Adding pull_request_target workflow for secure PR validation

bc3tech · Jun 13, 2024 · 8f81d98 · 8f81d98
1 parent 861ae79
commit 8f81d98
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -1,7 +1,8 @@
 name: Build and Test
 
 on:
-  pull_request:
+  workflow_run:
+    workflows: ["Publish Extension", "Receive PR"]
     branches:
       - main
   workflow_dispatch:

diff --git a/.github/workflows/publish-extension.yml b/.github/workflows/publish-extension.yml
@@ -44,7 +44,9 @@ jobs:
   publish-gh-release:
     needs: build-and-test
     runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+        contents: write
+
     env:
       EXTENSION_VERSION: ${{ needs.build-and-test.outputs.extVersion }}
       GH_TOKEN: ${{ github.token }}

diff --git a/.github/workflows/receive-pr.yml b/.github/workflows/receive-pr.yml
@@ -0,0 +1,12 @@
+name: Receive PR
+
+on:
+  pull_request_target: 
+    branches:
+      - main
+    paths-ignore:
+    - '.github/**'
+
+jobs:
+    build-and-test:
+        uses: ./.github/workflows/build-and-test.yml