-
Notifications
You must be signed in to change notification settings - Fork 300
32 lines (29 loc) · 1.46 KB
/
receive-fork-review.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Description: This workflow verifies that the PR is from a fork and is approved.
#
# Triggered by: PR is reviewed
name: Receive Fork Review
on:
pull_request_review:
types: [submitted]
jobs:
fetch-commit:
# only run the workflow when PR is from a fork and when the PR is reviewed and approved, and is targeting `main`.
if: |
(github.event.pull_request.head.repo.full_name != github.repository) &&
(github.event.review.state == 'approved') &&
(github.event.pull_request.base.ref == 'main')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.1.3 https://github.com/actions/checkout/commit/cd7d8d697e10461458bc61a30d094dc601a8b017
# This is intended to pass commit id, base_sha, and pr number to run-e2e-on-fork workflow.
# Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- name: Save commit ID, base sha, and pull request number
run: |
mkdir -p ./commit
echo ${{ github.event.pull_request.base.sha }} > ./commit/base_sha
echo ${{ github.event.review.commit_id }} > ./commit/commit_id
echo ${{ github.event.pull_request.number }} > ./commit/pr_number
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 https://github.com/actions/upload-artifact/commit/0b7f8abb1508181956e8e162db84b466c27e18ce
with:
name: commit
path: commit/