From 4d4d5960754a00f5a9b52b2e109aead6ad6e7bb6 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Thu, 5 Sep 2024 10:28:55 -0400 Subject: [PATCH] chore: fix hermetic_library_generation fork check This inlines the `repo.full_name` as an env var when checking if the PR is coming from a fork in order to prevent script injections. The current state doesn't work properly because `github.env` cannot be accessed in the `if` statement. --- .github/workflows/hermetic_library_generation.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index ab23b9fec..51a087f8e 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -20,11 +20,10 @@ on: env: HEAD_REF: ${{ github.head_ref }} REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} + GITHUB_REPOSITORY: ${{ github.repository }} jobs: library_generation: - # skip pull requests coming from a forked repository - if: github.env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -35,6 +34,10 @@ jobs: shell: bash run: | set -ex + if [[ "${GITHUB_REPOSITORY}" != "${REPO_FULL_NAME}" ]]; then + echo "This PR comes from a fork. Generation will be skipped" + exit 0 + fi [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com" [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot" bash .github/scripts/hermetic_library_generation.sh \
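Review bot: Dropping the job-level `if` means a fork PR now starts the job and runs `actions/checkout@v4` before any fork check happens, because the guard only exists in a later shell step. A job-level `if` is evaluated as an Actions expression and is never interpolated into a shell, so the check can stay there without the injection concern. It should read the `github` context directly, since workflow-level `env` is not available in that position: `if: github.event.pull_request.head.repo.full_name == github.repository`. The added `GITHUB_REPOSITORY` entry also looks redundant, because the runner already sets a default variable of that name for every step. The `jobs` block continues outside the hunk, so the checkout step's inputs are not visible here.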
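Review bot: The `exit 0` in the added guard ends only this `run` step, not the job, so any step placed after it would still execute for a fork PR. The rest of the job lies outside the hunk, so whether such steps exist cannot be confirmed from here. If the guard stays in shell, a comment above the `if` would record the limitation, for example `# exit 0 stops this step only; later steps need their own fork check`. The run block itself also continues past the end of the hunk.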