stakater / Reloader

A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!

Home Page: https://docs.stakater.com/reloader/

qq on pull_request.yaml

chrislin22 opened this issue · comments

I have noticed that for PR: #467
https://github.com/PatrickSpies/stakater-reloader/blob/feat/chart-netpol/.github/workflows/pull_request.yaml#L4
actually changed pull_request to pull_request_target
https://github.com/stakater/Reloader/blob/master/.github/workflows/pull_request.yaml#L4
which allows a fork PR to use the base repo's secrets.
Is this a common practice? Otherwise the secret values are invisible to the fork PR.
Thanks

-cl

pull_request_target has some weird side effects, and it is only first-time contributors that require approval to run workflows; subsequent runs should work without approval. You can still switch back if you like.

Follow-up questions, please:

  1. The PR did not contain the modified file pull_request.yaml, even though there is a modification there; any reason why?
  2. If using pull_request_target, will it trigger some special approval, after which the GitHub Action runs?
  3. After the first PR got approved, for future PRs that just use pull_request, will the GitHub Action behavior be just like treating the PR as coming from a branch (able to use the base secrets)?

Thanks - I have a repo facing a similar issue.
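
An added example, not part of the original thread or the Reloader project's code: a heuristic check a maintainer could run over the text of each file in `.github/workflows/` to flag the trigger discussed above (`pull_request_target`, under which fork PRs run with the base repo's secrets), and to rate it higher when the workflow also checks out the PR's head. The sample workflow, `EXAMPLE_TOKEN` and the `audit_workflow` helper are constructed for illustration.

```python
import re

# Constructed sample workflow, not the Reloader project's actual file.
RISKY = """\
on:
  pull_request_target:
    branches: [master]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork's code
      - run: make test
        env:
          TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
"""
# Same jobs under the plain trigger: fork PRs run without the base repo's secrets.
SAFER = RISKY.replace("pull_request_target:", "pull_request:")

# Trigger forms: mapping key, list item, or inline "on: [a, b]" / "on: a".
TRIGGER = re.compile(r"^\s*(on:.*\b|-\s*)?pull_request_target\s*(:|,|\]|$)")
# A checkout "ref:" that points at the pull request's head rather than the base.
HEAD_REF = re.compile(
    r"\bref:.*(github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/)")
SECRET = re.compile(r"\bsecrets\.([A-Za-z_]\w*)")

def audit_workflow(text):
    """Line-based heuristic audit of one workflow file's text."""
    # Drop full-line and trailing comments before matching.
    lines = [l.split(" #")[0] for l in text.splitlines()
             if not l.lstrip().startswith("#")]
    result = {
        "target_trigger": any(TRIGGER.match(l) for l in lines),
        "checks_out_pr_head": any(HEAD_REF.search(l) for l in lines),
        "secrets": sorted({m for l in lines for m in SECRET.findall(l)}),
    }
    if not result["target_trigger"]:
        result["risk"] = "none"      # fork PRs do not receive the secrets
    elif result["checks_out_pr_head"]:
        result["risk"] = "high"      # fork code runs alongside base secrets
    else:
        result["risk"] = "review"    # secrets available; confirm no PR code runs
    return result

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("safer", SAFER)):
        print(name, audit_workflow(wf))
```

This is a text heuristic, not a YAML parser, so a "review" or "high" result is a prompt to read the workflow, not a verdict.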