Fix pull request permission by using pull_request_target

AnimMouse · AnimMouse · commit 6c49b7a1686a · 2021-04-10T23:18:14.000+08:00
diff --git a/.github/workflows/build-on-pull-request.yml b/.github/workflows/build-on-pull-request.yml
@@ -1,14 +1,17 @@
 name: Build FFmpeg on pull request
 on:
-  pull_request:
+  pull_request_target:
     branches:
       - main
     paths-ignore:
       - README.md
-      
+      - .github/dependabot.yml
+    types: [labeled]
+    
 jobs:
   build:
     runs-on: ubuntu-20.04
+    if: contains(github.event.pull_request.labels.*.name, 'dependencies')
     strategy:
       matrix:
         os: [win64, win32]
@@ -18,6 +21,9 @@ jobs:
         uses: actions/checkout@v2
         with:
           submodules: true
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
           
       - name: Install dependencies
         run: ./dependencies.sh
diff --git a/.github/workflows/build-on-push.yml b/.github/workflows/build-on-push.yml
@@ -5,6 +5,8 @@ on:
       - main
     paths-ignore:
       - README.md
+      - .github/dependabot.yml
+      - .github/workflows/build-on-pull-request.yml
       
 jobs:
   build:
@@ -18,6 +20,7 @@ jobs:
         uses: actions/checkout@v2
         with:
           submodules: true
+          persist-credentials: false
           
       - name: Install dependencies
         run: ./dependencies.sh
