diff options
author | Zettat123 <zettat123@gmail.com> | 2023-06-26 14:33:18 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-06-26 14:33:18 +0800 |
commit | 48e5a74f215d78813a816c57fc5a85a909a003d5 (patch) | |
tree | f0be66ae5111de6dc17ea7975e6a592a9b235f3c /services/actions | |
parent | e409e14bdfb56767c9048076f4e818757aab73b9 (diff) | |
download | gitea-48e5a74f215d78813a816c57fc5a85a909a003d5.tar.gz gitea-48e5a74f215d78813a816c57fc5a85a909a003d5.zip |
Support `pull_request_target` event (#25229)
Fix #25088
This PR adds the support for
[`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target)
workflow trigger. `pull_request_target` is similar to `pull_request`,
but the workflow triggered by the `pull_request_target` event runs in
the context of the base branch of the pull request rather than the head
branch. Since the workflow from the base is considered trusted, it can
access the secrets and doesn't need approvals to run.
Diffstat (limited to 'services/actions')
-rw-r--r-- | services/actions/notifier_helper.go | 52 |
1 files changed, 44 insertions, 8 deletions
diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go index 69c23656f2..8e6cdcf680 100644 --- a/services/actions/notifier_helper.go +++ b/services/actions/notifier_helper.go @@ -142,13 +142,46 @@ func notify(ctx context.Context, input *notifyInput) error { return fmt.Errorf("gitRepo.GetCommit: %w", err) } + var detectedWorkflows []*actions_module.DetectedWorkflow workflows, err := actions_module.DetectWorkflows(commit, input.Event, input.Payload) if err != nil { return fmt.Errorf("DetectWorkflows: %w", err) } - if len(workflows) == 0 { log.Trace("repo %s with commit %s couldn't find workflows", input.Repo.RepoPath(), commit.ID) + } else { + for _, wf := range workflows { + if wf.TriggerEvent != actions_module.GithubEventPullRequestTarget { + wf.Ref = ref + detectedWorkflows = append(detectedWorkflows, wf) + } + } + } + + if input.PullRequest != nil { + // detect pull_request_target workflows + baseRef := git.BranchPrefix + input.PullRequest.BaseBranch + baseCommit, err := gitRepo.GetCommit(baseRef) + if err != nil { + return fmt.Errorf("gitRepo.GetCommit: %w", err) + } + baseWorkflows, err := actions_module.DetectWorkflows(baseCommit, input.Event, input.Payload) + if err != nil { + return fmt.Errorf("DetectWorkflows: %w", err) + } + if len(baseWorkflows) == 0 { + log.Trace("repo %s with commit %s couldn't find pull_request_target workflows", input.Repo.RepoPath(), baseCommit.ID) + } else { + for _, wf := range baseWorkflows { + if wf.TriggerEvent == actions_module.GithubEventPullRequestTarget { + wf.Ref = baseRef + detectedWorkflows = append(detectedWorkflows, wf) + } + } + } + } + + if len(detectedWorkflows) == 0 { return nil } @@ -172,18 +205,19 @@ func notify(ctx context.Context, input *notifyInput) error { } } - for id, content := range workflows { + for _, dwf := range detectedWorkflows { run := &actions_model.ActionRun{ Title: strings.SplitN(commit.CommitMessage, "\n", 2)[0], RepoID: input.Repo.ID, OwnerID: input.Repo.OwnerID, - WorkflowID: id, + WorkflowID: dwf.EntryName, TriggerUserID: input.Doer.ID, - Ref: ref, - CommitSHA: commit.ID.String(), + Ref: dwf.Ref, + CommitSHA: dwf.Commit.ID.String(), IsForkPullRequest: isForkPullRequest, Event: input.Event, EventPayload: string(p), + TriggerEvent: dwf.TriggerEvent, Status: actions_model.StatusWaiting, } if need, err := ifNeedApproval(ctx, run, input.Repo, input.Doer); err != nil { @@ -193,7 +227,7 @@ func notify(ctx context.Context, input *notifyInput) error { run.NeedApproval = need } - jobs, err := jobparser.Parse(content) + jobs, err := jobparser.Parse(dwf.Content) if err != nil { log.Error("jobparser.Parse: %v", err) continue @@ -259,8 +293,10 @@ func notifyPackage(ctx context.Context, sender *user_model.User, pd *packages_mo } func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *repo_model.Repository, user *user_model.User) (bool, error) { - // don't need approval if it's not a fork PR - if !run.IsForkPullRequest { + // 1. don't need approval if it's not a fork PR + // 2. don't need approval if the event is `pull_request_target` since the workflow will run in the context of base branch + // see https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks + if !run.IsForkPullRequest || run.TriggerEvent == actions_module.GithubEventPullRequestTarget { return false, nil } |