: [PATCH 2/3] allow (isolated) build and push of preview image from forked PR --- .github/workflows/preview.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml index 7cba8352d..5134bb966 100644 --- a/.github/workflows/preview.yml +++ b/.github/workflows/preview.yml @@ -1,7 +1,7 @@ name: preview on: - pull_request: + pull_request_target: permissions: packages: write @@ -10,14 +10,17 @@ env: IMAGE_NAME: traq-ui jobs: - build-preview--image: + build-preview-image: name: Build Preview Image runs-on: ubuntu-latest steps: - name: Set PR_NUMBER env - run: echo "PR_NUMBER=$(echo $GITHUB_REF | sed -e 's/[^0-9]//g')" >> $GITHUB_ENV + run: echo "PR_NUMBER=${{ github.event.number }}" >> $GITHUB_ENV - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@v2 @@ -36,6 +39,7 @@ jobs: username: traptitech password: ${{ secrets.GITHUB_TOKEN }} + # 隔離された環境でビルドを行い、write perm付きトークンをユーザーのコードに与えないよう注意すること - name: Build uses: docker/build-push-action@v4 with: From 0740a5c74b18573cdb939efcdfb68e7d21350a9a Mon Sep 17 00:00:00 2001 
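Review bot: Switching `on:` to `pull_request_target` in `preview_comment.yml` makes this workflow run with a write-capable GITHUB_TOKEN for pull requests from forks, and the hunk does not narrow that token; unless a `permissions:` block already exists further down the file, one scoped to what commenting needs, e.g. `permissions:` / `  pull-requests: write`, would keep the blast radius to PR comments. The remainder of the workflow is outside the hunk, so it cannot be checked here that no later step checks out or executes content from the PR head, which is the condition under which this trigger is safe. The `types:` list is also cut off at the hunk end, so the full set of triggering events is not visible.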
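Review bot: In the `build-preview-image` hunk of `preview.yml` the job now checks out `github.event.pull_request.head.sha` from a fork while the runner still holds a registry login made with the `packages: write` GITHUB_TOKEN (the `username: traptitech` / `password: ${{ secrets.GITHUB_TOKEN }}` context sits just above the added comment), so the safety of the job rests on the checked-out Dockerfile executing only inside the buildx build and never on the runner, and the added Japanese comment states that only loosely. I would make the invariant explicit, replacing that comment with `# Untrusted PR head is checked out here: no step in this job may execute checked-out code on the runner, and build-push-action must not receive secrets:/ssh: inputs, because the runner holds a packages:write token`; the same applies to the `on:` hunk of this file, where moving `permissions:` from workflow level to this job would be the least-privilege form. `PR_NUMBER=${{ github.event.number }}` looks like the right replacement, since under `pull_request_target` GITHUB_REF appears to point at the base branch and the old sed would have yielded an empty tag, but it also means a fork can now publish an image under the PR's tag, so whatever deploys that preview image should treat it as untrusted. The Build step's `with:` block continues past the end of the hunk, so its inputs cannot be verified here.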
From: motoki317 Date: Mon, 18 Sep 2023 07:16:10 +0900 Subject: [PATCH 3/3] add blog ref --- .github/workflows/preview.yml | 1 + .github/workflows/preview_comment.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml index 5134bb966..94396b144 100644 --- a/.github/workflows/preview.yml +++ b/.github/workflows/preview.yml @@ -1,6 +1,7 @@ name: preview on: + # pull_request_target を使うにあたって https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ の一読を推奨 pull_request_target: permissions: diff --git a/.github/workflows/preview_comment.yml b/.github/workflows/preview_comment.yml index a0cad3f22..f81f3f57f 100644 --- a/.github/workflows/preview_comment.yml +++ b/.github/workflows/preview_comment.yml @@ -1,6 +1,7 @@ name: Comment preview environment URL on: + # pull_request_target を使うにあたって https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ の一読を推奨 pull_request_target: types: - opened