From 48b87ad1b5f053017c63eb62b01efe07d5cb2543 Mon Sep 17 00:00:00 2001
From: Konrad Windszus
Date: Wed, 21 Jul 2021 15:14:25 +0200
Subject: [PATCH 1/5] Run PRs from forked repos with readwrite token
This closes #2653
---
 .github/workflows/maven.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 6d473287ae..65c658da73 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -1,13 +1,33 @@ name: Java CI on: + # for regular master build (after the merge) push: branches: - master + # for PRs from forked repos + # in order to write status info to the PR we require write repository token (https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/) + pull_request_target: + branches: + - master + # for PRs from ACS AEM Commons repository directly (non-forked repo) pull_request: branches: - master +# restrict privileges except for setting commit status +permissions: + actions: read + checks: read + contents: read + deployments: read + issues: read + packages: read + pull-requests: read + repository-projects: read + security-events: read + statuses: write + jobs: build: strategy:
@@ -28,6 +48,12 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 + # always act on the modified source code (even for event pull_request_target) + # is considered potentially unsafe (https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) but actions are only executed after approval from committers + with: + ref: ${{ github.event.pull_request.head.sha }} + # no additional git operations after checkout triggered in workflow, no need to store credentials + persist-credentials: false - name: Set up cache for ~/.m2/repository uses: actions/cache@v2
From bccfbbe7f9821d1facadb32f94913a7eebf8ae63 Mon Sep 17 00:00:00 2001
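Review bot: The `permissions` block in the first hunk grants `read` on eight scopes a checkout-and-build job does not use (`actions`, `checks`, `deployments`, `issues`, `packages`, `pull-requests`, `repository-projects`, `security-events`); once a `permissions` key is present every unlisted scope is already `none`, so the block can shrink to the two scopes its own comment names, `contents: read` and `statuses: write`. This matters more than usual here because the same hunk adds `pull_request_target`, which hands the base repository's token to runs triggered by fork PRs. The comment above `pull_request_target` should say so, e.g. `# runs with the base repository's token for fork PRs; keep permissions minimal`.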
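Review bot: The comment added above `with:` says the actions only run after committer approval, but that approval gate applies to `pull_request` runs from forks; `pull_request_target` runs start immediately from the base branch's workflow file without approval, and this step then checks out the PR head (`ref: ${{ github.event.pull_request.head.sha }}`), so the build steps that follow outside this hunk execute PR-supplied build configuration with the write-scoped token from the `permissions` block. `persist-credentials: false` only keeps the token out of `.git/config`; it does not stop later steps from using `GITHUB_TOKEN`. The usual defensive layout is to build under `pull_request` with a read-only token and post statuses from a separate `workflow_run`-triggered workflow that never checks out PR code; at minimum the comment should be corrected, e.g. `# NOTE: pull_request_target runs are not subject to the fork-approval gate; do not run PR-controlled code with this token`. On `push` events `github.event.pull_request` is absent, so `ref` evaluates to an empty string; actions/checkout appears to treat that as "use the triggering ref", but confirming this before relying on it would be worthwhile.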
From: Konrad Windszus
Date: Wed, 21 Jul 2021 16:47:11 +0200
Subject: [PATCH 2/5] grant some more privileges
---
 .github/workflows/maven.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 65c658da73..75b9f04e6b 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -15,15 +15,15 @@ on: branches: - master -# restrict privileges except for setting commit status +# restrict privileges except for setting commit status, adding PR comments and writing statuses permissions: actions: read - checks: read + checks: write contents: read deployments: read issues: read packages: read - pull-requests: read + pull-requests: write repository-projects: read security-events: read statuses: write
From 762b73af5c0d1a7598e42fffdf5a869ff870f0a1 Mon Sep 17 00:00:00 2001
From: Konrad Windszus
Date: Thu, 22 Jul 2021 07:52:51 +0200
Subject: [PATCH 3/5] don't restrict branches for PR event
---
 .github/workflows/maven.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 75b9f04e6b..1e8345dd52 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -8,12 +8,6 @@ on: # for PRs from forked repos # in order to write status info to the PR we require write repository token (https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/) pull_request_target: - branches: - - master - # for PRs from ACS AEM Commons repository directly (non-forked repo) - pull_request: - branches: - - master # restrict privileges except for setting commit status, adding PR comments and writing statuses permissions:
From f5701242cb921d4a9a39d9d673d6d49a13fb3efc Mon Sep 17 00:00:00 2001
From: Konrad Windszus
Date: Thu, 22 Jul 2021 08:01:59 +0200
Subject: [PATCH 4/5] add step for debugging event
---
 .github/workflows/maven.yml | 6 ++++++
 1 file changed, 6 insertions(+)
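Review bot: Widening `checks` and `pull-requests` to `write` gives every run of this workflow, including the `pull_request_target` runs that check out and build fork PR code (earlier patch in this series, outside this hunk), a token that can create check runs and write to pull requests, yet no step visible in the series uses either scope. Keep the token at `statuses: write` until a concrete step needs more, and give any PR-commenting step its own `workflow_run` job that does not check out PR code. The updated comment also repeats itself (`setting commit status` and `writing statuses`); `# restrict privileges to: commit statuses, check runs and PR comments` says what the three write scopes are for.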
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 1e8345dd52..0cf6d27423 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -8,6 +8,8 @@ on: # for PRs from forked repos # in order to write status info to the PR we require write repository token (https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/) pull_request_target: + # for PRs from ACS AEM Commons repository directly (non-forked repo) + pull_request: # restrict privileges except for setting commit status, adding PR comments and writing statuses permissions:
@@ -40,6 +42,10 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Debug Event + shell: bash + run: + echo "Event that triggered action: ${{ github.event }}" - name: Checkout uses: actions/checkout@v2 # always act on the modified source code (even for event pull_request_target)
From 2cae45b350c25e22e0a91822c2f93b85495bcde5 Mon Sep 17 00:00:00 2001
From: Konrad Windszus
Date: Thu, 22 Jul 2021 08:07:40 +0200
Subject: [PATCH 5/5] try to trigger for more action types
---
 .github/workflows/maven.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 0cf6d27423..f150661cca 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -8,8 +8,10 @@ on: # for PRs from forked repos # in order to write status info to the PR we require write repository token (https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/) pull_request_target: + types: [opened, synchronize, reopened] # for PRs from ACS AEM Commons repository directly (non-forked repo) pull_request: + types: [opened, synchronize, reopened] # restrict privileges except for setting commit status, adding PR comments and writing statuses permissions:
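Review bot: With both `pull_request_target` and `pull_request` enabled in the first hunk, a PR opened from a branch of this repository fires both events, so every push runs the full matrix twice and reports two sets of statuses. A job-level guard keeps one run per PR, e.g. `if: github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.fork`, which leaves `pull_request_target` to fork PRs only (the `jobs:` key is outside this hunk). Re-adding `pull_request` without the earlier `branches` filter also means PRs against any base branch now trigger the build; if that is intended, a comment saying so would help.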
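Review bot: `${{ github.event }}` inside `run:` in the second hunk is substituted into the script text before bash sees it, which is the script-injection pattern the security-lab article cited earlier in this file warns about, since the event payload carries PR-author-controlled strings (title, body, branch name); in addition, an object used in an expression is rendered as the literal word `Object` rather than as JSON under the expression type-coercion rules, so the step is unlikely to print what was intended. Pass the payload through the environment instead: `env:` / `EVENT_JSON: ${{ toJSON(github.event) }}` / `run: echo "$EVENT_JSON"`. The plain multi-line scalar under `run:` parses, but `run: |` is the conventional form for scripts and keeps a second command line from being folded onto the first.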
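Review bot: `types: [opened, synchronize, reopened]` lists exactly the default activity types for both `pull_request_target` and `pull_request`, so neither added line changes when the workflow runs, despite the commit title. If more triggers were wanted, the extra types have to be named explicitly (`ready_for_review` is the usual addition for draft PRs); otherwise the two lines can be dropped, or kept with a comment such as `# explicit defaults, kept for readability`. Flow style is fine for a short leaf list like this.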