-
Notifications
You must be signed in to change notification settings - Fork 400
60 lines (54 loc) · 2.07 KB
/
record_pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Record PR details
# PROCESS
#
# 1. Runs in fork location upon PR creation or changes
# 2. Saves GitHub Pull Request Webhook payload
# 3. Uploads as a temporary GitHub Action Artifact with shortest retention
# USAGE
#
# see .github/workflows/on_merged_pr.yml and related for full example.
#
# on:
# workflow_run:
# workflows: ["Record PR details"]
# types:
# - completed
#
# Security Note:
#
# For security, this is intended to be a 2-step process: (1) collect PR, (2) act on PR.
# Do not ever use `pull_request_target` to "simplify", as it sends a write-token to the fork. Our linter should catch it.
#
# The first step runs in untrusted location (fork), therefore we limit permissions to only check out code.
#
# The second step will be workflows that want to act on a given PR, this time with intended permissions, and
# it runs on its base location (this repo!).
#
# This enforces zero trust where this workflow always runs on fork with zero permissions on GH_TOKEN.
# When this workflow completes, X workflows run in our repository with the appropriate permissions and sanitize inputs.
#
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated,
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions.
on:
pull_request:
types: [opened, edited, closed, labeled]
permissions:
contents: read
jobs:
record_pr:
runs-on: ubuntu-latest
permissions:
contents: read # NOTE: treat as untrusted location
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: "Extract PR details"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const script = require('.github/scripts/save_pr_details.js')
await script({github, context, core})
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: pr
path: pr.txt
retention-days: 1