1- name : Checkmarx One Scan
1+ name : Checkmarx One Scan (Fork-Friendly)
22
33# use only job-level permissions
44permissions : {}
55
66on :
7- pull_request :
7+ pull_request_target : # Changed from pull_request to pull_request_target
8+ types : [opened, synchronize, reopened]
89 branches : [ '**' ]
910 push :
1011 branches : [ 'main' ]
@@ -25,25 +26,27 @@ jobs:
2526 runs-on : ubuntu-latest
2627
2728 steps :
28- - name : Checkout
29- uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
29+ # CRITICAL: DO NOT CHECKOUT THE PR CODE
30+ # This is what makes it safe with pull_request_target
3031
3132 # TODO: Remove this checkout step once upload-sarif-github-action repo is made public
3233 # Currently required because GitHub Actions can't directly reference private repos
3334 - name : Checkout Upload action repository
3435 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
3536 with :
3637 repository : midnightntwrk/upload-sarif-github-action
37- ref : 8202d2182e4c0ebec293f9d9140c3378a2afe16e
38+ ref : sean/PM-19431-fork-friendly-checkmarx # Use branch until merged
3839 path : upload-sarif-github-action
3940 token : ${{ secrets.MIDNIGHTCI_REPO }}
4041
41- # Once public, can simplify to: uses: midnightntwrk/upload-sarif-github-action/checkmarx-scan@8202d2182e4c0ebec293f9d9140c3378a2afe16e
42- - name : Checkmarx Full Scan
43- uses : ./upload-sarif-github-action/checkmarx-scan
42+ # Once public and merged, can simplify to:
43+ # uses: midnightntwrk/upload-sarif-github-action/checkmarx-scan-public@main
44+ - name : Checkmarx Full Scan (Fork-Friendly)
45+ uses : ./upload-sarif-github-action/checkmarx-scan-public
4446 with :
47+ project-name : midnightntwrk/midnight-node-docker
4548 cx-client-id : ${{ secrets.CX_CLIENT_ID }}
4649 cx-client-secret : ${{ secrets.CX_CLIENT_SECRET_EU }}
4750 cx-tenant : ${{ secrets.CX_TENANT }}
48- scs- repo-token : ${{ secrets.MIDNIGHTCI_REPO }}
51+ # repo-url and branch are auto-detected from PR context
4952 upload-to-github : ' true'
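Review bot: The `ref:` on the upload-sarif-github-action checkout moves from a pinned commit to the mutable branch `sean/PM-19431-fork-friendly-checkmarx`, and since this workflow now runs under `pull_request_target` the composite action fetched from that branch executes with `CX_CLIENT_ID`, `CX_CLIENT_SECRET_EU`, `CX_TENANT` and `MIDNIGHTCI_REPO` in scope on every fork PR, so anyone who can push to that branch can exfiltrate those secrets; pin a full commit SHA from the branch even for the interim, e.g. `ref: <40-char sha>  # sean/PM-19431-fork-friendly-checkmarx, until merged`. The comment "repo-url and branch are auto-detected from PR context" implies the action presumably reads the PR head repo and ref, which are attacker-chosen on a fork PR — if `checkmarx-scan-public` interpolates them into a `run:` script instead of passing them via `env:` or inputs, that is script injection in a privileged job and should be confirmed before this merges. The "DO NOT CHECKOUT THE PR CODE" note is correct, but the trigger filter `branches: [ '**' ]` in the first hunk means no base-branch gate remains, so consider restricting it to the branches you actually scan. The job's `permissions:` block lies outside this hunk; `upload-to-github: 'true'` needs `security-events: write`, which cannot be verified from here.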