  • 2108712f
    Fix size comparison workflow on fork PRs (#1214) · 2108712f
    Jed Fox authored
    This PR moves the size comparison action back to a separate workflow
    which now uses the `pull_request_target` event. This event is triggered
    at all the same times as the `pull_request` action, except that the
    workflow file content comes from the target branch of the PR, and it is
    run in the context of the repo owning the target branch. Practically,
    this means that it will still have access to post a comment even if the
    PR comes from a fork.
    
    We don’t want the build actions to be run in a `pull_request_target`
    workflow because they would get access to the secrets and be able to
    perform arbitrary actions on the repository, even from fork PRs.
    
    See the current version failing here:
    https://github.com/actualbudget/actual/actions/runs/5395184895/jobs/9797388016?pr=1122
1214.md 99 B
category: Maintenance
authors: [j-f1]

Fix the bundle size comparison workflow on fork PRs
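
The split the commit message describes can be checked mechanically. The following is an added example, not code from this repository: a line-based heuristic that flags a `pull_request_target` workflow which checks out the PR's head code. The function name `audit_workflow`, the three sample workflows and their build step are constructed for illustration, and the `permissions` check goes beyond what the commit message states.

```python
import re

# Expressions that resolve to the PR's own (possibly fork-controlled) code.
HEAD_REF = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref|refs/pull/")

def audit_workflow(text):
    """Findings for one workflow file (line-based heuristic, not a YAML parser)."""
    body = re.sub(r"(?m)(?:^|[ \t])#.*$", "", text)  # comments must not trigger rules
    if not re.search(r"\bpull_request_target\b", body):
        return []  # not a privileged fork-PR trigger
    findings = []
    if "actions/checkout" in body and HEAD_REF.search(body):
        findings.append("checks out PR head code in a pull_request_target run")
    if not re.search(r"(?m)^\s*permissions:", body):
        findings.append("no explicit permissions block")
    return findings

# Constructed sample workflows, not the repository's real files.
BUILD = """\
# not pull_request_target: the build must not see secrets
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./build.sh
"""
COMMENT = """\
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  compare:
    runs-on: ubuntu-latest
    steps:
      - run: echo "post size comparison comment"  # placeholder step
"""
RISKY = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./build.sh
"""
```

Calling `audit_workflow` on `BUILD` and `COMMENT` returns an empty list; `RISKY` returns both findings.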