(ci/fix): allow prs done from bots and forks be executed when the lab…

…el safe is added
replicatedhq · Nov 10, 2022 · bd500a9 · bd500a9
1 parent ac888bc
commit bd500a9
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 16 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -16,32 +16,44 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    labels:
+      - "@actions/safe-to-test'"
 
   - package-ecosystem: "gomod"
     directory: "/kurl_proxy"
     schedule:
       interval: "daily"
+    labels:
+      - "@actions/safe-to-test'"
 
   ## GitHub Actions
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "@actions/safe-to-test'"
 
   ## Dockerfiles
 
   - package-ecosystem: "docker"
     directory: "/deploy"
     schedule:
       interval: "weekly"
+    labels:
+      - "@actions/safe-to-test'"
 
   - package-ecosystem: "docker"
     directory: "/kurl_proxy/deploy"
     schedule:
       interval: "weekly"
+    labels:
+      - "@actions/safe-to-test'"
 
   - package-ecosystem: "docker"
     directory: "/migrations/deploy"
     schedule:
       interval: "weekly"
+    labels:
+      - "@actions/safe-to-test'"
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -14,27 +14,16 @@ concurrency:
 jobs:
   can-run-ci:
     runs-on: ubuntu-20.04
-    # if the event is pull_request:
-    #   - this is not a fork
-    #   - and not dependabot
-    # if the event is pull_request_target:
-    #   - this is dependabot
-    #   - or this is a fork and has label '@actions/safe-to-test'
+    # if the event is pull_request and:
+    #   - it is not a fork OR it is from the dependabot
+    #   - Then must have the label '@actions/safe-to-test'
     #
     # The 'pull_request_target' workflow trigger may lead to malicious PR authors being able to obtain repository write permissions or stealing repository secrets.
     # Please read https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
     if: >
       ( github.event_name == 'pull_request' &&
-        ( github.event.pull_request.head.repo.full_name == github.repository &&
-          github.event.pull_request.user.login != 'dependabot[bot]'
-        )
-      )
-      ||
-      ( github.event_name == 'pull_request_target' &&
-        ( github.event.pull_request.user.login == 'dependabot[bot]' ||
-          ( github.event.pull_request.head.repo.full_name != github.repository &&
-            contains(github.event.pull_request.labels.*.name, '@actions/safe-to-test')
-          )
+        ( github.event.pull_request.head.repo.full_name == github.repository ||
+          contains(github.event.pull_request.labels.*.name, '@actions/safe-to-test' ) 
         )
       )
     steps: