🔧 (test.yml): update workflow to trigger on pull_request_target event…

…s instead of pull_request events for better control and security 🔧 (test.yml): add permissions for contents and pull-requests to ensure proper access rights 🔧 (test.yml): add an authorization step to differentiate between internal and external pull requests for enhanced security 🔧 (test.yml): set up a dependency between the authorization step and the build-test job for proper execution order
liquibase · Jun 14, 2024 · 917ab14 · 917ab14
1 parent aad8f96
commit 917ab14
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,14 +2,26 @@ name: Build and Test
 
 on:
   workflow_dispatch:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - reopened
       - synchronize
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
+
+  authorize:
+    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
   build-test:
+    needs: authorize
     uses: liquibase/build-logic/.github/workflows/[email protected]
     secrets: inherit
     with: