Merge branch 'main' into repo-sync

EzequielYa · Apr 22, 2021 · 3e6ab94 · 3e6ab94
2 parents 1cd1aac + 9d0b96d
commit 3e6ab94
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 0 deletions.
diff --git a/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png b/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png
diff --git a/...ent/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md b/...ent/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md
@@ -0,0 +1,19 @@
+---
+title: Approving workflow runs from public forks
+intro: 'When a first-time contributor submits a pull request to a public repository, a maintainer with write access must approve any workflow runs.'
+product: '{% data reusables.gated-features.actions %}'
+versions:
+  free-pro-team: '*'
+---
+
+Forks of public repositories can submit pull requests that propose changes to a repository's {% data variables.product.prodname_actions %} workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes. To help prevent this, workflows on pull requests are not run automatically if they are received from first-time contributors, and must be approved first.
+
+Maintainers with write access to the repository can use the following procedure to review and run workflows on pull requests from first-time contributors. After a contributor has at least one pull request merged into a project's repository, any future pull requests from that contributor's fork will automatically run workflows.
+
+{% data reusables.repositories.sidebar-pr %}
+{% data reusables.repositories.choose-pr-review %}
+{% data reusables.repositories.changed-files %}
+1. Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the `.github/workflows/` directory that affect workflow files.
+1. If you are comfortable with running workflows on the pull request branch, return to the {% octicon "comment-discussion" aria-label="The discussion icon" %} **Conversation** tab, and under "Workflow(s) awaiting approval", click **Approve and run**.
+
+   ![Approve and run workflows](/assets/images/help/pull_requests/actions-approve-and-run-workflows-from-fork.png)
diff --git a/content/actions/managing-workflow-runs/index.md b/content/actions/managing-workflow-runs/index.md
@@ -26,6 +26,7 @@ versions:
 {% link_in_list /manually-running-a-workflow %}
 {% link_in_list /re-running-a-workflow %}
 {% link_in_list /canceling-a-workflow %}
+{% link_in_list /approving-workflow-runs-from-public-forks %}
 {% link_in_list /reviewing-deployments %}
 {% link_in_list /disabling-and-enabling-a-workflow %}
 {% link_in_list /deleting-a-workflow-run %}

diff --git a/data/reusables/developer-site/pull_request_forked_repos_link.md b/data/reusables/developer-site/pull_request_forked_repos_link.md
@@ -10,6 +10,10 @@ When you create a pull request from a forked repository to the base repository,
 
 Workflows don't run on forked repositories by default. You must enable GitHub Actions in the **Actions** tab of the forked repository.
 
+{% if currentVersion == "free-pro-team@latest"%}
+When a first-time contributor submits a pull request to a public repository, a maintainer with write access must approve running workflows on the pull request. For more information, see "[Approving workflow runs from public forks](/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)."
+{% endif %}
+
 {% data reusables.actions.forked-secrets %} The permissions for the `GITHUB_TOKEN` in forked repositories is read-only. For more information, see "[Authenticating with the GITHUB_TOKEN](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)."
 
 {% note %}