Skip to content

Commit

Permalink
Merge pull request #3398 from camilamacedo86/fix-ci-run
Browse files Browse the repository at this point in the history
(ci/fix): allow prs done from bots OR from forks be executed ONLY when they have the label @actions/safe-to-test'
  • Loading branch information
camilamacedo86 authored Nov 10, 2022
2 parents ac888bc + bd500a9 commit 939172d
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 16 deletions.
12 changes: 12 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,32 +16,44 @@ updates:
directory: "/"
schedule:
interval: "daily"
labels:
- "@actions/safe-to-test'"

- package-ecosystem: "gomod"
directory: "/kurl_proxy"
schedule:
interval: "daily"
labels:
- "@actions/safe-to-test'"

## GitHub Actions

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
labels:
- "@actions/safe-to-test'"

## Dockerfiles

- package-ecosystem: "docker"
directory: "/deploy"
schedule:
interval: "weekly"
labels:
- "@actions/safe-to-test'"

- package-ecosystem: "docker"
directory: "/kurl_proxy/deploy"
schedule:
interval: "weekly"
labels:
- "@actions/safe-to-test'"

- package-ecosystem: "docker"
directory: "/migrations/deploy"
schedule:
interval: "weekly"
labels:
- "@actions/safe-to-test'"
21 changes: 5 additions & 16 deletions .github/workflows/build-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,27 +14,16 @@ concurrency:
jobs:
can-run-ci:
runs-on: ubuntu-20.04
# if the event is pull_request:
# - this is not a fork
# - and not dependabot
# if the event is pull_request_target:
# - this is dependabot
# - or this is a fork and has label '@actions/safe-to-test'
# if the event is pull_request and:
# - it is not a fork OR it is from the dependabot
# - Then must have the label '@actions/safe-to-test'
#
# The 'pull_request_target' workflow trigger may lead to malicious PR authors being able to obtain repository write permissions or stealing repository secrets.
# Please read https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
if: >
( github.event_name == 'pull_request' &&
( github.event.pull_request.head.repo.full_name == github.repository &&
github.event.pull_request.user.login != 'dependabot[bot]'
)
)
||
( github.event_name == 'pull_request_target' &&
( github.event.pull_request.user.login == 'dependabot[bot]' ||
( github.event.pull_request.head.repo.full_name != github.repository &&
contains(github.event.pull_request.labels.*.name, '@actions/safe-to-test')
)
( github.event.pull_request.head.repo.full_name == github.repository ||
contains(github.event.pull_request.labels.*.name, '@actions/safe-to-test' )
)
)
steps:
Expand Down

0 comments on commit 939172d

Please sign in to comment.