forked from DeNA/Anjin

Mod PR labeler workflow trigger to pull_request_target
When a PR comes from a public fork, do not access the configuration file in the
pull_request trigger.

pull_request_target trigger is:

- GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork
- Runs in the context of the base of the pull request (NOT merge commit)

refs:

- TimonVS/pr-labeler-action#25 (comment)
- https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
nowsprinting committed Apr 8, 2023
1 parent e3ea7a0 commit dd60640
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/pr-labeler.yml
Expand Up @@ -4,10 +4,14 @@
name: PR Labeler

on:
pull_request:
pull_request_target:
types: [ opened ]
# Do NOT check out, build, or run untrusted code from the pull request with this event.

permissions:
contents: read
pull-requests: write

permissions: write-all
jobs:
pr-labeler:
runs-on: ubuntu-latest
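
Review bot: The `permissions:` block sits at workflow level, so any job later added to this file inherits `pull-requests: write` under `pull_request_target`, where pull requests from forks run with a write-capable token and access to secrets; consider moving the block under `pr-labeler:` so the grant is scoped to the one job that needs it. The comment after `types: [ opened ]` is the only place stating that PR code must not be checked out, and the job's steps fall outside this hunk, so confirm they contain no checkout of the PR head ref and that the labeler action is referenced by a full commit SHA rather than a movable tag, since it now runs with write permission on fork PRs.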