fix: permissions of validate pipelines (#1316)

se-bastiaan · web-flow · commit 4da57bd76ca1 · 2025-01-07T20:34:37.000+01:00
* Fix permission in validate-filenames pipeline

* Run Github Actions for script validation on pull_request_target with right permissions
diff --git a/.github/workflows/validate-filenames.yml b/.github/workflows/validate-filenames.yml
@@ -1,23 +1,36 @@
 name: Validate filenames
 
 on:
-  pull_request:
+  pull_request_target:
     paths:
       - "ct/*.sh"
       - "install/*.sh"
       - "json/*.json"
-      - ".github/workflows/validate-filenames.yml"
 
 jobs:
   check-files:
     name: Check changed files
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
 
     steps:
+      - name: Get pull request information
+        uses: actions/github-script@v7
+        id: pr
+        with:
+          script: |
+            const { data: pullRequest } = await github.rest.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            return pullRequest;
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Ensure the full history is fetched for accurate diffing
+          ref: ${{ fromJSON(steps.pr.outputs.result).merge_commit_sha }}
 
       - name: Get changed files
         id: changed-files
diff --git a/.github/workflows/validate-formatting.yaml b/.github/workflows/validate-formatting.yaml
@@ -4,11 +4,10 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
     paths:
       - "**/*.sh"
       - "**/*.func"
-      - ".github/workflows/validate-formatting.yaml"
 
 jobs:
   shfmt:
@@ -18,10 +17,22 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Get pull request information
+        uses: actions/github-script@v7
+        id: pr
+        with:
+          script: |
+            const { data: pullRequest } = await github.rest.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            return pullRequest;
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          fetch-depth: 0 # Ensure the full history is fetched for accurate diffing
+          ref: ${{ fromJSON(steps.pr.outputs.result).merge_commit_sha }}
 
       - name: Get changed files
         id: changed-files
diff --git a/.github/workflows/validate-scripts.yml b/.github/workflows/validate-scripts.yml
@@ -3,11 +3,10 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
     paths:
       - "ct/*.sh"
       - "install/*.sh"
-      - ".github/workflows/validate-scripts.yml"
 
 jobs:
   check-scripts:
@@ -17,10 +16,22 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Get pull request information
+        uses: actions/github-script@v7
+        id: pr
+        with:
+          script: |
+            const { data: pullRequest } = await github.rest.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            return pullRequest;
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          fetch-depth: ${{ github.event_name == 'pull_request' && 2 || 0 }}
+          fetch-depth: 0 # Ensure the full history is fetched for accurate diffing
+          ref: ${{fromJSON(steps.pr.outputs.result).merge_commit_sha}}
           
       - name: Set execute permission for .sh files
         run: |
