Conversation

@jmatsu (Contributor) commented Feb 20, 2021

  • Updated Unreleased section in CHANGELOG, or it's not a notable change.

Related to #706, #759

This PR just allows the pull_request_target trigger even if it's from a forked repo. GITHUB_TOKEN via the trigger has enough read/write permission to call review APIs.

@jmatsu jmatsu marked this pull request as ready for review February 20, 2021 09:05
@haya14busa (Member) left a comment

Thanks! 👍

@haya14busa haya14busa merged commit 0772915 into reviewdog:master Feb 20, 2021
@review-dog (Member) commented

Hi, @jmatsu! We merged your PR to reviewdog! 🐶
Thank you for your contribution! ✨

We just invited you to join the @reviewdog organization on GitHub.
Accept the invite by visiting https://github.com/orgs/reviewdog/invitation.
By joining the team, you'll be a part of the reviewdog community and can help with the maintenance of reviewdog.

Thanks again!

@haya14busa (Member) commented

btw, how do you use reviewdog with the pull_request_target event?
I'm curious what the best way is to run reviewdog with write permission for a forked repo in a safe way.

@jmatsu (Contributor, Author) commented Feb 20, 2021

Thanks for approval!

I think code owners should download the reviewdog binary every run (i.e. avoid caching it) or verify the integrity of the binary before executing it; I'm not really sure it's the best though.

And also, code owners should take care of the safety when using pull_request_target. This is not limited to the case using reviewdog.

  • Verify the linter command as well
  • To avoid leaks, never pass any secrets to a step that runs linters if possible
  • Run only linters and reviewdog in the workflow

In my use case, it's possible because the linter is a single binary. However, I can imagine it's difficult if the linter is embedded or plugged into build automation tools.

Honestly speaking, workflow_run sounds safer, it's a bit more complicated though. 😄
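The precautions jmatsu lists above, put together into one workflow. This is an added example, not code from the reviewdog project or from anyone in this thread. It assumes shellcheck as the linter (it ships on GitHub's ubuntu runners and reviewdog can parse its `-f gcc` output through `-efm`), and the reviewdog version, release archive name and sha256 are placeholders to be replaced with the values from the release you pin.

```yaml
# Added example (not reviewdog's own code): a pull_request_target workflow that
# keeps secrets away from the step that runs code from the fork.
name: lint-fork-prs
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege: GITHUB_TOKEN may read code and write PR reviews, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Check out the PR's merge commit (the approach jmatsu describes above).
      # persist-credentials: false keeps GITHUB_TOKEN out of .git/config, so a
      # later step that runs untrusted code cannot read the token from there.
      - uses: actions/checkout@v2
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          persist-credentials: false

      # Download reviewdog fresh on every run (no cache) and verify the archive
      # against a pinned checksum before anything from it is executed.
      - name: Install reviewdog (verified)
        env:
          REVIEWDOG_VERSION: "0.11.0"                        # placeholder: pin a real release
          REVIEWDOG_SHA256: "<sha256-of-the-release-archive>" # placeholder: from the release's checksum list
        run: |
          set -euo pipefail
          # Archive name follows the reviewdog release naming; treat it as an assumption
          # and check it against the release page for the version you pin.
          curl -fsSL -o reviewdog.tar.gz \
            "https://github.com/reviewdog/reviewdog/releases/download/v${REVIEWDOG_VERSION}/reviewdog_${REVIEWDOG_VERSION}_Linux_x86_64.tar.gz"
          echo "${REVIEWDOG_SHA256}  reviewdog.tar.gz" | sha256sum -c -
          tar -xzf reviewdog.tar.gz reviewdog
          install -m 0755 reviewdog "$RUNNER_TEMP/reviewdog"

      # The only step that touches files from the fork. It has no secrets in its
      # environment and does nothing but write linter findings to a file.
      - name: Run linter (no secrets)
        run: |
          set -uo pipefail
          find . -name '*.sh' -print0 \
            | xargs -0 -r shellcheck -f gcc > "$RUNNER_TEMP/lint.txt" || true

      # Only this step receives the token. It reads the saved findings and runs
      # the verified reviewdog binary; it never executes anything from the PR.
      - name: Report with reviewdog
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          "$RUNNER_TEMP/reviewdog" -efm="%f:%l:%c: %m" -name=shellcheck \
            -reporter=github-pr-review -filter-mode=added \
            < "$RUNNER_TEMP/lint.txt"
```

The split into three steps is the point: the linter step is the only one that processes untrusted input and it has nothing worth stealing in its environment, while the reporting step holds the token but only parses a text file. The `permissions` block and `persist-credentials: false` limit what the token is good for and where it is stored, which matters because pull_request_target runs in the base repository's context regardless of where the PR came from.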

@jmatsu jmatsu deleted the feature/support_pr_target branch February 20, 2021 13:56
@haya14busa (Member) commented

Ok, does it mean you just check out the merge commit with pull_request_target?

KikeE36 added a commit to KikeE36/reviewdog that referenced this pull request Feb 22, 2021
https://github.com/reviewdog/reviewdog/tree/reviewdog:master
# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### ✨ Release Note <!-- optional -->

### 🚀 Enhancements
- [reviewdog#888](reviewdog#888) Allow GitHub PR reporting for a forked repository iff it's triggered by `pull_request_target`

### 🐛 Fixes
- ...

### 🚨 Breaking changes
- ...

---

## [v0.11.0] - 2020-10-25

### ✨ Release Note
reviewdog v0.11 introduced [Reviewdog Diagnostic Format (RDFormat)](./README.md#reviewdog-diagnostic-format-rdformat)
as generic machine-readable diagnostic format and it unlocks new rich features like code suggestions.

### 🚀 Enhancements
- [reviewdog#629](reviewdog#629) Introduced Reviewdog Diagnostic Format.
  - [reviewdog#674](reviewdog#674) [reviewdog#703](reviewdog#703) Support rdjsonl/rdjson as input format
  - [reviewdog#680](reviewdog#680) github-pr-review: Support multiline comments
  - [reviewdog#675](reviewdog#675) [reviewdog#698](reviewdog#698) github-pr-review: Support suggested changes
  - [reviewdog#699](reviewdog#699) Support diff input format (`-f=diff`). Useful for suggested changes.
  - [reviewdog#700](reviewdog#700) Support showing code (rule), code URL and severity in GitHub and GitLab reporters.
- [reviewdog#678](reviewdog#678) github-pr-review: Support Code Suggestions
  - Introduced [reviewdog/action-suggester](https://github.com/reviewdog/action-suggester) action.
- Introduced [reviewdog/action-setup](https://github.com/reviewdog/action-setup) GitHub Action which installs reviewdog easily including nightly release.
- [reviewdog#769](reviewdog#769) Integration with [Bitbucket Code Insights](https://support.atlassian.com/bitbucket-cloud/docs/code-insights/) and [Bitbucket Pipelines](https://bitbucket.org/product/ru/features/pipelines)

---

## [v0.10.2] - 2020-08-04

### 🐛 Fixes
- [reviewdog#709](reviewdog#709) Check for GITHUB_ACTIONS instead of GITHUB_ACTION

---

## [v0.10.1] - 2020-06-30

### 🚀 Enhancements
- [reviewdog#563](reviewdog#563) Use `CI_API_V4_URL` environment variable when present.

### 🐛 Fixes
- [reviewdog#609](reviewdog#609) The reviewdog command will fail with an unexpected tool error for github-check/github-pr-check reporters as well. ([@haya14busa])
- [reviewdog#603](reviewdog#603) Fixed detection of Pull Requests from forked repo. ([@haya14busa])

---

## [v0.10.0] - 2020-05-07

### ✨ Release Note

With v0.10.0 release, now reviewdog can find issues outside diff by controlling
filtering behavior with `-filter-mode`. Also, you can ensure to check reported
results by exit 1 with `-fail-on-error`.

Example
```shell
$ cd subdir/ && reviewdog -filter-mode=file -fail-on-error -reporter=github-pr-review
```

### 🚀 Enhancements
- [reviewdog#446](reviewdog#446)
  Added `-fail-on-error` flag
  ([document](https://github.com/reviewdog/reviewdog/tree/e359505275143ec85e9b114fc1ab4a4e91d04fb5#exit-codes))
  and improved exit code handling. ([@DmitryLanda](https://github.com/DmitryLanda), [@haya14busa])
- [reviewdog#187](reviewdog#187)
  Added `-filter-mode` flag [`added`, `diff_context`, `file`, `nofilter`]
  ([document](https://github.com/reviewdog/reviewdog/tree/e359505275143ec85e9b114fc1ab4a4e91d04fb5#filter-mode))
  which controls how reviewdog filter results. ([@Le6ow5k1](https://github.com/Le6ow5k1), [@haya14busa])
- [reviewdog#69](reviewdog#69) Support gerrit! ([@staticmukesh](https://github.com/staticmukesh))
- [reviewdog#548](reviewdog#548) Introduced nightly release ([reviewdog/nightly](https://github.com/reviewdog/nightly)). ([@haya14busa])

### 🐛 Fixes
- [reviewdog#461](reviewdog#461) All reporters now support sub-directory runs. ([@haya14busa])

### 🚨 Breaking changes
- `github-check` reporter won't report results outside the diff by default now. You
  need to use `-filter-mode=nofilter` to keep the same behavior.

---

See https://github.com/reviewdog/reviewdog/releases for older release notes.

[Unreleased]: reviewdog/reviewdog@v0.10.0...HEAD
[v0.10.0]: reviewdog/reviewdog@v0.9.17...v0.10.0
[v0.10.1]: reviewdog/reviewdog@v0.10.0...v0.10.1
[v0.10.2]: reviewdog/reviewdog@v0.10.1...v0.10.2
[v0.11.0]: reviewdog/reviewdog@v0.10.2...v0.11.0
[@haya14busa]: https://github.com/haya14busa
@jmatsu (Contributor, Author) commented Feb 25, 2021

Yes for now.

@venkuppu-chn commented

@haya14busa I see that this change is not landing in releases. In order to make use of this PR in reviewdog/action-alex, what would be the necessary workarounds? Any suggestion would be of great help.
