From dca11812c2add2c8ad81bfda606c95869fd8900a Mon Sep 17 00:00:00 2001
From: Riku Isokoski
Date: Sat, 7 Jan 2023 20:17:18 +0200
Subject: [PATCH] workflows: Disable build size comment in fork PRs

Due to a security concern, comments can only be created in the context of branches in the repo. PRs from forks can't get the comment.
https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#restrictions-on-repository-forks
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
---
 .github/workflows/main.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c2570627..b010ad91 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -138,7 +138,7 @@ jobs:
 . /opt/build.sh
 .github/workflows/getSize.sh "$BUILD_DIR"/src/pinetime-app-*.out >> $GITHUB_OUTPUT

- leave-build-size-comment:
+ compare-build-size:
 if: github.event_name == 'pull_request'
 needs: [build-firmware, get-base-ref-size]
 runs-on: ubuntu-latest
@@ -167,6 +167,9 @@ jobs:
 echo "bss_diff=$BSS_SIZE_DIFF" >> $GITHUB_OUTPUT

 - name: Find Comment
+ # Due to a security concern, comments can only be created in the context of branches in the repo.
+ # PRs from forks can't get the comment.
+ if: github.event.pull_request.head.repo.full_name == github.repository
 uses: peter-evans/find-comment@v2
 id: build-size-comment
 with:
@@ -175,6 +178,7 @@ jobs:
 body-includes: Build size and comparison to

 - name: Create or update comment
+ if: github.event.pull_request.head.repo.full_name == github.repository
 uses: peter-evans/create-or-update-comment@v2
 with:
 comment-id: ${{ steps.build-size-comment.outputs.comment-id }}
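Review bot: The comment added above the `if:` on the Find Comment step names only "a security concern", which does not tell the next maintainer why the guard has to stay. Judging by the commit message and its links, the reason is that `pull_request` runs for fork PRs get a read-only token, and the tempting workaround of switching the trigger to `pull_request_target` would give write access to a job that depends on `build-firmware`. I would reword it to `# PRs from forks run with a read-only GITHUB_TOKEN, so the comment cannot be posted for them.` followed by `# Do not work around this with pull_request_target while this workflow builds PR code.` The same `if:` is added to the Create or update comment step in the next hunk with no comment at all, and the step list starts and ends outside both hunks.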
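Review bot: The fork check on the Create or update comment step is a second copy of the expression already placed on the Find Comment step, so a later edit to one copy can leave the other behind, for example the create step running with an empty `comment-id`. Evaluating it once at job level keeps the two steps in lockstep: an `env:` entry `SAME_REPO_PR: ${{ github.event.pull_request.head.repo.full_name == github.repository }}` on `compare-build-size`, and `if: env.SAME_REPO_PR == 'true'` on both steps. The `with:` block of this step appears to continue outside the hunk.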