Problem
When a pull request is created from a fork and the workflow runs (via the `pull_request` event), it has no access to the secrets of the base repository. This is sensible for security, but there might be situations where you want to allow the pull request to run, for example after reviewing it and confirming it has no malicious changes.

Example PR: ipfs/ipfs-blog#707
What should we do?
We should document how to deal with this case in the README.md with all the risks involved. Since this action doesn't make any assumptions or dictate your workflow, it's ultimately up to users of this action to decide how to use it.
It may be possible to use the `pull_request_target` event for this purpose.
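A sketch of the reviewed-run pattern the issue asks to document, as an added example that is not part of the original issue or the project's own workflow. The `safe-to-run` label, the `fork-pr` environment, the `EXAMPLE_TOKEN` secret and the `./ci/run.sh` script are assumed names.

```yaml
# Added example. Assumed names: "safe-to-run" label, "fork-pr" environment,
# EXAMPLE_TOKEN secret, ./ci/run.sh script.
name: fork-pr-with-secrets

on:
  pull_request_target:   # runs in the base repository's context, so secrets are available
    types: [labeled]     # fires only when a label is applied, not on every push to the PR

permissions:
  contents: read         # keep GITHUB_TOKEN read-only for this workflow

jobs:
  reviewed-run:
    # Gate 1: start only for the label a maintainer applies after reviewing the diff.
    # Applying labels requires triage or write access, which a fork author does not have.
    if: github.event.label.name == 'safe-to-run'
    runs-on: ubuntu-latest
    # Gate 2: an environment configured with required reviewers pauses the job
    # until one of them approves it.
    environment: fork-pr
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the exact commit recorded in the event payload rather than the
          # branch, so commits pushed after the label was applied are not run.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in the checked-out repository's git config.
          persist-credentials: false
      - name: Step that needs the secret
        run: ./ci/run.sh
        env:
          EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
```

The job runs the fork's code with the secret in scope, so the review has to cover the commit that is checked out. Removing the label after each run means new commits need a fresh review and a new label before they run.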