Created
March 9, 2023 12:56
-
-
Save mheap/2c66574509e90747b9fd885e2376935c to your computer and use it in GitHub Desktop.
Run steps with access to secrets on PRs from forks with GitHub Actions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Demo | |
| on: | |
| pull_request_target: | |
| types: [opened, synchronize, labeled] | |
| jobs: | |
| demo: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check access | |
| if: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' && !contains(github.event.*.labels.*.name, 'ci:run-tests') }} | |
| run: | | |
| echo "Event not triggered by a collaborator. Please add the ci:run-tests label to trigger this workflow with the correct permissions" | |
| exit 1 | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} # This is dangerous without the first access check | |
| - name: Test | |
| run: | | |
| if [[ "x${{ secrets.MY_SECRET }}" == "xval" ]]; then | |
| echo "Access to secrets" | |
| else | |
| echo "No access to secrets" | |
| exit 1 | |
| fi | |
| - uses: actions-ecosystem/action-remove-labels@v1 | |
| if: ${{ contains(github.event.*.labels.*.name, 'ci:run-tests') }} | |
| with: | |
| labels: ci:run-tests |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment