From ae062434c5c4bdd943e32233de06806dcc7b45a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?=
Date: Mon, 16 Sep 2024 10:24:33 +0200
Subject: [PATCH] Ensure Trusted Code Checkout in GitHub Actions Workflow (#7034)
* feat: Ensure Trusted Code Checkout in GitHub Actions Workflow
* fix: update GitHub event name
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/lighthouse.yml | 2 +-
 .github/workflows/lint-and-tests.yml | 4 ++--
 .github/workflows/translations-pr.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ea6321e64705f..429e097ad6117 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -68,7 +68,7 @@ jobs:
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 # Provides the Pull Request commit SHA or the GitHub merge group ref
- ref: ${{ github.event.pull_request.head.sha || github.ref }}
+ ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
 # We only need to fetch the last commit from the head_ref
 # since we're not using the `--filter` operation from turborepo
 # We don't use the `--filter` as we always want to force builds regardless of having changes or not
diff --git a/.github/workflows/lighthouse.yml b/.github/workflows/lighthouse.yml
index 1af1b9395b57d..d4b48cb0326ab 100644
--- a/.github/workflows/lighthouse.yml
+++ b/.github/workflows/lighthouse.yml
@@ -46,7 +46,7 @@ jobs:
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 # Provides the Pull Request commit SHA or the GitHub merge group ref
- ref: ${{ github.event.pull_request.head.sha || github.ref }}
+ ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
 - name: Add Comment to PR
 # Signal that a lighthouse run is about to start
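Review bot: The context comment directly above the changed `ref:` line, `# Provides the Pull Request commit SHA or the GitHub merge group ref`, is now stale in all five hunks (build.yml, lighthouse.yml, both lint-and-tests.yml hunks and translations-pr.yml): the new expression selects the PR head SHA only when `github.event_name == 'pull_request_target'` and otherwise falls back to `github.ref`, so a plain `pull_request` run no longer checks out `head.sha`. Suggested replacement: `# Check out the PR head SHA only under pull_request_target; for every other event use the triggering ref (e.g. the merge group ref)`. The expression relies on `&&` binding tighter than `||` in the GitHub expression grammar, which it does; parenthesizing the left operand, `ref: ${{ (github.event_name == 'pull_request_target' && github.event.pull_request.head.sha) || github.ref }}`, would make that intent visible without changing the result. Under `pull_request_target` the step still checks out the contributor's commit into a job that has the base repository's token and secrets, so the safety of this pattern rests on the remainder of the `with:` block (e.g. `persist-credentials: false`), the job's `permissions:`, and which later steps execute code from the checked-out tree — none of which is visible in these hunks, and the `on:` triggers are not shown either, so whether these jobs actually run under `pull_request_target` is inferred from the new condition rather than read from the diff.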
diff --git a/.github/workflows/lint-and-tests.yml b/.github/workflows/lint-and-tests.yml
index 8caf0fcdfc051..092527331bee4 100644
--- a/.github/workflows/lint-and-tests.yml
+++ b/.github/workflows/lint-and-tests.yml
@@ -73,7 +73,7 @@ jobs:
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 # Provides the Pull Request commit SHA or the GitHub merge group ref
- ref: ${{ github.event.pull_request.head.sha || github.ref }}
+ ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
 - name: Restore Lint Cache
 uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
@@ -167,7 +167,7 @@ jobs:
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 # Provides the Pull Request commit SHA or the GitHub merge group ref
- ref: ${{ github.event.pull_request.head.sha || github.ref }}
+ ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
 # The Chromatic (@chromaui/action) Action requires a full history of the current branch in order to be able to compare
 # previous changes and previous commits and determine which Storybooks should be tested against and what should be built
 fetch-depth: 0
diff --git a/.github/workflows/translations-pr.yml b/.github/workflows/translations-pr.yml
index fa89f6dbb8495..54b312f846393 100644
--- a/.github/workflows/translations-pr.yml
+++ b/.github/workflows/translations-pr.yml
@@ -73,7 +73,7 @@ jobs:
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 # Provides the Pull Request commit SHA or the GitHub merge group ref
- ref: ${{ github.event.pull_request.head.sha || github.ref }}
+ ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
 - name: Restore Lint Cache
 uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2