11name : Report Preview URLs
22
33on :
4- pull_request :
4+ pull_request_target :
55 branches : ["develop"]
66 paths :
77 - ' docs/**.rst'
@@ -17,22 +17,55 @@ jobs:
1717 pull-requests : write
1818
1919 steps :
20- - name : Checkout repository
20+ - name : Checkout base branch (for trusted scripts)
2121 uses : actions/checkout@v4
2222 with :
23+ ref : develop
24+ path : base
25+
26+ - name : Checkout PR branch (for file diff)
27+ uses : actions/checkout@v4
28+ with :
29+ ref : ${{ github.event.pull_request.head.sha }}
2330 fetch-depth : 0
31+ path : pr
2432
2533 - name : Fetch base branch
2634 run : |
27- git fetch origin develop:develop
35+ cd pr
36+ git remote add upstream https://github.com/${{ github.repository }}.git || true
37+ git fetch upstream develop
38+ git branch -f develop upstream/develop
2839
2940 - name : Generate comment body
3041 id : generate-comment
3142 run : |
32- chmod +x ci_scripts/report_preview_url.sh
43+ TRUSTED_USERS=("ooooo-create" "SigureMo")
44+ PR_AUTHOR="${{ github.event.pull_request.user.login }}"
45+
46+ IS_TRUSTED=false
47+ for user in "${TRUSTED_USERS[@]}"; do
48+ if [ "$user" == "$PR_AUTHOR" ]; then
49+ IS_TRUSTED=true
50+ break
51+ fi
52+ done
53+
54+ if [ "$IS_TRUSTED" == "true" ]; then
55+ echo "✅ Using PR branch script (same repo or trusted user: $PR_AUTHOR)"
56+ chmod +x pr/ci_scripts/report_preview_url.sh
57+ cd pr
58+ SCRIPT_PATH="./ci_scripts/report_preview_url.sh"
59+ else
60+ echo "🔒 Using base branch script for security (fork from untrusted user: $PR_AUTHOR)"
61+ chmod +x base/ci_scripts/report_preview_url.sh
62+ cd pr
63+ SCRIPT_PATH="../base/ci_scripts/report_preview_url.sh"
64+ fi
65+
3366 {
3467 echo 'comment_body<<EOF'
35- ./ci_scripts/report_preview_url.sh ${{ github.event.pull_request.number }}
68+ $SCRIPT_PATH ${{ github.event.pull_request.number }}
3669 echo EOF
3770 } >> $GITHUB_OUTPUT
3871
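Review bot: The "Checkout PR branch" step checks out `github.event.pull_request.head.sha` under `pull_request_target` without `persist-credentials: false`, so with actions/checkout@v4 defaults the job token stays in `pr/.git/config` while every later step runs from `pr`; add `persist-credentials: false` to that step's `with:` block. In "Generate comment body" the trusted branch still executes the PR's own copy of `report_preview_url.sh` with the job's `pull-requests: write` permission. That decision rests only on `pull_request.user.login` matching a list hard-coded in the workflow, although the log message also says "same repo", which is never checked; always running `../base/ci_scripts/report_preview_url.sh` would remove that path. `${{ github.event.pull_request.user.login }}` and `${{ github.event.pull_request.number }}` are expanded into the script text before bash runs, so pass them through the step's `env:` and read `"$PR_AUTHOR"` and `"$PR_NUMBER"` instead. The `comment_body<<EOF` delimiter is fixed, and the script's output presumably derives from file names in the PR, so a per-run random delimiter would stop an output line reading `EOF` from truncating the value.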