From 917ab14aa1fe5d78478792b06bae72594bfcb173 Mon Sep 17 00:00:00 2001
From: jandroav
Date: Fri, 14 Jun 2024 09:24:24 +0200
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=A7=20(test.yml):=20update=20workf?=
 =?UTF-8?q?low=20to=20trigger=20on=20pull=5Frequest=5Ftarget=20events=20in?=
 =?UTF-8?q?stead=20of=20pull=5Frequest=20events=20for=20better=20control?=
 =?UTF-8?q?=20and=20security=20=F0=9F=94=A7=20(test.yml):=20add=20permissi?=
 =?UTF-8?q?ons=20for=20contents=20and=20pull-requests=20to=20ensure=20prop?=
 =?UTF-8?q?er=20access=20rights=20=F0=9F=94=A7=20(test.yml):=20add=20an=20?=
 =?UTF-8?q?authorization=20step=20to=20differentiate=20between=20internal?=
 =?UTF-8?q?=20and=20external=20pull=20requests=20for=20enhanced=20security?=
 =?UTF-8?q?=20=F0=9F=94=A7=20(test.yml):=20set=20up=20a=20dependency=20bet?=
 =?UTF-8?q?ween=20the=20authorization=20step=20and=20the=20build-test=20jo?=
 =?UTF-8?q?b=20for=20proper=20execution=20order?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/test.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 28decf16..0ca4cdc2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,14 +2,26 @@ name: Build and Test
 
 on:
   workflow_dispatch:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - reopened
       - synchronize
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
+
+  authorize:
+    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
   build-test:
+    needs: authorize
     uses: liquibase/build-logic/.github/workflows/os-extension-test.yml@v0.7.8
     secrets: inherit
     with:
From 2bf3bc18fd5c06176a8e9d9c3c21c81c8a244336 Mon Sep 17 00:00:00 2001
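Review bot: The `authorize` job's single `- run: true` step enforces nothing on its own; under `pull_request_target` the run already carries the base repository's secrets (`secrets: inherit` on `build-test`) and the new workflow-level `contents: write`/`pull-requests: write` token, so the gate only holds if the `external` environment is configured in repository settings with required reviewers, which this file can neither express nor verify. Record that dependency next to the job so a future editor does not treat it as a real check, e.g. `# 'external' must require reviewers in repo settings; without that this gate is a no-op`. Consider also moving the write grants from the workflow level onto the `build-test` job so `authorize` itself runs with the default token. Patch 2/2 adds the same structure to .github/workflows/test-harness.yml and this note applies there as well.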
From: jandroav
Date: Fri, 14 Jun 2024 09:26:02 +0200
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=A7=20(test-harness.yml):=20switch?=
 =?UTF-8?q?=20from=20'pull=5Frequest'=20to=20'pull=5Frequest=5Ftarget'=20e?=
 =?UTF-8?q?vent=20to=20trigger=20workflow=20on=20pull=20requests=20from=20?=
 =?UTF-8?q?forks=20for=20better=20security=20=F0=9F=94=A7=20(test-harness.?=
 =?UTF-8?q?yml):=20add=20permissions=20for=20contents=20and=20pull-request?=
 =?UTF-8?q?s=20to=20write=20to=20enable=20necessary=20actions=20in=20the?=
 =?UTF-8?q?=20workflow=20=F0=9F=94=A7=20(test-harness.yml):=20introduce=20?=
 =?UTF-8?q?an=20'authorize'=20job=20to=20handle=20external=20pull=20reques?=
 =?UTF-8?q?ts=20and=20set=20up=20necessary=20permissions=20=F0=9F=94=A7=20?=
 =?UTF-8?q?(test-harness.yml):=20add=20a=20'needs'=20directive=20to=20ensu?=
 =?UTF-8?q?re=20'authorize'=20job=20runs=20before=20'setup'=20job=20for=20?=
 =?UTF-8?q?proper=20workflow=20execution?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/test-harness.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test-harness.yml b/.github/workflows/test-harness.yml
index cbcbb195..fa9fc2f7 100644
--- a/.github/workflows/test-harness.yml
+++ b/.github/workflows/test-harness.yml
@@ -1,6 +1,6 @@
 name: Liquibase Test Harness for BigQuery
 on:
-  pull_request:
+  pull_request_target:
     branches:
       - '*'
   push:
@@ -14,8 +14,20 @@ on:
 env:
   tf_version: 'latest'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
+
+  authorize:
+    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
   setup:
+    needs: authorize
     runs-on: ubuntu-latest
     permissions:
       contents: 'read'
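Review bot: The workflow-level `permissions:` block added before `jobs:` grants `contents: write` and `pull-requests: write` to every job in this file that does not declare its own `permissions:`, while `setup` directly below already narrows itself to `contents: 'read'`; the broad default therefore only benefits jobs outside this hunk, which is hard to audit in a workflow now triggered by `pull_request_target`. Prefer a read-only default at the top, `permissions:` / `  contents: read`, and attach the write grants to the specific job that needs them. The `setup` job continues past the end of the hunk, so whether any later job actually relies on the inherited write token cannot be confirmed from here.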