ci: allows checkout from forks #12256

Merged
DariuszPorowski merged 1 commit into main from dp/fork-pr-checkout on Jun 26, 2026

@DariuszPorowski DariuszPorowski commented Jun 25, 2026

Member

Description

This pull request updates several GitHub Actions workflow files to add the allow-unsafe-pr-checkout: true option to various actions/checkout steps. This change ensures that workflows can check out pull request code even when GitHub's default protections would block it, which can be necessary for certain workflows or testing scenarios - PR checkout from forks.

Discovered in #12070 after #12246

Error: Refusing to check out fork pull request code from a 'pull_request_target' workflow. This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner access. Fetching and executing a fork's code in that trusted context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' on the actions/checkout step.

Type of change

  • This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • Not applicable
  • A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
    • Yes
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • Not applicable
  • A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable

@DariuszPorowski DariuszPorowski self-assigned this Jun 25, 2026
Copilot AI review requested due to automatic review settings June 25, 2026 22:16
@DariuszPorowski DariuszPorowski requested review from a team as code owners June 25, 2026 22:16
@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

radius-functional-tests Bot commented Jun 25, 2026

Radius functional test overview

| Name | Value |
| --- | --- |
| Repository | radius-project/radius |
| Commit ref | 29036f7 |
| Unique ID | funce9048c581a |
| Image tag | pr-funce9048c581a |
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-funce9048c581a
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-funce9048c581a
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-funce9048c581a
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-funce9048c581a
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-funce9048c581a
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

Copilot AI left a comment

Contributor

Pull request overview

This PR updates Radius GitHub Actions workflows to opt into actions/checkout v7’s allow-unsafe-pr-checkout so fork-based PRs can be checked out in contexts (notably pull_request_target) where checkout is otherwise blocked.

Changes:

  • Enable fork PR checkout in the cloud functional test workflow by adding allow-unsafe-pr-checkout to relevant actions/checkout steps.
  • Enable fork PR checkout in the shared __changes.yml reusable workflow checkout step.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| .github/workflows/functional-test-cloud.yaml | Adds allow-unsafe-pr-checkout to multiple checkout steps to permit fork PR checkouts in pull_request_target runs. |
| .github/workflows/__changes.yml | Adds allow-unsafe-pr-checkout to the reusable workflow’s checkout step so callers can run change-detection against fork PR refs. |

Comment thread .github/workflows/functional-test-cloud.yaml
Comment thread .github/workflows/functional-test-cloud.yaml
Comment thread .github/workflows/functional-test-cloud.yaml
Comment thread .github/workflows/functional-test-cloud.yaml
Comment thread .github/workflows/__changes.yml
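
A minimal audit for the opt-in discussed in this PR, as an added example that is not part of the PR or the Radius repository: it lists every actions/checkout step that sets allow-unsafe-pr-checkout: true and reports whether the workflow mentions pull_request_target and whether the step leaves the token persisted. The sample workflow is constructed, the line-based parsing is a simplification of YAML, and treating an unset persist-credentials as true is an assumption about the action's default.

```python
import re

# Constructed sample workflow for illustration; not a file from the Radius repository.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  test:
    steps:
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          allow-unsafe-pr-checkout: true
      - uses: actions/checkout@v7
        with:
          allow-unsafe-pr-checkout: true
          persist-credentials: false
"""

ITEM = re.compile(r"^\s*-\s+(.*)$")
KEY_VALUE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")

def parse_steps(text):
    """Return [(line_no, keys)] per `- ` list item, flattening nested keys such as `with:`."""
    steps, indent, open_ = [], 0, False
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cur, item = len(line) - len(line.lstrip()), ITEM.match(line)
        if item and (not open_ or cur <= indent):
            steps.append((no, {}))
            indent, open_, line = cur, True, item.group(1)
        elif cur <= indent:
            open_ = False  # dedent: this list has ended
        kv = KEY_VALUE.match(line) if open_ else None
        if kv:
            steps[-1][1][kv.group(1)] = kv.group(2).strip("'\"")
    return steps

def audit_workflow(text):
    """List checkout steps that opt in; assumes persist-credentials is true when unset."""
    privileged = re.search(r"^[^#\n]*\bpull_request_target\b", text, re.M) is not None
    return [{"line": no, "pull_request_target": privileged,
             "token_persisted": s.get("persist-credentials", "true").lower() != "false"}
            for no, s in parse_steps(text)
            if s.get("uses", "").startswith("actions/checkout@")
            and s.get("allow-unsafe-pr-checkout", "").lower() == "true"]
```

Run over the files under .github/workflows/, any finding with both pull_request_target and token_persisted set marks a step where fork code is fetched while the base repository's token stays in the checked-out working tree.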
@github-actions

Unit Tests

    2 files  ±0    450 suites  ±0   7m 36s ⏱️ +2s
5 591 tests ±0  5 589 ✅ ±0  2 💤 ±0  0 ❌ ±0 
6 788 runs  ±0  6 786 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit 29036f7. ± Comparison against base commit 62b741f.

codecov Bot commented Jun 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.86%. Comparing base (62b741f) to head (29036f7).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #12256      +/-   ##
==========================================
- Coverage   52.87%   52.86%   -0.01%     
==========================================
  Files         751      751              
  Lines       48353    48353              
==========================================
- Hits        25566    25564       -2     
- Misses      20387    20388       +1     
- Partials     2400     2401       +1     

@DariuszPorowski DariuszPorowski added this pull request to the merge queue Jun 25, 2026
Merged via the queue into main with commit f703bc7 Jun 26, 2026
76 checks passed
@DariuszPorowski DariuszPorowski deleted the dp/fork-pr-checkout branch June 26, 2026 00:14