Remove pull_request support (#1109)

Author: xalvarez

.github/workflows/test.yml

@@ -1,8 +1,5 @@
 name: 'build-test'
 on:
-  pull_request:
-    branches:
-      - main
   pull_request_target:
     branches:
       - main

README.md

@@ -36,16 +36,12 @@ The action has the following inputs:
   If not provided or set to `false`, the action will fail if a pattern match is found.
 
 > [!IMPORTANT]
-> This Action supports pull_request and pull_request_target events only.
-
-> [!CAUTION]
-> If you are using the pull_request event, users can manipulate your workflow and add themselves as trusted authors,
-> change the pattern, or manipulate the protecting workflow otherwise.
->
-> pull_request_target always relies on the action of the target branch.
-> Please be aware that the protecting workflow should follow GitHub's security recommendations for pull_request_target.
-> You can find more information in the [docs](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target)
-> or [this blog post](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).
+> This Action supports `pull_request_target` events exclusively. Supporting `pull_request` events would enable users to
+> manipulate the workflow by potentially adding themselves as trusted authors, modifying the pattern, or otherwise
+> compromising the protective workflow. Please ensure that your protective workflow adheres to GitHub's security
+> recommendations for `pull_request_target`. For more detailed information, refer to the
+> [official documentation](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target)
+> or this [security blog post](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).
 
 ## GITHUB_TOKEN permissions
 

__tests__/main.test.ts

@@ -46,7 +46,7 @@ describe('main', () => {
     })
 
     isTrustedAuthorSpy = jest.spyOn(authorChecker, 'isTrustedAuthor').mockResolvedValue(false)
-    context.eventName = 'pull_request'
+    context.eventName = 'pull_request_target'
     context.payload = {
       pull_request: {
         number: 1
@@ -90,25 +90,14 @@ describe('main', () => {
     expect(core.setFailed).not.toHaveBeenCalled()
   })
 
-  it('Should support pull_request_target event', async () => {
-    context.eventName = 'pull_request_target'
-
-    await run()
-
-    expect(getChangedFilesSpy).toHaveBeenCalled()
-    expect(core.setFailed).not.toHaveBeenCalled()
-  })
-
-  it('Should fail when event name is not pull_request or pull_request_target', async () => {
+  it('Should fail when event name is not pull_request_target', async () => {
     context.eventName = 'push'
 
     await run()
 
     expect(getChangedFilesSpy).not.toHaveBeenCalled()
     expect(checkChangedFilesAgainstPatternSpy).not.toHaveBeenCalled()
-    expect(core.setFailed).toHaveBeenCalledWith(
-      'Only pull_request and pull_request_targets events are supported. Event was: push'
-    )
+    expect(core.setFailed).toHaveBeenCalledWith('Only pull_request_target events are supported. Event was: push')
   })
 
   it('Should fail when pull request payload is missing', async () => {

dist/index.js

@@ -12,6 +12,7 @@
     "lint-check": "eslint --max-warnings 0",
     "package": "ncc build src/index.ts -o dist --source-map --license LICENSE",
     "test": "jest",
+    "test-watch": "jest --watchAll",
     "all": "npm run build && npm run format-check && npm run lint-check && npm run package && npm test"
   },
   "repository": {

dist/index.js.map

@@ -12,12 +12,7 @@ export async function run(): Promise<void> {
     core.debug(`Event='${eventName}', Author='${pullRequestAuthor}', Trusted Authors='${trustedAuthors}'`)
     if (await isTrustedAuthor(pullRequestAuthor, trustedAuthors)) {
       core.info(`${pullRequestAuthor} is a trusted author and is allowed to modify any matching files.`)
-    } else if (eventName === 'pull_request' || eventName === 'pull_request_target') {
-      if (eventName === 'pull_request') {
-        core.warning(
-          "pull_request support is deprecated because it allows bypassing this action's checks when modifying the corresponding workflow within a pull request. Please switch to pull_request_target."
-        )
-      }
+    } else if (eventName === 'pull_request_target') {
       const githubToken: string = core.getInput('githubToken', {required: true})
       const gitHubService = new GitHubService(githubToken)
       const pullRequestNumber: number = context.payload.pull_request?.number || 0
@@ -44,7 +39,7 @@ export async function run(): Promise<void> {
         core.setFailed('Pull request number is missing in github event payload')
       }
     } else {
-      core.setFailed(`Only pull_request and pull_request_targets events are supported. Event was: ${eventName}`)
+      core.setFailed(`Only pull_request_target events are supported. Event was: ${eventName}`)
     }
   } catch (error: unknown) {
     if (error instanceof Error) {