docs-bot
@@ -339,7 +339,9 @@ Caches have branch scope restrictions in place, which means some caches have lim
|
||||
|
||||
For example, a repository could have many new pull requests opened, each with their own caches that are restricted to that branch. These caches could take up the majority of the cache storage for that repository. {% data reusables.actions.cache-eviction-policy %} In order to prevent cache thrashing when this happens, you can set up workflows to delete caches on a faster cadence than the cache eviction policy will. You can use the [`gh-actions-cache`](https://github.com/actions/gh-actions-cache/) CLI extension to delete caches for specific branches.
|
||||
|
||||
This example workflow uses `gh-actions-cache` to delete up to 100 caches created by a branch once a pull request is closed.
|
||||
The following example workflow uses `gh-actions-cache` to delete up to 100 caches created by a branch once a pull request is closed.
|
||||
|
||||
To run the following example on cross-repository pull requests or pull requests from forks, you can trigger the workflow with the `pull_request_target` event. If you do use `pull_request_target` to trigger the workflow, there are security considerations to keep in mind. For more information, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)."
|
||||
|
||||
```yaml
|
||||
name: cleanup caches by a branch
|
||||
|
||||
@@ -814,11 +814,7 @@ This event runs in the context of the base of the pull request, rather than in t
|
||||
|
||||
To ensure repository security, branches with names that match certain patterns (such as those which look similar to SHAs) may not trigger workflows with the `pull_request_target` event.
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning:** For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` is granted read/write repository permission unless the `permissions` key is specified and the workflow can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see "[Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)" on the GitHub Security Lab website.
|
||||
|
||||
{% endwarning %}
|
||||
{% data reusables.actions.pull-request-target-permissions-warning %}
|
||||
|
||||
For example, you can run a workflow when a pull request has been `assigned`, `opened`, `synchronize`, or `reopened`.
|
||||
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
{% warning %}
|
||||
|
||||
**Warning:** For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` is granted read/write repository permission unless the `permissions` key is specified and the workflow can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see "[Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)" on the GitHub Security Lab website.
|
||||
|
||||
{% endwarning %}
|
||||
Reference in New Issue
Block a user