doris/.github/actions/patches/action-sh-checker.patch
Adonis Ling 72b909b5e8 [enhancement](workflow) Enable the shellcheck workflow to comment the PRs (#12633)
> Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by 
default prevents write permissions and secrets access to the target repository. However, in some scenarios such 
access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.

According to the article [Keeping your GitHub Actions and workflows secure](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/), the trigger condition in 
`shellcheck.yml`, which is `pull_request`, can't comment on the PR due to the lack of write permissions of the workflow.

Although the `ShellCheck` workflow checks out the source, it doesn't build or test the source code. I think it is safe 
to change the trigger condition from `pull_request` to `pull_request_target`, which gives the workflow write 
permissions to comment on the PR.
2022-09-27 09:08:12 +08:00
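The commit message above describes the trade-off of `pull_request_target`: the job gets the base repository's write token, so it must only read the PR's files and never execute them. The workflow below is an added example written for this page, not the Doris project's own `shellcheck.yml` or the `action-sh-checker` action: it pins the checkout to the PR head (by default `pull_request_target` checks out the base branch, so without `ref` the lint would run on the wrong tree), drops the token from `.git/config` with `persist-credentials: false`, grants only `pull-requests: write`, and posts findings with `gh` instead of the action's `_comment_on_github` helper. The `shellcheck` and `gh` binaries are assumed to be present on the `ubuntu-latest` runner, and the job name, paths and step ids are assumptions.

```yaml
# Added example (not the Doris project's workflow): lint-only job on
# pull_request_target that can comment on fork PRs without exposing the
# privileged context to untrusted code.
name: ShellCheck

on:
  pull_request_target:
    paths:
      - '**.sh'

# Least privilege: read the repo, post one PR comment, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      # pull_request_target checks out the BASE branch by default, so pin the
      # checkout to the PR head explicitly and keep the token out of .git/config.
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Only lint. Never build, test or otherwise execute files from this
      # checkout: this job runs with the base repository's GITHUB_TOKEN.
      - name: Run shellcheck
        id: lint
        shell: bash
        run: |
          set +e
          report=$(find . -name '*.sh' -not -path './.git/*' -print0 \
            | xargs -0 -r shellcheck --format=gcc 2>&1)
          status=$?
          printf '%s\n' "$report" > shellcheck.txt
          echo "status=$status" >> "$GITHUB_OUTPUT"
          exit 0

      # Post findings back to the PR; this is the only step that needs the
      # write-capable token. Fail the job afterwards so the check shows red.
      - name: Comment on the PR
        if: steps.lint.outputs.status != '0'
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          {
            echo 'ShellCheck reported problems:'
            echo '~~~'
            cat shellcheck.txt
            echo '~~~'
          } > comment.md
          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file comment.md
          exit 1
```

The important invariant is in the middle step: `shellcheck` parses the PR's scripts but does not run them, and nothing else in the job (no `make`, no package install, no test runner) consumes the checked-out tree. The moment a step executes PR-controlled code under this trigger, the token in `GH_TOKEN` and any repository secrets are exposed to the fork author.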

Diff

diff --git a/entrypoint.sh b/entrypoint.sh
index d3399e3..5c8ee7b 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -202,7 +202,7 @@ if ((CHECKBASHISMS_ENABLE == 1)); then
fi
if ((shellcheck_code != 0 || shfmt_code != 0)); then
- if [ "$GITHUB_EVENT_NAME" == "pull_request" ] && ((SH_CHECKER_COMMENT == 1)); then
+ if [[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" == "pull_request_target" ]] && ((SH_CHECKER_COMMENT == 1)); then
_comment_on_github "$shellcheck_error" "$shfmt_error"
fi
fi
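Review bot: the widened condition is correct as far as this script goes, but it makes `_comment_on_github "$shellcheck_error" "$shfmt_error"` reachable from fork PRs under a trigger where `GITHUB_TOKEN` has write access to the base repository, and the patch file carries no note about the constraints that keeps that safe. Please add a comment above the `if` (or in the patch header) stating that under `pull_request_target` the calling workflow must check out the PR head explicitly (the default checkout is the base branch, so the lint would otherwise run on the wrong tree) and must not execute anything from that checkout, which is the assumption the commit message relies on. Switching `[ ... ]` to `[[ ... ]]` is fine here, since the surrounding `((...))` arithmetic tests already make `entrypoint.sh` bash-only.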