From 65d579f50d2c6fcd6790b7951e756a8074e8a512 Mon Sep 17 00:00:00 2001
From: Gao Sun
Date: Fri, 12 Aug 2022 23:29:19 +0800
Subject: [PATCH] chore: fix workflow (#1772)
---
 .github/workflows/update-pr-metadata.yml | 12 ++++-------
 .github/workflows/upload-annotations.yml | 5 ++---
 2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/update-pr-metadata.yml b/.github/workflows/update-pr-metadata.yml
index 081f9fe0e..d85546c11 100644
--- a/.github/workflows/update-pr-metadata.yml
+++ b/.github/workflows/update-pr-metadata.yml
@@ -3,6 +3,9 @@ name: Update Metadata
 on:
 pull_request:
 types: [opened, edited, synchronize, reopened]
+ # CAREFUL! https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ pull_request_target:
+ types: [opened, edited, synchronize, reopened]
 
 concurrency:
 group: update-metadata-${{ github.ref }}
@@ -12,10 +15,6 @@ jobs:
 update-metadata:
 runs-on: ubuntu-latest
 
- permissions:
- issues: write
- pull-requests: write
-
 steps:
 - name: Add labels
 uses: silverhand-io/actions-add-labels-run-steps@v1.1.2
@@ -36,14 +35,11 @@ jobs:
 pr-size-diff:
 runs-on: ubuntu-latest
 
- permissions:
- issues: write
- pull-requests: write
-
 steps:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Prepare
 run: |
diff --git a/.github/workflows/upload-annotations.yml b/.github/workflows/upload-annotations.yml
index 9d8cca386..7508e1e05 100644
--- a/.github/workflows/upload-annotations.yml
+++ b/.github/workflows/upload-annotations.yml
@@ -15,9 +15,8 @@ jobs:
 # avoid out of memory issue since macOS has bigger memory
 # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources
 runs-on: macos-latest
-
- permissions:
- checks: write
+ # fork repos need to opt out
+ if: github.event.pull_request.head.repo.full_name == github.repository
 steps:
 - uses: actions/checkout@v3
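Review bot: With `pull_request` and `pull_request_target` both listed for the same event types, every PR opened from a branch in this repository now fires each job twice, and the `pull_request` run for a fork PR still carries a read-only token, so its label writes will keep failing. The concurrency group `update-metadata-${{ github.ref }}` in the context lines does not deduplicate the pair: `github.ref` differs between the two events, and under `pull_request_target` it resolves to the base branch, so runs for unrelated PRs share one group and would cancel each other if `cancel-in-progress` is set further down (outside the hunk). Key the group on the PR instead, `group: update-metadata-${{ github.event.pull_request.number }}`, and either drop the `pull_request` trigger or gate the jobs on `github.event_name` so each PR runs once with the intended token.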
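Review bot: Without a job-level `permissions:` block, `update-metadata` here (and `pr-size-diff` in the next hunk, same change) runs under `pull_request_target` with the repository's default GITHUB_TOKEN permissions, which are write on most scopes unless the repository has been switched to restricted defaults; the removed block had limited the token to `issues: write` and `pull-requests: write`. The explicit block was ineffective only for fork `pull_request` runs, where the token is read-only regardless of what is declared; on a `pull_request_target` run it is the least-privilege control that bounds what a compromised step could do with the privileged token. Restore it in both jobs, `permissions:` / `issues: write` / `pull-requests: write`, adding `contents: read` for `pr-size-diff` because its checkout step reads the repository and unlisted scopes become `none` once any block is declared.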
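Review bot: `persist-credentials: false` correctly keeps the token out of the checked-out `.git/config`, but under `pull_request_target` this `actions/checkout@v3` step checks out the base branch at `github.sha`, not the PR head, so whatever the `Prepare` step (its `run` body continues outside the hunk) measures will be the base tree unless a `ref:` is added. If the job is later pointed at `github.event.pull_request.head.sha` to obtain the PR tree, nothing from that tree (scripts, package manifests, lockfiles) should be executed in this job, since the privileged token remains available to later steps through `github.token` even with persisted credentials disabled; that is exactly the case the linked pwn-requests article warns about. A comment on the step would make the constraint visible to the next editor, e.g. `# pull_request_target: checkout is the base branch; never run PR-controlled code in this job`.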