ci: allows checkout from forks #12256
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Scanned Files: None
Radius functional test overview
Test Status: ⌛ Building Radius and pushing container images for functional tests...
Pull request overview
This PR updates Radius GitHub Actions workflows to opt into actions/checkout v7’s allow-unsafe-pr-checkout so fork-based PRs can be checked out in contexts (notably pull_request_target) where checkout is otherwise blocked.
Changes:
- Enable fork PR checkout in the cloud functional test workflow by adding `allow-unsafe-pr-checkout` to relevant `actions/checkout` steps.
- Enable fork PR checkout in the shared `__changes.yml` reusable workflow checkout step.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/functional-test-cloud.yaml | Adds allow-unsafe-pr-checkout to multiple checkout steps to permit fork PR checkouts in pull_request_target runs. |
| .github/workflows/__changes.yml | Adds allow-unsafe-pr-checkout to the reusable workflow’s checkout step so callers can run change-detection against fork PR refs. |
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #12256 +/- ##
==========================================
- Coverage 52.87% 52.86% -0.01%
==========================================
Files 751 751
Lines 48353 48353
==========================================
- Hits 25566 25564 -2
- Misses 20387 20388 +1
- Partials 2400 2401 +1
Description
This pull request updates several GitHub Actions workflow files to add the `allow-unsafe-pr-checkout: true` option to various `actions/checkout` steps. This change ensures that workflows can check out pull request code even when GitHub's default protections would block it, which can be necessary for certain workflows or testing scenarios - PR checkout from forks.

Discovered in #12070 after #12246
Error: Refusing to check out fork pull request code from a 'pull_request_target' workflow. This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner access. Fetching and executing a fork's code in that trusted context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' on the actions/checkout step.

Type of change
Contributor checklist
Please verify that the PR meets the following requirements, where applicable:
eng/design-notes/ in this repository, if new APIs are being introduced.
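
The error quoted in the description lists what a `pull_request_target` run exposes to fork code: the base repository's GITHUB_TOKEN, secrets, default-branch cache scope and runner. As an added example (not taken from this PR or from the Radius workflow files), this is one way to bound that exposure on a job that sets the opt-in; the workflow name, the environment name and the build command are assumptions.

```yaml
# Added example: a hypothetical workflow, not a Radius workflow file.
name: fork-pr-tests              # hypothetical name
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Default every job in this workflow to a read-only GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  test-fork-code:
    runs-on: ubuntu-latest
    # Assumption: an environment named "fork-pr-approval" exists, has
    # required reviewers configured and holds no secrets, so a maintainer
    # approves each run before fork code executes.
    environment: fork-pr-approval
    steps:
      - name: Check out the PR head (untrusted code)
        uses: actions/checkout@v7
        with:
          # Pin to the commit that triggered the run, not a moving branch.
          ref: ${{ github.event.pull_request.head.sha }}
          # The opt-in named in the error message quoted above.
          allow-unsafe-pr-checkout: true
          # Do not leave the token in the local git config, where later
          # steps running fork code could read it.
          persist-credentials: false

      # No cache steps in this job: the run uses the default-branch cache
      # scope, so anything saved here would be restored by trusted runs.
      - name: Build and test
        # No secrets are referenced in steps that execute fork code.
        run: make test           # hypothetical build command
```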