From 9da4f5baf4d2a499800581db411a8bd2bc347b45 Mon Sep 17 00:00:00 2001 From: chris baker Date: Sat, 28 Dec 2024 12:15:30 -0500 Subject: [PATCH] Try to use pull_request_target-triggered actions in a secure way, given those actions have access to repo secrets --- .github/workflows/R-CMD-check.yaml | 34 ++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml index 53eddc6f..b2ad92fa 100644 --- a/.github/workflows/R-CMD-check.yaml +++ b/.github/workflows/R-CMD-check.yaml @@ -1,11 +1,37 @@ # For help debugging build failures open an issue on the RStudio community with the 'github-actions' tag. # https://community.rstudio.com/new-topic?category=Package%20development&tags=github-actions -on: [push, pull_request] + +# Details on pull_request_target and why it's insecure: +# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ +# Post describing a workaround, from which we take inspiration: +# https://michaelheap.com/access-secrets-from-forks/ name: R-CMD-check +on: + push: + branches: + - master + - 'feature/**' + - 'bugfix/**' + pull_request_target: + types: [opened, synchronize] + jobs: + pre-check: + runs-on: ubuntu-latest + steps: + - name: Confirm crew102 triggered the build + run: | + if [ "${{ github.actor }}" == "crew102" ]; then + echo "Actor is crew102" + else + echo "Actor is ${{ github.actor }}, failing build." + exit 1 + fi + R-CMD-check: + needs: [pre-check] runs-on: ${{ matrix.config.os }} name: ${{ matrix.config.os }} (${{ matrix.config.r }}) @@ -29,7 +55,11 @@ jobs: PATENTSVIEW_API_KEY: ${{ secrets.PATENTSVIEW_API_KEY }} steps: - - uses: actions/checkout@v2 + - name: Checkout code + uses: actions/checkout@v3 + with: + # Use the head SHA for pull requests + ref: ${{ github.event.pull_request.head.sha || github.sha }} - uses: r-lib/actions/setup-r@v1 with:
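Review bot: The `pre-check` gate in the first hunk keys only on `github.actor`, which for a `synchronize` event is whoever last pushed to the PR head branch, not who controls the code in it; if crew102 pushes to or updates a fork-owned PR branch, the actor check passes and the `R-CMD-check` job — which in the second hunk checks out `github.event.pull_request.head.sha` with `PATENTSVIEW_API_KEY` in its environment — runs fork-controlled code with the secret available. The gate should additionally require the PR head repository to belong to a trusted owner via `github.event.pull_request.head.repo.owner.login`, which is empty on `push` events and can simply be allowed through there. The step also interpolates `${{ github.actor }}` straight into the shell script; a username's restricted character set makes that low-risk, but passing it through `env:` and reading `"$ACTOR"` is the pattern the linked pwn-requests article recommends. Whether an "Update branch" on a maintainer-editable fork PR is attributed to the maintainer as actor is inferred from the event semantics rather than visible here, so confirm it against a real run before relying on the narrower check. The rewritten step is below; the `jobs:` key and the `R-CMD-check` job (whose body continues past the end of the hunk) are unchanged.

```yaml
      - name: Confirm crew102 triggered the build from a repo crew102 controls
        env:
          ACTOR: ${{ github.actor }}
          # Empty on push events; only pull_request_target populates this.
          HEAD_OWNER: ${{ github.event.pull_request.head.repo.owner.login }}
        run: |
          if [ "$ACTOR" = "crew102" ] && { [ -z "$HEAD_OWNER" ] || [ "$HEAD_OWNER" = "crew102" ]; }; then
            echo "Actor is crew102 and head repo owner is ${HEAD_OWNER:-n/a (push event)}"
          else
            echo "Actor is $ACTOR, head repo owner is $HEAD_OWNER; failing build."
            exit 1
          fi
# … unchanged: R-CMD-check job with needs: [pre-check] …
```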