PublicArchive/SpacetimeDB
2
0
Fork 0
mirror of https://github.com/clockworklabs/SpacetimeDB.git synced 2026-05-06 07:26:43 -04:00
Code Issues Packages Projects Releases Wiki Activity

CI: Use pull_request_target for PR approval check (#4615)

Browse Source 
The PR approval check workflow uses `pull_request`, which does not grant
the `GITHUB_TOKEN` write permissions for commit statuses on fork PRs.
This causes the check to silently fail on external contributions.

Switches to `pull_request_target`, which runs in the context of the base
branch and has the necessary permissions.

**Security notes** (also documented as comments in the workflow file):
- `pull_request_target` grants write access to the repository. This is
safe here because the workflow **only reads PR metadata via the GitHub
API** and never checks out, builds, or executes code from the PR branch.
- A clear `SECURITY` comment block at the top of the file explains why
`pull_request_target` is used and warns against adding a checkout step.
- An additional inline comment on the job warns against adding checkout
steps.

Co-authored-by: clockwork-labs-bot <clockwork-labs-bot@users.noreply.github.com>
This commit is contained in:
clockwork-labs-bot
2026-03-11 15:57:19 -04:00
committed by GitHub
parent 4d7db102fc
commit 3c60481d82
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/pr_approval_check.yml
+12 -1
View File
@@ -1,7 +1,17 @@
name: Review Checks
# SECURITY: This workflow uses pull_request_target so that it has write access to
# set commit statuses on external (fork) PRs. pull_request_target runs in the
# context of the base branch, which grants the GITHUB_TOKEN write permissions
# that a regular pull_request event on a fork would not have.
#
# IMPORTANT: This workflow must NEVER check out, build, or execute code from the
# PR branch. Doing so would allow a malicious fork to run arbitrary code with
# write access to the repository. This workflow only reads PR metadata via the
# GitHub API, which is safe.
on:
pull_request:
pull_request_target:
types: [opened, synchronize, reopened]
pull_request_review:
types: [submitted, dismissed]
@@ -21,6 +31,7 @@ jobs:
name: Set approval status
runs-on: ubuntu-latest
# SECURITY: Do not add a checkout step to this job. See comment at the top of this file.
steps:
- name: Evaluate and publish approval status
uses: actions/github-script@v7