build(gha): Use pull_request_target for acceptance workflow (#21600)
This changes our visual snapshots/acceptance workflow to use the `pull_request_target` event instead of `pull_request` so that we can have Visual Snapshots working on fork PRs. By default, forks do not have write access tokens, but when using `pull_request_target`, forked PRs will use the base repository workflows as the source. This ensures that secrets/APIs do not get exposed by the fork changing workflows. See https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target for more information.

Important notes about `pull_request_target`:

- Used to allow forks to have write-access tokens + secrets
- Ensures safety by only running workflow from the main branch
- You can test workflow changes by making your branch the base branch in a Pull Request
- Note that the workflow seems to be cached after opening the PR
    - e.g. if you make a pull request against a feature branch, the workflow that will be used is the workflow in the base branch at the point when you create the PR. From there on, you won't be able to change the workflow that is run
- You must specify the ref + repository when using the checkout action
billyvg authored Oct 28, 2020
1 parent e63cce2 commit d7b28d6
Showing 1 changed file with 28 additions and 1 deletion.
29 changes: 28 additions & 1 deletion .github/workflows/acceptance.yml
@@ -11,7 +11,12 @@ on:
branches:
- master
- releases/**
pull_request:
# XXX: We are using `pull_request_target` instead of `pull_request` because we want
# Visual Snapshots to run on forks. It allows forks to access secrets safely by
# only running workflows from the main branch. Prefer to use `pull_request` when possible.
#
# See https://github.com/getsentry/sentry/pull/21600 for more details
pull_request_target:

jobs:
frontend:
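Review bot: The new comment overstates what `pull_request_target` protects. Taking the workflow definition from the base branch stops a fork from editing the workflow file, but the event also hands the job the base repository's write-scoped token and its secrets, and the checkout steps added further down in this same file then build the fork's head with that token and those secrets visible to every later step. Reword `# only running workflows from the main branch.` to say that it is the workflow file that is trusted, not the code that gets checked out, and consider keeping secret-bearing work out of this job, for example by building and testing under `pull_request` and doing only the snapshot upload that needs secrets in a separate job that consumes the produced artifact.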
@@ -23,6 +28,17 @@ jobs:
VISUAL_HTML_ENABLE: 1
steps:
- uses: actions/checkout@v2
name: Checkout sentry (pull_request_target)
if: github.event.pull_request.head.ref != ''
with:
# Note this is required because of `pull_request_target`, which allows
# forks to access secrets safely by only running workflows from the main branch.
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}

- uses: actions/checkout@v2
name: Checkout sentry (push)
if: github.event.pull_request.head.ref == ''

- uses: volta-cli/action@v1
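Review bot: `ref: ${{ github.event.pull_request.head.ref }}` checks out a branch name on the fork rather than the commit the event was raised for, so the branch can be moved between the event firing and this step running, and the code built with the base repository's token is not necessarily the code shown on the PR. Pin the checkout with `ref: ${{ github.event.pull_request.head.sha }}` (the `repository:` line is still required for forks). The `if: github.event.pull_request.head.ref != ''` guard works for `push` only because the absent `pull_request` object compares loosely equal to `''`; `if: github.event_name == 'pull_request_target'` and `if: github.event_name == 'push'` state the intent directly and do not depend on that coercion.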

@@ -80,6 +96,17 @@ jobs:

steps:
- uses: actions/checkout@v2
name: Checkout sentry (pull_request_target)
if: github.event.pull_request.head.ref != ''
with:
# Note this is required because of `pull_request_target`, which allows
# forks to access secrets safely by only running workflows from the main branch.
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}

- uses: actions/checkout@v2
name: Checkout sentry (push)
if: github.event.pull_request.head.ref == ''

- uses: volta-cli/action@v1
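Review bot: This is a verbatim copy of the checkout block from the `frontend` job above, so whatever ref pinning and `if:` conditions are settled on there have to be mirrored here, otherwise the two jobs can build different commits for the same PR. A comment pointing at the other copy, or a shared step once the two jobs can reuse one, would help keep them in sync.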

