fix: permissions of validate pipelines (#1316)

* Fix permission in validate-filenames pipeline * Run Github Actions for script validation on pull_request_target with right permissions
2025-11-04 10:22:50 +00:00 · 2025-01-07 20:34:37 +01:00
parent 29b98b450b
commit 4da57bd76c
3 changed files with 43 additions and 8 deletions
--- a/.github/workflows/validate-filenames.yml
+++ b/.github/workflows/validate-filenames.yml
@@ -1,23 +1,36 @@
 name: Validate filenames

 on:
-  pull_request:
+  pull_request_target:
    paths:
      - "ct/*.sh"
      - "install/*.sh"
      - "json/*.json"
-      - ".github/workflows/validate-filenames.yml"

 jobs:
  check-files:
    name: Check changed files
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write

    steps:
+      - name: Get pull request information
+        uses: actions/github-script@v7
+        id: pr
+        with:
+          script: |
+            const { data: pullRequest } = await github.rest.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            return pullRequest;
+
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Ensure the full history is fetched for accurate diffing
+          ref: ${{ fromJSON(steps.pr.outputs.result).merge_commit_sha }}

      - name: Get changed files
        id: changed-files
--- a/.github/workflows/validate-formatting.yaml
+++ b/.github/workflows/validate-formatting.yaml
@@ -4,11 +4,10 @@ on:
  push:
    branches:
      - main
-  pull_request:
+  pull_request_target:
    paths:
      - "**/*.sh"
      - "**/*.func"
-      - ".github/workflows/validate-formatting.yaml"

 jobs:
  shfmt:
@@ -18,10 +17,22 @@ jobs:
      pull-requests: write

    steps:
+      - name: Get pull request information
+        uses: actions/github-script@v7
+        id: pr
+        with:
+          script: |
+            const { data: pullRequest } = await github.rest.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            return pullRequest;
+
      - name: Checkout code
        uses: actions/checkout@v4
        with:
-          fetch-depth: 0
+          fetch-depth: 0 # Ensure the full history is fetched for accurate diffing
+          ref: ${{ fromJSON(steps.pr.outputs.result).merge_commit_sha }}

      - name: Get changed files
        id: changed-files
--- a/.github/workflows/validate-scripts.yml
+++ b/.github/workflows/validate-scripts.yml
@@ -3,11 +3,10 @@ on:
  push:
    branches:
      - main
-  pull_request:
+  pull_request_target:
    paths:
      - "ct/*.sh"
      - "install/*.sh"
-      - ".github/workflows/validate-scripts.yml"

 jobs:
  check-scripts:
@@ -17,10 +16,22 @@ jobs:
      pull-requests: write

    steps:
+      - name: Get pull request information
+        uses: actions/github-script@v7
+        id: pr
+        with:
+          script: |
+            const { data: pullRequest } = await github.rest.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            return pullRequest;
+
      - name: Checkout code
        uses: actions/checkout@v4
        with:
-          fetch-depth: ${{ github.event_name == 'pull_request' && 2 || 0 }}
+          fetch-depth: 0 # Ensure the full history is fetched for accurate diffing
+          ref: ${{fromJSON(steps.pr.outputs.result).merge_commit_sha}}
          
      - name: Set execute permission for .sh files
        run: |