
Commit 8e30bd2

committed
Harden deploy workflow_run trust checks
1 parent 033347f commit 8e30bd2

1 file changed

Lines changed: 3 additions & 2 deletions


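--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,7 +10,7 @@ jobs:
   publish-vscode-extension:
     name: Publish VSCode extension
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository }}
     environment: production
     env:
       CURSORLESS_REPO_ROOT: ${{ github.workspace }}
@@ -50,7 +50,7 @@ jobs:
   publish-neovim-extension:
     name: Publish Neovim extension
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository }}
     environment: production
     env:
       CURSORLESS_REPO_ROOT: ${{ github.workspace }}
@@ -99,6 +99,7 @@ jobs:
   push-cursorless-talon:
     name: Push cursorless-talon subrepo
     runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository }}
     needs: publish-vscode-extension
     environment: production
     env: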
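Review bot: The new `if:` expressions (line 13 of the first hunk, and the same text in the hunks at lines 53 and 102) require the triggering run to be a `push` originating from this repository but do not constrain the branch, so a push to any branch by anyone with write access still satisfies them and reaches the `production` environment. If these jobs are meant to publish only from the release branch, append `&& github.event.workflow_run.head_branch == 'main'` (substitute the actual release branch name) or, equivalently, enforce it through the `production` environment's deployment-branch policy so the restriction does not live only in the workflow text. The identical expression is now copied into three jobs; a single gate job that evaluates it once, with the publish jobs declaring `needs:` on it, would keep the three checks from drifting apart in later edits. For `push-cursorless-talon`, the existing `needs: publish-vscode-extension` already causes the job to be skipped when that job is skipped, so its added `if:` is redundant with the upstream gate but harmless as defense in depth; the visible hunks do not show whether other jobs in the file between these line ranges still use the older, weaker condition.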
