check-spelling-docs

Documentation for check-spelling

Support pull_request_target

Background

pull_request gets a readonly GITHUB_TOKEN when a pull request is opened from a fork by a user who doesn't have write permission to the destination repository. Because the token is readonly, the action can't even comment on the PR, which makes using a code-review action pretty painful.

To work around that restriction, this action used schedule instead.

pull_request_target

GitHub introduced pull_request_target as an improvement over pull_request.

For this action, the key value is:

This event allows you to do things like create workflows that label and comment on pull requests based on the contents of the event payload.

Implementation

Implementing this shouldn't be particularly hard.

The entry-point needs to support the event, and then it's just a couple of changes to the workflow yaml:

on:
  pull_request_target:

jobs:
  spelling:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}

Security considerations

I believe anyone using schedule today would be just as vulnerable as someone using pull_request_target once it's supported.

In general, from GitHub's perspective, there is a risk to this feature:

I don't believe that check-spelling is insecure (that's what everyone says, right?), although it'd be great if someone were to confirm. It does use shell and Perl, a pair of languages that certainly don't have a great reputation in this area.
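As an added example (not from the check-spelling docs or project), here is the workflow from the Implementation section with the settings a maintainer would want when the event runs with a write-capable token against a fork's commit: the token is narrowed to what commenting needs, and the checkout does not leave that token in the work tree. The `permissions` block and the `persist-credentials` input are real GitHub Actions features; the job name, the assumed permission set, and the `<release-tag>` placeholder are not from the page.

```yaml
name: Spelling (pull_request_target)

on:
  pull_request_target:

# Assumed least-privilege grant: the action only needs to read the tree and
# comment on the pull request, so the write-capable default token is narrowed.
permissions:
  contents: read
  pull-requests: write

jobs:
  spelling:
    runs-on: ubuntu-latest
    steps:
      # Check out the fork's commit, pinned to the SHA from the event payload
      # rather than a mutable branch name (same ref expression as the page uses).
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config, where anything executed
          # from the checked-out tree could read it.
          persist-credentials: false
      # Placeholder tag: replace <release-tag> with a released check-spelling tag.
      - uses: check-spelling/check-spelling@<release-tag>
```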

Feature schedule

Released in 0.0.17-alpha.

Breaking change: Dropping support for on: schedule should occur after v0.0.22.
