build(gha): Use `pull_request_target` for acceptance workflow #21600
This changes our visual snapshots/acceptance workflow to use the `pull_request_target` event instead of `pull_request` so that we can have Visual Snapshots working on fork PRs. By default, forks do not have write access tokens, but when using `pull_request_target`, forked PRs will use the base repository workflows as the source. This ensures that secrets/APIs do not get exposed by the fork changing workflows. See https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target for more information.
Follow-up to #21489 - there are some subtleties that are described in the PR body. (Mainly: when testing and having this branch as the base branch, the workflow is cached when you create the PR, and will not be updated despite updating this branch. Also, it requires you to specify the repo + ref when checking out code). You can see test PR here: #21492 (Snapshots show the changes)
Also this PR won't be able to run acceptance 2.7 because we changed the workflow target from
Admin merging this as our
This changes our visual snapshots/acceptance workflow to use the `pull_request_target` event instead of `pull_request` so that we can have Visual Snapshots working on fork PRs. By default, forks do not have write access tokens, but when using `pull_request_target`, forked PRs will use the base repository workflows as the source. This ensures that secrets/APIs do not get exposed by the fork changing workflows. See https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target for more information.

Important notes about `pull_request_target`:
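
An added example, not taken from this PR or the project's repository: a minimal workflow showing the `pull_request_target` trigger together with the explicit repo + ref on checkout mentioned in the follow-up comment. The workflow name, job name, test command and the `actions/checkout@v4` version are assumptions made for illustration.

```yaml
# Added example. Workflow/job names and the test command are hypothetical.
name: acceptance

on:
  # The workflow file is taken from the base repository, so a fork cannot
  # change what runs by editing .github/workflows in its PR.
  pull_request_target:

# Scope the job token down: pull_request_target runs with the base
# repository's token, not the read-only token fork PRs normally get.
permissions:
  contents: read

jobs:
  acceptance:
    runs-on: ubuntu-latest
    steps:
      # Under pull_request_target, actions/checkout defaults to the base
      # repository and base ref. To test the PR's changes, the fork's
      # repository and the PR head commit must be named explicitly.
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not store the job token in the checkout's git config,
          # where code from the fork could read it.
          persist-credentials: false

      # From here on the working tree is untrusted fork content.
      # This step executes it, so it is given no secrets via env/with.
      - name: Run acceptance tests (placeholder command)
        run: ./run-acceptance-tests.sh
```

The trigger protects the workflow definition only; the code checked out by `ref` still comes from the fork, which is why the token scope and the absence of secrets on the test step matter here.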