From 3215860a47f1fff1436a94669e24523bf9627b02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 3 Apr 2023 18:16:52 +0200
Subject: [PATCH] gha: Set ci-on-push to run on `pull_request_target`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is less secure than running the PR on `pull_request`, and will require using an additional `ok-to-test` label to make sure someone deliverately ran the actions coming from a forked repo.

Signed-off-by: Fabiano FidĂȘncio
---
 .github/workflows/ci-on-push.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
index 8e9d6d078..cbab26837 100644
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -1,14 +1,21 @@
 name: Kata Containers CI
 on:
- pull_request
+ pull_request_target:
+ types:
+ - opened
+ - reopened
+ - labeled
+ - synchronize
 jobs:
 build-kata-static-tarball-amd64:
+ if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
 uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
 with:
 tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.sha }}
 publish-kata-deploy-payload-amd64:
+ if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
 needs: build-kata-static-tarball-amd64
 uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
 with:
@@ -20,6 +27,7 @@ jobs:
 secrets: inherit
 run-k8s-tests-on-aks:
+ if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
 needs: publish-kata-deploy-payload-amd64
 uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
 with:
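Review bot: The `ok-to-test` condition added to the three jobs stays true for as long as the label is on the PR, so with `- synchronize` in `types` every later push to the fork branch reruns the whole chain in the base-repository context, including the job that passes `secrets: inherit`, on commits no maintainer has approved. Either drop `- synchronize` so that a new run requires the label to be applied again, or have the workflow remove the label once a run starts and gate each job on `github.event.action == 'labeled' && github.event.label.name == 'ok-to-test'`. Separately, under `pull_request_target` `github.sha` is the base-branch commit, so the `tarball-suffix` in `build-kata-static-tarball-amd64` no longer identifies the PR revision; `github.event.pull_request.head.sha` would. The called workflows are not visible here, but they presumably need that ref passed in explicitly to build the PR code at all. The same `if:` line appears again in the second hunk on `run-k8s-tests-on-aks`, whose `with:` block continues outside the hunk.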