From c7f14700fb3c5420de4722c621dc7e227862c4a1 Mon Sep 17 00:00:00 2001
From: Okinea Dev
Date: Sat, 18 Jan 2025 21:30:20 +0200
Subject: [PATCH 1/4] =?UTF-8?q?fix(ci):=20=F0=9F=9A=91=20use=20`pull=5Freq?= =?UTF-8?q?uest=5Ftarget`=20instead=20of=20`pull=5Frequest`?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This will fix the falling workflows `pull_request_target` unlike `pull_request` grants write access to `GITHUB_TOKEN`¹ `pull_request_target` is recommended to be used only where tasks such as commenting and labeling² are very necessary, which is what we need You can read more about my discovery of the problem starting from this comment in #2365: https://github.com/material-extensions/vscode-material-icon-theme/pull/2365#issuecomment-2599772182 2: https://stackoverflow.com/questions/74957218/what-is-the-difference-between-pull-request-and-pull-request-target-event-in-git#:~:text=The%20pull_request_tar get%20event%20grants%20workflows%20triggered%20by%20pull%20requests%20from%20forks%20access%20to%20repository%20secrets%20and%20a%20read/write%20GITHUB_TOKEN 2: https://stackoverflow.com/questions/74957218/what-is-the-difference-between-pull-request-and-pull-request-target-event-in-git#:~:text=only%20use%20pull_request_target %20for%20workflow ws%20where%20access%20to%20secrets%20or%20write%20permissions%20is%20strictly%20necessary%2C%20such%20as%20commenting%2C%20labeling%2C%20or%20status%20updates%20on%20pull%20requests.
Helped-by: Eli
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/color-check.yml | 2 +-
 .github/workflows/pr-closed.yml | 2 +-
 .github/workflows/pr-title.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 04ed149560..f1a567e2b6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,7 +13,7 @@ on:
 - 'sheriff.config.ts'
 - '!*.md'
- pull_request:
+ pull_request_target:
 paths:
 - 'build/**'
 - 'icons/*.svg'
diff --git a/.github/workflows/color-check.yml b/.github/workflows/color-check.yml
index 3c6810c120..aba74a483c 100644
--- a/.github/workflows/color-check.yml
+++ b/.github/workflows/color-check.yml
@@ -1,7 +1,7 @@
 name: 🎨 Check SVG icon colors
 on:
- pull_request:
+ pull_request_target:
 paths:
 - "icons/*.svg"
diff --git a/.github/workflows/pr-closed.yml b/.github/workflows/pr-closed.yml
index 8165e097dc..7190a833d3 100644
--- a/.github/workflows/pr-closed.yml
+++ b/.github/workflows/pr-closed.yml
@@ -1,7 +1,7 @@
 name: 🎉 PR closed
 on:
- pull_request:
+ pull_request_target:
 types:
 - closed
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 181c3bd457..863597136c 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -1,7 +1,7 @@
 name: ✅ Check PR Title
 on:
- pull_request:
+ pull_request_target:
 types: [opened, edited]
 permissions:
From 926cc3c7bd0391b9bd948ca706fa3f399d90d22f Mon Sep 17 00:00:00 2001
From: Okinea Dev
Date: Sat, 18 Jan 2025 21:34:04 +0200
Subject: [PATCH 2/4] fix pr title triggers
---
 .github/workflows/pr-title.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 863597136c..181c3bd457 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -1,7 +1,7 @@
 name: ✅ Check PR Title
 on:
- pull_request_target:
+ pull_request:
 types: [opened, edited]
 permissions:
From 0349d2d07854615061a77de94b8a14e700cd7542 Mon Sep 17 00:00:00 2001
From: Okinea Dev
Date: Sun, 19 Jan 2025 19:49:57 +0200
Subject: [PATCH 3/4] fix pr title triggers I did this because this workflow does a label adding step that requires write permissions
Signed-off-by: Okinea Dev
---
 .github/workflows/pr-title.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
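Review bot: `pull_request_target` on build.yml in patch 1 (and on color-check.yml in the following hunk) gives a workflow triggered by changes under `build/**` and `icons/*.svg` the base repository's secrets and a read/write `GITHUB_TOKEN`, including for pull requests opened from forks. The job steps are outside the hunk; if they check out the pull request head and run its build scripts or dependencies, fork-supplied code executes with that token, and if they use the default checkout they test the base branch rather than the proposed change. I would keep `pull_request:` on these two workflows and move only the commenting or labeling into a separate workflow that never checks out or runs pull-request content. That workflow should carry an explicit least-privilege block, for example `permissions:` with `contents: read` and `pull-requests: write`.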
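Review bot: pr-closed.yml in patch 1 now receives a write-capable token on every closed pull request, and no `permissions:` key appears in the lines this hunk shows, so the token scope would fall back to the repository default. The rest of the file is outside the hunk; if it has no such block, add one limited to what the job needs, for example `permissions:` with `pull-requests: write`. `pull_request_target` is reasonable for a job that presumably only comments or labels, provided no step checks out or executes content from the pull request.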
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 181c3bd457..863597136c 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -1,7 +1,7 @@
 name: ✅ Check PR Title
 on:
- pull_request:
+ pull_request_target:
 types: [opened, edited]
 permissions:
From 11cbe0d7c25f8ee02821f51d407fa4ed167516a3 Mon Sep 17 00:00:00 2001
From: Okinea Dev
Date: Sun, 19 Jan 2025 20:01:07 +0200
Subject: [PATCH 4/4] fix triggers
Signed-off-by: Okinea Dev
---
 .github/workflows/pr-title.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 863597136c..181c3bd457 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -1,7 +1,7 @@
 name: ✅ Check PR Title
 on:
- pull_request_target:
+ pull_request:
 types: [opened, edited]
 permissions:
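Review bot: Patch 4 leaves pr-title.yml on `pull_request:`, which contradicts the reason given in patch 3 (a label-adding step that needs write permission), and its message "fix triggers" does not say why the trigger was flipped back. On pull requests from forks GitHub normally issues a read-only token for `pull_request`, so the labeling step described in patch 3 would be expected to fail there regardless of the `permissions:` block, whose contents are outside the hunk. Either record the reason in the commit message and squash patches 2–4 into one, or keep the title check on `pull_request` and move the labeling into a small `pull_request_target` workflow limited to `pull-requests: write`. Such a workflow should not check out the pull request, and should read the title from an `env:` variable rather than interpolating it into a `run:` script.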