Skip to content

Add example workflow to push to public PR#49

Closed
manics wants to merge 1 commit intopre-commit:masterfrom
manics:pull_request_target
Closed

Add example workflow to push to public PR#49
manics wants to merge 1 commit intopre-commit:masterfrom
manics:pull_request_target

Conversation

@manics
Copy link

@manics manics commented Sep 25, 2020

This uses https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target which is triggered by the events as pull_request, but the action runs in the context of the base repository.
This should be safe to run as long as the workflow code does not execute any code from the PR since this would otherwise expose the GITHUB_TOKEN

Note this will only work if the PR submitter enables Allow edits and access to secrets by maintainers.

I've created a test repository https://github.com/manicstreetpreacher/test-precommit-push-pr
Feel free to open a PR to try the workflow.

@manics
Add example workflow to push to public PR
3baaef6 
This uses https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target which is triggered by the events as `pull_request`, but the action runs in the context of the _base_ repository.
This should be safe to run as long as the workflow code does not execute any code from the PR since this would otherwise expose the `GITHUB_TOKEN`

Note this will only work if the PR submitter enables `Allow edits and access to secrets by maintainers`
manics
manics commented Sep 25, 2020
View reviewed changes
README.md
repository: ${{ github.event.pull_request.head.repo.full_name }}
# Use sha instead of ref because pre-commit attempts to checkout a branch with the same name
# https://github.com/pre-commit/action/blob/20242c769824ac7e54269ee9242da5bfae19c1c8/index.js#L77
ref: ${{ github.event.pull_request.head.sha }}
Copy link
Author

@manics manics Sep 25, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Originally I used ${{ github.event.pull_request.head.sha }} which checks out the branch. This led to an error because

action/index.js

Line 77 in 20242c7

await exec.exec('git', ['checkout', 'HEAD', '-b', branch]);

checks out the branch again, leading to a name clash. Using pull_request.head.sha avoids this.

@asottile
Copy link
Member

asottile commented Sep 25, 2020

this is not safe, a person could edit the github action and write code to your repository

@asottile asottile closed this Sep 25, 2020
@manics
Copy link
Author

manics commented Sep 25, 2020

Please read https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target
It runs in the context of the parent repository, so any changes made to the workflow in the PR have no effect.

@asottile
Copy link
Member

asottile commented Sep 25, 2020

there's arbitrary code execution involved, they can take that token and do whatever they want with it

@asottile
Copy link
Member

asottile commented Sep 25, 2020

please trust me, I've spent a lot of time thinking about this and there's really no way to do this without a dedicated separate service

@manics
Copy link
Author

manics commented Sep 25, 2020

Could you explain a bit more about where the arbitary code execution occurs?

@asottile
Copy link
Member

asottile commented Sep 25, 2020

in the hook executables themselves

@manics
Copy link
Author

manics commented Sep 25, 2020

OK, thanks for explaining.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@manics @asottile