From 961ad82a6e1cb4f8d625162403d2fb3a5f123115 Mon Sep 17 00:00:00 2001 From: Nick Charlton Date: Fri, 26 Jan 2024 12:57:48 +0000 Subject: [PATCH] Enable running workflows from forks (#2498) The simple `push` event doesn't support pull requests from forks where the author doesn't already have write access to the repository. This adds the default set of events on the `pull_request` event which lets forks run the test suite. In addition, this expands that pattern to our other workflows (`bundle-audit` and `codeql-analysis`), whilst restricting the `push` workflow to only occur on `main` (which should mean re-triggering workflows on merge). This is to stop duplicating the builds when triggered by an actor with write access. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request https://securitylab.github.com/research/github-actions-preventing-pwn-requests
---
 .github/workflows/bundle-audit.yml | 7 ++++++-
 .github/workflows/codeql-analysis.yml | 7 +++++--
 .github/workflows/main.yml | 9 +++++++--
 3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/bundle-audit.yml b/.github/workflows/bundle-audit.yml
index 7fc6e17341..b3d81f91f0 100644
--- a/.github/workflows/bundle-audit.yml
+++ b/.github/workflows/bundle-audit.yml
@@ -1,6 +1,11 @@
 ---
 name: Bundler Audit
-on: [push]
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    types: [opened, synchronize, reopened]
 jobs:
   audit:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9bc723b6e0..61e90e737d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,8 +1,11 @@
 ---
-name: "CodeQL"
-
+name: CodeQL
 on:
   push:
+    branches:
+      - 'main'
+  pull_request:
+    types: [opened, synchronize, reopened]
   schedule:
     - cron: '44 6 * * 4'
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4e8bfb500c..c9cf2e7fa5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,6 +1,11 @@
 ---
-name: CI
-on: [push]
+name: Tests
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    types: [opened, synchronize, reopened]
 jobs:
   test:
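Review bot: `types: [opened, synchronize, reopened]` under `pull_request` restates the event's default activity types, so the line changes nothing unless its purpose is to document that other activity types are deliberately excluded; either drop it or say so, e.g. `types: [opened, synchronize, reopened]  # the defaults, listed to make the exclusion of other activity types explicit`. The same line appears in the codeql-analysis.yml and main.yml hunks. Choosing `pull_request` rather than `pull_request_target` is the right call for running fork code: the job gets a read-only GITHUB_TOKEN and no repository secrets, which is the property the linked pwn-requests article is about. The `jobs` block continues outside the hunk, so whether the audit job expects a secret that fork runs will not have is not visible here.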
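Review bot: The new `pull_request` trigger carries no `branches` filter while the adjacent `push` trigger is restricted to `main`, so CodeQL runs for pull requests against any base branch but only for pushes to `main`; if that asymmetry is unintended, `pull_request:` followed by `branches: ['main']` keeps the two in step. It is also worth confirming that the job's `permissions` block, which lies outside this hunk, still allows the analyze step to upload its results for pull requests from forks, since those runs only have a read-only token. The change from `name: "CodeQL"` to `name: CodeQL` is cosmetic and unrelated to the trigger change.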
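Review bot: Renaming the workflow from `CI` to `Tests` changes the name that other workflows would reference in a `workflow_run: workflows: [CI]` trigger and the label shown in the Actions tab; if anything in the repository chains on the old name it will silently stop firing, so either grep for `CI` in `.github/workflows` before merging or leave `name: CI` in place and change only the triggers. With `push` now limited to `main`, branches that never open a pull request get no test run at all, which matches the stated intent but is worth one line in the description. The `jobs` block continues past the end of the hunk.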