Skip to content

Commit 62fc26f

Browse files
author
Jonathan Visser
committed
fix: allow fork PRs to access secrets in deploy workflow
Use pull_request_target instead of pull_request to run the workflow in the context of the base repository, enabling secrets access for fork PRs. Explicitly checkout PR head SHA to build the correct code.
1 parent 9785bd7 commit 62fc26f

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

.github/workflows/deploy.yaml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
name: Deploy application
22

33
on:
4-
pull_request:
4+
pull_request_target:
55
push:
66
branches:
77
- 'master'
@@ -17,6 +17,7 @@ jobs:
1717
- uses: actions/checkout@v3
1818
with:
1919
fetch-depth: 0
20+
ref: ${{ github.event.pull_request.head.sha || github.sha }}
2021
# Declares the repository safe and not under dubious ownership.
2122
- name: Add repository to git safe directories
2223
run: git config --global --add safe.directory $GITHUB_WORKSPACE
@@ -52,6 +53,7 @@ jobs:
5253
- uses: actions/checkout@v3
5354
with:
5455
fetch-depth: 0
56+
ref: ${{ github.event.pull_request.head.sha || github.sha }}
5557
- name: download build artifact
5658
uses: actions/download-artifact@v4
5759
with:

0 commit comments

Comments
 (0)