From 8a30bdff926343fd7220286ed0438da22fb7bc43 Mon Sep 17 00:00:00 2001
From: Edward McFarlane
Date: Tue, 20 Aug 2024 16:33:08 -0400
Subject: [PATCH 1/3] Disable PR comment by default from forks Forked PRs can fail to access the secrets for the repository. This can fail on trying to comment the results from CI on the PR. Disable comments for all forked by default.
---
 action.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index 3566fad..632fab0 100644
--- a/action.yml
+++ b/action.yml
@@ -56,8 +56,9 @@ inputs:
 pr_comment:
 description: |-
 Comment on the pull request with the results of each step. The workflow and job name combination must be unique.
+ Only runs on pull requests from non forked repositories.
 required: false
- default: ${{ github.event_name == 'pull_request' }}
+ default: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
 
 input:
 description: |-
From 68932c92e9d991c6ffc685decab1603a03c44c7b Mon Sep 17 00:00:00 2001
From: Edward McFarlane
Date: Tue, 20 Aug 2024 16:38:20 -0400
Subject: [PATCH 2/3] Cover push and archive steps
---
 README.md | 6 +++---
 action.yml | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 7c7d9d6..54195da 100644
--- a/README.md
+++ b/README.md
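Review bot: The new `pr_comment` default in the `@@ -56,8 +56,9 @@` hunk treats every same-repository pull request as able to comment, but Dependabot pull requests also satisfy `head.repo.full_name == github.repository`, and GitHub runs them with a read-only `GITHUB_TOKEN` and no repository secrets unless the workflow grants more through `permissions`. If the comment step needs write access to the pull request (the step is not visible in this hunk), those runs could still fail the way the commit message describes for forks. Consider extending the expression with `&& github.actor != 'dependabot[bot]'`, or state in the description that the calling workflow must grant `pull-requests: write` for the comment to be posted. The `inputs` mapping starts above this hunk.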
@@ -67,14 +67,14 @@ Add these parameters under the `with` section of the `uses` step in the workflow
 | `paths` | Limit to specific files or directories (separated by newlines). | |
 | `exclude_imports` | Exclude files imported by the target modules. | False |
 | `exclude_paths` | Exclude specific files or directories, e.g. "proto/a/a.proto", "proto/a" (separated by newlines). | |
-| `pr_comment` | Comment the results on the pull request. The workflow and job name combination must be unique. | Only on pull requests |
+| `pr_comment` | Comment the results on the pull request. The workflow and job name combination must be unique. | Only on pull requests (non forks) |
 | `format` | Whether to run the formatting step. | Runs on pushes to Git PR |
 | `lint` | Whether to run the linting step. | Runs on pushes to Git PR |
 | `breaking` | Whether to run the breaking change detection step. | Runs on pushes to Git PR |
 | `breaking_against` | [Input](https://buf.build/docs/reference/inputs) to compare against. | Base of the PR or the commit before the event |
-| `push` | Whether to run the push step. | Runs on Git pushes |
+| `push` | Whether to run the push step. | Runs on Git pushes (non forks) |
 | `push_disable_create` | Disables repository creation if it does not exist. | False |
-| `archive` | Whether to run the archive step. | Runs on Git deletes |
+| `archive` | Whether to run the archive step. | Runs on Git deletes (non forks) |
 | `setup_only` | Setup only the `buf` environment, optionally logging into the BSR, but without executing other commands. | |
 | `github_actor` | GitHub actor for API requests. | Actor from GitHub context |
 | `github_token` | GitHub token for API requests. Ensures requests aren't rate limited | Token from GitHub context |
diff --git a/action.yml b/action.yml
index 632fab0..2592eb0 100644
--- a/action.yml
+++ b/action.yml
@@ -116,9 +116,9 @@ inputs:
 
 push:
 description: |-
- Whether to run the push step. Runs by default on pushes.
+ Whether to run the push step. Runs by default on pushes, for non forked repositories.
 required: false
- default: ${{ github.event_name == 'push' }}
+ default: ${{ github.event_name == 'push' && github.event.pull_request.head.repo.full_name == github.repository }}
 push_disable_create:
 description: |-
 Disables repository creation if it does not exist. Defaults to false.
@@ -127,9 +127,9 @@ inputs:
 
 archive:
 description: |-
- Whether to run the archive step. Runs by default on deletes.
+ Whether to run the archive step. Runs by default on deletes, for non forked repositories.
 required: false
- default: ${{ github.event_name == 'delete' }}
+ default: ${{ github.event_name == 'delete' && github.event.pull_request.head.repo.full_name == github.repository }}
 
 outputs:
 buf_version:
From ef87d13a7112fc98da174616a859c502aacfa493 Mon Sep 17 00:00:00 2001
From: Edward McFarlane
Date: Tue, 20 Aug 2024 17:09:07 -0400
Subject: [PATCH 3/3] Revert push & delete by default don't run on forks
---
 action.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/action.yml b/action.yml
index 2592eb0..aac3a10 100644
--- a/action.yml
+++ b/action.yml
@@ -56,7 +56,7 @@ inputs:
 pr_comment:
 description: |-
 Comment on the pull request with the results of each step. The workflow and job name combination must be unique.
- Only runs on pull requests from non forked repositories.
+ Only runs on pull requests, for non forked repositories.
 required: false
 default: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
 
@@ -118,7 +118,7 @@ inputs:
 description: |-
 Whether to run the push step. Runs by default on pushes, for non forked repositories.
 required: false
- default: ${{ github.event_name == 'push' && github.event.pull_request.head.repo.full_name == github.repository }}
+ default: ${{ github.event_name == 'push' }}
 push_disable_create:
 description: |-
 Disables repository creation if it does not exist. Defaults to false.
@@ -129,7 +129,7 @@ inputs:
 description: |-
 Whether to run the archive step. Runs by default on deletes, for non forked repositories.
 required: false
- default: ${{ github.event_name == 'delete' && github.event.pull_request.head.repo.full_name == github.repository }}
+ default: ${{ github.event_name == 'delete' }}
 
 outputs:
 buf_version:
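Review bot: The description kept as context in the `@@ -118,7 +118,7 @@` hunk still reads `Runs by default on pushes, for non forked repositories.` although the default is back to `github.event_name == 'push'` with no fork check. The `@@ -129,7 +129,7 @@` hunk has the same mismatch for `archive`, and the README rows changed in patch 2/3 still say `(non forks)`. A reader relying on that text would assume a fork guard that the expression no longer provides. Restore the earlier wording, `Whether to run the push step. Runs by default on pushes.` and `Whether to run the archive step. Runs by default on deletes.`, and drop `(non forks)` from the two README rows. The `push` and `archive` entries both start above their hunks.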