Actions to run on pull_request + push

The pull_request_target means "Run the actions from the PR target's primary branch" -- which means any new changes aren't present. So although that grants access to the secrets, it's not particularly useful in this context. So when we're not publishing the image, we don't log in. There is no way to make secrets available to PRs (which prevents all sorts of secret exfil problems) and not logging into dockerhub for this makes sense.
frison · Nov 28, 2023 · 1121268 · 1121268
1 parent 3185830
commit 1121268
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 1 deletion.
diff --git a/.github/actions/build-test-publish/action.yml b/.github/actions/build-test-publish/action.yml
@@ -28,6 +28,7 @@ runs:
     # https://github.com/docker/login-action
     -
       name: 🗝 Log into Dockerhub
+      if: ${{ inputs.publish == 'true' }}
       id: login
       uses: docker/login-action@v2
       with:

diff --git a/.github/bin/validate.sh b/.github/bin/validate.sh
@@ -9,5 +9,6 @@ LANGUAGES_TO_GO=$((100 - PUBLISHED_LANGUAGE_COUNT))
 if ! grep -q "${LANGUAGES_TO_GO}_to_go" $REPO_DIR/README.md; then
   ci_error "README.md does not have the correct language count! (${LANGUAGES_TO_GO} to go!)"
 fi
+ci_check "README.md has the correct language count! (${LANGUAGES_TO_GO} to go!)"
 
 
diff --git a/.github/workflows/on-push.yml b/.github/workflows/on-push.yml
@@ -7,7 +7,7 @@ concurrency:
 
 on:
   push:
-  pull_request_target:
+  pull_request:
 
 jobs:
   what-to-build:

diff --git a/.utils/dependencies.sh b/.utils/dependencies.sh
@@ -31,3 +31,7 @@ ci_error() {
   >&2 echo "::error::$@"
   exit 1
 }
+
+ci_pass() {
+  echo "✅ $@"
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,7 +7,7 @@ concurrency: @@
     on:
       push:
-      pull_request_target:
+      pull_request:
     jobs:
       what-to-build:
@@ Expand Down @@