44 workflow_dispatch :
55 schedule :
66 - cron : " 0 17 * * *"
7- pull_request :
7+ pull_request_target :
88 types : [opened, synchronize]
99
10+ permissions :
11+ contents : read # Restrict GITHUB_TOKEN
12+
1013jobs :
11- changes :
14+ vt-plugin-scan-changes-check :
15+ if : github.event_name == 'pull_request_target'
1216 runs-on : ubuntu-latest
1317 outputs :
1418 plugins : ${{ steps.filter.outputs.plugins }}
19+ non_plugin_files : ${{ steps.filter.outputs.non_plugin_files }}
1520 steps :
1621 - name : Check out repository code
1722 uses : actions/checkout@v6
23+ with :
24+ ref : ${{ github.event.pull_request.head.sha }}
1825 - uses : dorny/paths-filter@v4
19- if : github.event_name == 'pull_request'
2026 id : filter
2127 with :
28+ predicate-quantifier : ' every'
2229 filters : |
2330 plugins:
24- - 'plugins/**'
31+ - 'plugins/*.json'
32+ non_plugin_files:
33+ - '**'
34+ - '!plugins/*.json'
35+ - name : Fail if non-plugin files changed
36+ if : github.event_name == 'pull_request_target' && steps.filter.outputs.plugins == 'true' && steps.filter.outputs.non_plugin_files == 'true'
37+ run : |
38+ echo "This PR contains changes to files outside the plugins directory."
39+ echo "Plugin submission PRs must only create/modify plugin manifest files in the plugins directory."
40+ exit 1
2541
2642 vt-plugin-scan :
27- needs : changes
28- if : needs.changes.outputs.plugins == 'true' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
43+ needs : vt-plugin-scan-changes-check
44+ if : |
45+ always() && (
46+ (github.event_name == 'pull_request_target' && needs.vt-plugin-scan-changes-check.outputs.plugins == 'true' && needs.vt-plugin-scan-changes-check.outputs.non_plugin_files == 'false') ||
47+ github.event_name == 'workflow_dispatch' ||
48+ github.event_name == 'schedule'
49+ )
2950 runs-on : ubuntu-latest
3051 steps :
3152 - name : Check out repository code
3253 uses : actions/checkout@v6
54+ # To actually check out and run the plugin downloader from the fork's PR
55+ with :
56+ ref : ${{ github.event.pull_request.head.sha }}
3357
3458 - name : Set up Python
3559 uses : actions/setup-python@v6
4468 uses : actions/cache/restore@v5
4569 # No need to restore cache, PR's plugin is downloaded and scanned each time.
4670 # Plugin dev may repeatedly only update one version
47- if : github.event_name != 'pull_request '
71+ if : github.event_name != 'pull_request_target '
4872 with :
4973 path : |
5074 scan-files/
@@ -53,21 +77,17 @@ jobs:
5377 restore-keys : plugin-zips-
5478
5579 - name : Download plugin submitted in this PR
56- if : github.event_name == 'pull_request '
80+ if : github.event_name == 'pull_request_target '
5781 run : python ci/src/download_plugins.py --mode new --output-dir scan-files
58- env :
59- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
6082
6183 - name : Download all plugins with cache metadata
62- if : github.event_name != 'pull_request '
84+ if : github.event_name != 'pull_request_target '
6385 run : python ci/src/download_plugins.py --output-dir scan-files --cache-meta plugin-download-cache.json
64- env :
65- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
6686
6787 - name : Restore VirusTotal scan cache from previous runs
6888 uses : actions/cache/restore@v5
6989 # Don't use cache, upload/retrieve report from VirustTotal each time for new submissions
70- if : github.event_name != 'pull_request '
90+ if : github.event_name != 'pull_request_target '
7191 with :
7292 path : vt_cache.json
7393 key : vt-cache-restore-not-used
@@ -91,15 +111,15 @@ jobs:
91111 - name : Save VirusTotal scan cache for future runs
92112 uses : actions/cache/save@v5
93113 # Cache not used for PR plugin submissions
94- if : always() && github.event_name != 'pull_request '
114+ if : always() && github.event_name != 'pull_request_target '
95115 with :
96116 path : vt_cache.json
97117 key : vt-cache-${{ hashFiles('vt_cache.json') }}
98118
99119 - name : Save plugin ZIPs and cache metadata for future runs
100120 uses : actions/cache/save@v5
101121 # Upload even if scan fails
102- if : always() && github.event_name != 'pull_request '
122+ if : always() && github.event_name != 'pull_request_target '
103123 with :
104124 path : |
105125 scan-files/
@@ -116,15 +136,15 @@ jobs:
116136 - name : Upload VirusTotal scan cache as viewable artifact
117137 uses : actions/upload-artifact@v7
118138 # Cache not used for PR plugin submissions
119- if : always() && github.event_name != 'pull_request '
139+ if : always() && github.event_name != 'pull_request_target '
120140 with :
121141 path : vt_cache.json
122142 archive : false
123143
124144 - name : Upload plugin download cache metadata as viewable artifact
125145 uses : actions/upload-artifact@v7
126146 # Upload even if scan fails
127- if : always() && github.event_name != 'pull_request '
147+ if : always() && github.event_name != 'pull_request_target '
128148 with :
129149 path : plugin-download-cache.json
130- archive : false
150+ archive : false
0 commit comments