
Commit f7fb200

update Open Source Docs from Roblox internal teams
1 parent 742286b commit f7fb200


1 file changed

+13
-3
lines changed


.github/workflows/content-checks.yml

Lines changed: 13 additions & 3 deletions
@@ -1,5 +1,10 @@
11
name: Content Checks
22
on:
3+
# Use `pull_request_target` to run the workflow on the PR base branch (e.g. `origin/main`)
4+
# Avoid using `pull_request` because it runs the workflow on the PR head branch (e.g. `origin/pr-branch`)
5+
# Don't run any code from the PR head branch because it's untrusted and could be malicious.
6+
# See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
7+
# See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
38
pull_request_target:
49
types:
510
- opened
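Review bot: the new comment block explains why `pull_request_target` is preferred over `pull_request` but not what the trade-off is: with this event the job runs in the context of the base repository, so it receives the repository's secrets and a `GITHUB_TOKEN` (used later in this file as `GITHUB_PAT`), and the whole protection rests on never executing anything that came from the head branch. Suggest adding one line to the comment making that explicit, e.g. `# This event exposes repository secrets to the job; treat everything checked out from the head branch as data, never execute it`, so that a future step that runs a script or installs dependencies from the fork checkout is caught in review.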
@@ -28,6 +33,7 @@ jobs:
2833
with:
2934
fetch-depth: 2
3035

36+
# Avoid checking out any code outside of content/
3137
- name: Sparse checkout of content directory from fork to temp directory
3238
if: ${{ github.event_name == 'pull_request_target' }}
3339
uses: actions/checkout@v3
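Review bot: the added comment `# Avoid checking out any code outside of content/` describes a path restriction, but a sparse checkout only limits what lands on disk; it does not make the files under `content/` trustworthy, and the actual paths are configured in this step's `with:` block, which is outside the hunk. Suggest wording the comment as the control it really is, e.g. `# Data-only checkout of the untrusted head branch; restricted to content/ as defence in depth, nothing here is ever executed`. On the unchanged `uses: actions/checkout@v3` line, consider pinning to a full commit SHA rather than a mutable tag, since this job runs with base-repository credentials.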
@@ -61,14 +67,18 @@ jobs:
6167
echo "Event name: ${{ github.event_name }}"
6268
echo "Pull request number: ${{ github.event.pull_request.number }}"
6369
echo "Pull request user login: ${{ github.event.pull_request.user.login }}"
64-
echo "Base ref: ${{ github.event.pull_request.base.ref }}"
65-
echo "Head sha: ${{ github.event.pull_request.head.sha }}"
70+
echo "Base (target) ref: ${{ github.event.pull_request.base.ref }}"
71+
echo "Base (target) sha: ${{ github.event.pull_request.base.sha }}"
72+
echo "Head (source) ref: ${{ github.event.pull_request.head.ref }}"
73+
echo "Head (source) sha: ${{ github.event.pull_request.head.sha }}"
6674
git status
6775
git remote -v
6876
git log --oneline -n 10
6977
7078
- name: Run quality checks
71-
# Don't run local code for security reasons
79+
# The local code is untrusted and could be malicious. Don't run it.
80+
# See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
81+
# See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
7282
uses: Roblox/creator-docs/.github/actions/quality-checks@main
7383
with:
7484
GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
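Review bot: the new line `echo "Head (source) ref: ${{ github.event.pull_request.head.ref }}"` interpolates a fork-controlled value (the PR branch name) directly into a `run:` script; `${{ }}` expressions are substituted before the shell parses the script, which is the script-injection pattern GitHub's own `pull_request_target` guidance warns about, and here the job holds repository secrets. The existing `user.login` echo has the same shape. Suggest exposing these values through `env:` and quoting them, e.g. `env: HEAD_REF: ${{ github.event.pull_request.head.ref }}` and then `echo "Head (source) ref: $HEAD_REF"`, so the value is passed as data rather than source. The reworded comment above `uses: Roblox/creator-docs/.github/actions/quality-checks@main` is clearer than the old one; it would help to also note there that the action is deliberately resolved from this repository's `main`, not from the PR, so that the reference is not "fixed" to the fork in a later edit.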
