summaryrefslogtreecommitdiffstats
path: root/services
diff options
context:
space:
mode:
authorZettat123 <zettat123@gmail.com>2023-06-26 08:33:18 +0200
committerGitHub <noreply@github.com>2023-06-26 08:33:18 +0200
commit48e5a74f215d78813a816c57fc5a85a909a003d5 (patch)
treef0be66ae5111de6dc17ea7975e6a592a9b235f3c /services
parentFix CLI sub-command handling (#25501) (diff)
downloadforgejo-48e5a74f215d78813a816c57fc5a85a909a003d5.tar.xz
forgejo-48e5a74f215d78813a816c57fc5a85a909a003d5.zip
Support `pull_request_target` event (#25229)
Fix #25088 This PR adds the support for [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) workflow trigger. `pull_request_target` is similar to `pull_request`, but the workflow triggered by the `pull_request_target` event runs in the context of the base branch of the pull request rather than the head branch. Since the workflow from the base is considered trusted, it can access the secrets and doesn't need approvals to run.
Diffstat (limited to 'services')
-rw-r--r--services/actions/notifier_helper.go52
1 files changed, 44 insertions, 8 deletions
diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go
index 69c23656f2..8e6cdcf680 100644
--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@@ -142,13 +142,46 @@ func notify(ctx context.Context, input *notifyInput) error {
return fmt.Errorf("gitRepo.GetCommit: %w", err)
}
+ var detectedWorkflows []*actions_module.DetectedWorkflow
workflows, err := actions_module.DetectWorkflows(commit, input.Event, input.Payload)
if err != nil {
return fmt.Errorf("DetectWorkflows: %w", err)
}
-
if len(workflows) == 0 {
log.Trace("repo %s with commit %s couldn't find workflows", input.Repo.RepoPath(), commit.ID)
+ } else {
+ for _, wf := range workflows {
+ if wf.TriggerEvent != actions_module.GithubEventPullRequestTarget {
+ wf.Ref = ref
+ detectedWorkflows = append(detectedWorkflows, wf)
+ }
+ }
+ }
+
+ if input.PullRequest != nil {
+ // detect pull_request_target workflows
+ baseRef := git.BranchPrefix + input.PullRequest.BaseBranch
+ baseCommit, err := gitRepo.GetCommit(baseRef)
+ if err != nil {
+ return fmt.Errorf("gitRepo.GetCommit: %w", err)
+ }
+ baseWorkflows, err := actions_module.DetectWorkflows(baseCommit, input.Event, input.Payload)
+ if err != nil {
+ return fmt.Errorf("DetectWorkflows: %w", err)
+ }
+ if len(baseWorkflows) == 0 {
+ log.Trace("repo %s with commit %s couldn't find pull_request_target workflows", input.Repo.RepoPath(), baseCommit.ID)
+ } else {
+ for _, wf := range baseWorkflows {
+ if wf.TriggerEvent == actions_module.GithubEventPullRequestTarget {
+ wf.Ref = baseRef
+ detectedWorkflows = append(detectedWorkflows, wf)
+ }
+ }
+ }
+ }
+
+ if len(detectedWorkflows) == 0 {
return nil
}
@@ -172,18 +205,19 @@ func notify(ctx context.Context, input *notifyInput) error {
}
}
- for id, content := range workflows {
+ for _, dwf := range detectedWorkflows {
run := &actions_model.ActionRun{
Title: strings.SplitN(commit.CommitMessage, "\n", 2)[0],
RepoID: input.Repo.ID,
OwnerID: input.Repo.OwnerID,
- WorkflowID: id,
+ WorkflowID: dwf.EntryName,
TriggerUserID: input.Doer.ID,
- Ref: ref,
- CommitSHA: commit.ID.String(),
+ Ref: dwf.Ref,
+ CommitSHA: dwf.Commit.ID.String(),
IsForkPullRequest: isForkPullRequest,
Event: input.Event,
EventPayload: string(p),
+ TriggerEvent: dwf.TriggerEvent,
Status: actions_model.StatusWaiting,
}
if need, err := ifNeedApproval(ctx, run, input.Repo, input.Doer); err != nil {
@@ -193,7 +227,7 @@ func notify(ctx context.Context, input *notifyInput) error {
run.NeedApproval = need
}
- jobs, err := jobparser.Parse(content)
+ jobs, err := jobparser.Parse(dwf.Content)
if err != nil {
log.Error("jobparser.Parse: %v", err)
continue
@@ -259,8 +293,10 @@ func notifyPackage(ctx context.Context, sender *user_model.User, pd *packages_mo
}
func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *repo_model.Repository, user *user_model.User) (bool, error) {
- // don't need approval if it's not a fork PR
- if !run.IsForkPullRequest {
+ // 1. don't need approval if it's not a fork PR
+ // 2. don't need approval if the event is `pull_request_target` since the workflow will run in the context of base branch
+ // see https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks
+ if !run.IsForkPullRequest || run.TriggerEvent == actions_module.GithubEventPullRequestTarget {
return false, nil
}