Skip to content

fix: restore pull_request_target for fork PR secrets access #29

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
TooAngel wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: restore pull_request_target for fork PR secrets access #29

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 23 additions & 6 deletions .github/workflows/drift-detection.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
name: Repository Drift Detection

# Use pull_request_target to run trusted workflow from base repository
# This allows access to secrets while running code from main branch
on:
pull_request:
pull_request_target:

jobs:
detect-drift:
Expand All @@ -12,8 +14,25 @@ jobs:
contents: read

steps:
- name: Checkout code
# Checkout the base repository (main branch) - trusted code
- name: Checkout base repository
uses: actions/checkout@v4
with:
ref: main

# Checkout PR's REPOSITORIES.md to see what changes are proposed
- name: Checkout PR REPOSITORIES.md
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
sparse-checkout: |
REPOSITORIES.md
sparse-checkout-cone-mode: false
path: pr-files

# Copy PR's REPOSITORIES.md to working directory
- name: Use PR's REPOSITORIES.md
run: cp pr-files/REPOSITORIES.md REPOSITORIES.md

- name: Setup Node.js
uses: actions/setup-node@v4
Expand Down Expand Up @@ -63,8 +82,6 @@ jobs:
cat sync-preview.md >> $GITHUB_STEP_SUMMARY

- name: Comment PR with drift report and sync preview
# Skip commenting on fork PRs (no write permissions), but drift report is available in workflow summary above
if: github.event.pull_request.head.repo.full_name == github.repository
uses: actions/github-script@v7
with:
script: |
Expand Down Expand Up @@ -107,7 +124,7 @@ jobs:
- name: Check drift detection result
if: steps.drift.outputs.exit_code != '0'
run: |
echo "❌ Transfer blocked: worlddriven lacks admin permission on source repository"
echo "❌ Transfer blocked: worlddriven-migrate app not installed on source repository"
echo "Review the drift report in the workflow summary above"
echo "Grant worlddriven admin access to the source repository to unblock"
echo "Install the worlddriven-migrate app on the source repository to unblock"
exit 1