diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 92ec2119f6..4f728ed2cf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,11 +16,15 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ labels:
+ - "@actions/safe-to-test'"
 - package-ecosystem: "gomod"
 directory: "/kurl_proxy"
 schedule:
 interval: "daily"
+ labels:
+ - "@actions/safe-to-test'"
 ## GitHub Actions
@@ -28,6 +32,8 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ labels:
+ - "@actions/safe-to-test'"
 ## Dockerfiles
@@ -35,13 +41,19 @@ updates:
 directory: "/deploy"
 schedule:
 interval: "weekly"
+ labels:
+ - "@actions/safe-to-test'"
 - package-ecosystem: "docker"
 directory: "/kurl_proxy/deploy"
 schedule:
 interval: "weekly"
+ labels:
+ - "@actions/safe-to-test'"
 - package-ecosystem: "docker"
 directory: "/migrations/deploy"
 schedule:
 interval: "weekly"
+ labels:
+ - "@actions/safe-to-test'"
\ No newline at end of file
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index d8f9f74630..8eb38230db 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
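Review bot: Every label added in this hunk and in the two following hunks of dependabot.yml is written as `"@actions/safe-to-test'"`, with a stray apostrophe inside the double quotes, so Dependabot would apply a label literally named `@actions/safe-to-test'`; the check `contains(github.event.pull_request.labels.*.name, '@actions/safe-to-test')` in build-test.yaml compares against the name without the apostrophe and would never match these PRs. Each entry should read `- "@actions/safe-to-test"`, and the label must also exist in the repository for Dependabot to apply it. Declaring `labels` replaces Dependabot's default labels rather than adding to them, which is worth confirming if any other automation keys on the default label. The file also ends without a trailing newline (`\ No newline at end of file`).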
@@ -14,27 +14,16 @@ concurrency:
 jobs:
 can-run-ci:
 runs-on: ubuntu-20.04
- # if the event is pull_request:
- # - this is not a fork
- # - and not dependabot
- # if the event is pull_request_target:
- # - this is dependabot
- # - or this is a fork and has label '@actions/safe-to-test'
+ # if the event is pull_request and:
+ # - it is not a fork OR it is from the dependabot
+ # - Then must have the label '@actions/safe-to-test'
 #
 # The 'pull_request_target' workflow trigger may lead to malicious PR authors being able to obtain repository write permissions or stealing repository secrets.
 # Please read https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 if: >
 ( github.event_name == 'pull_request' &&
- ( github.event.pull_request.head.repo.full_name == github.repository &&
- github.event.pull_request.user.login != 'dependabot[bot]'
- )
- )
- ||
- ( github.event_name == 'pull_request_target' &&
- ( github.event.pull_request.user.login == 'dependabot[bot]' ||
- ( github.event.pull_request.head.repo.full_name != github.repository &&
- contains(github.event.pull_request.labels.*.name, '@actions/safe-to-test')
- )
+ ( github.event.pull_request.head.repo.full_name == github.repository ||
+ contains(github.event.pull_request.labels.*.name, '@actions/safe-to-test' )
 )
 )
 steps:
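Review bot: The new comment block says the PR must be "not a fork OR from dependabot" and then "must have the label", but the added expression is `head.repo.full_name == github.repository || contains(labels, '@actions/safe-to-test')` — any same-repository PR, Dependabot's included, runs without the label, and only fork PRs need it; the comment should match, e.g. `# run when the event is pull_request and either:` / `#   - the head branch is in this repository (dependabot PRs included), or` / `#   - the PR carries the label '@actions/safe-to-test'`. Because the `pull_request_target` branch was dropped from the condition, the retained warning comment about `pull_request_target` and the workflow's `on:` trigger (outside this hunk) should be reconciled: if `pull_request_target` is still a trigger this job silently never runs for it, and if it is not the comment is stale. For the label clause to take effect on a fork PR that is labelled after opening, `on.pull_request.types` presumably needs to include `labeled`; that is also outside the hunk, so confirm. Moving the fork gate under `pull_request`, where the token is read-only and secrets are unavailable, is the safer design, so the label here acts as a CI-cost gate rather than a secrets guard. The `can-run-ci` job and the `jobs:` mapping continue past the end of the hunk.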