From d49ccb084e21efe1614dceb4e5cdc2dffd4f294d Mon Sep 17 00:00:00 2001 From: ylemkimon Date: Mon, 16 Nov 2020 00:11:40 +0900 Subject: [PATCH 1/6] Add warning regarding `pull_request_target` event --- content/actions/reference/events-that-trigger-workflows.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/actions/reference/events-that-trigger-workflows.md b/content/actions/reference/events-that-trigger-workflows.md index f4d23c9cae..0bda7e9372 100644 --- a/content/actions/reference/events-that-trigger-workflows.md +++ b/content/actions/reference/events-that-trigger-workflows.md @@ -574,6 +574,12 @@ on: This event is similar to `pull_request`, except that it runs in the context of the base repository of the pull request, rather than in the merge commit. This means that you can more safely make your secrets available to the workflows triggered by the pull request, because only workflows defined in the commit on the base repository are run. For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload. +{% warning %} + +**Warning**: When using the `pull_request_target` event, be mindful that it runs in the context of the base repository. As a result, the `GITHUB_TOKEN` has write access to the repository and the cache shares the same scope with the base branch. It is recommended to not run untrusted code in the same context as it may access sensitive information and manipulate the enviroment of the workflow. Furthermore, do not save cache if cache contents could have been altered to prevent cache posioning. + +{% endwarning %} + | Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` | | --------------------- | -------------- | ------------ | -------------| | [`pull_request`](/webhooks/event-payloads/#pull_request) | - `assigned`
- `unassigned`
- `labeled`
- `unlabeled`
- `opened`
- `edited`
- `closed`
- `reopened`
- `synchronize`
- `ready_for_review`
- `locked`
- `unlocked`
- `review_requested`
- `review_request_removed` | Last commit on the PR base branch | PR base branch | From a8cab926e1ede039bc918668a0f636d69aca69b7 Mon Sep 17 00:00:00 2001 From: ylemkimon Date: Fri, 4 Dec 2020 15:43:47 +0900 Subject: [PATCH 2/6] Update content/actions/reference/events-that-trigger-workflows.md Co-authored-by: Martin Lopes <54248166+martin389@users.noreply.github.com> --- content/actions/reference/events-that-trigger-workflows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/events-that-trigger-workflows.md b/content/actions/reference/events-that-trigger-workflows.md index 3e54682f44..add49eb6ca 100644 --- a/content/actions/reference/events-that-trigger-workflows.md +++ b/content/actions/reference/events-that-trigger-workflows.md @@ -580,7 +580,7 @@ This event is similar to `pull_request`, except that it runs in the context of t {% warning %} -**Warning**: When using the `pull_request_target` event, be mindful that it runs in the context of the base repository. As a result, the `GITHUB_TOKEN` has write access to the repository and the cache shares the same scope with the base branch. It is recommended to not run untrusted code in the same context as it may access sensitive information and manipulate the enviroment of the workflow. Furthermore, do not save cache if cache contents could have been altered to prevent cache posioning. +**Warning**: When using the `pull_request_target` event, be aware that it runs in the context of the base repository. This means that the `GITHUB_TOKEN` has write access to the repository, and the cache shares the same scope as the base branch. As a result, do not run untrusted code in the same context, as there is a risk that it may access sensitive information and unexpectedly manipulate the workflow environment. In addition, to help prevent cache poisoning, do not save the cache if there is a possibility that the cache contents were altered. {% endwarning %} 
From df09191c0f1d7d83e72618791d13d4093d3c4087 Mon Sep 17 00:00:00 2001 From: Rachael Sewell Date: Mon, 14 Dec 2020 16:09:13 -0800 Subject: [PATCH 3/6] fix some bugs in new workflow (#2094) --- .../triage-unallowed-contributions.yml | 25 ++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/triage-unallowed-contributions.yml b/.github/workflows/triage-unallowed-contributions.yml index ab40b3232e..f28692580d 100644 --- a/.github/workflows/triage-unallowed-contributions.yml +++ b/.github/workflows/triage-unallowed-contributions.yml @@ -2,6 +2,8 @@ name: Check unallowed file changes on: push: + pull_request: + types: [opened, reopened] jobs: triage: @@ -20,8 +22,17 @@ jobs: ...context.repo, commit_sha: context.sha }) + const pullNumber = pulls.data + .map(pull => pull.number) + .shift() - return pulls.data.map(pull => pull.number).shift() + if (pullNumber) { + console.log(`Pull request number: ${pullNumber}`) + return pullNumber + } else { + console.log(`When this workflow ran, the associated pull request was not yet created. Pushing a new commit after you've created a pull request will automatically re-run this workflow, or you can manually re-run the workflow.`) + process.exit(1) + } - name: Check for existing requested changes id: requested-change uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9 @@ -34,10 +45,16 @@ jobs: pull_number: ${{steps.pull-number.outputs.result}} }) - return pullReviews.data + const botReviews = pullReviews.data .filter(review => review.user.login === 'github-actions[bot]') .sort((a, b) => new Date(b.submitted_at) - new Date(a.submitted_at)) .shift() + + if (botReviews) { + console.log(`Pull request reviews authored by the github-action bot: ${botReviews}`) + } + return botReviews + - name: Get files changed uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58 id: filter 
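Review bot: The new `pull_request` trigger makes this workflow run for pull requests opened from forks, where `GITHUB_TOKEN` is read-only, so the later steps that post or dismiss reviews with `secrets.GITHUB_TOKEN` will presumably fail with 403 on those runs; either restrict the write steps with something like `if: github.event.pull_request.head.repo.full_name == github.repository` or keep the trigger to `push` only. In the pull-number hunk, `context.sha` on a `pull_request` run is the synthetic merge commit rather than the PR head, so `listPullRequestsAssociatedWithCommit` is likely to return nothing and the new `process.exit(1)` branch fires; prefer `context.payload.pull_request?.number` when the event provides it, and report the failure with `core.setFailed(...)` instead of `process.exit(1)` so the reason shows in the run summary. In the review-lookup hunk, `${botReviews}` interpolates an object and prints `[object Object]`; log `botReviews.state` (or `JSON.stringify(botReviews)`) and, since the value is a single review, `botReview` would be the clearer name. The remaining steps of this job continue outside the hunk.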
@@ -104,7 +121,9 @@ jobs: # When the most recent review was CHANGES_REQUESTED and the existing # PR no longer contains unallowed changes, dismiss the previous review - name: Dismiss pull request review - if: ${{ steps.filter.outputs.notAllowed == 'false' && fromJson(steps.requested-change.outputs.result).state == 'CHANGES_REQUESTED' }} + # Check that unallowed files aren't modified and that a + # CHANGES_REQUESTED review already exists + if: ${{ steps.filter.outputs.notAllowed == 'false' && steps.requested-change.outputs.result && fromJson(steps.requested-change.outputs.result).state == 'CHANGES_REQUESTED' }} uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9 with: github-token: ${{secrets.GITHUB_TOKEN}} From 7a9f4bfc922d01e4a86f24b2831cd68cb9a21b1d Mon Sep 17 00:00:00 2001 From: Rachael Sewell Date: Mon, 14 Dec 2020 16:25:55 -0800 Subject: [PATCH 4/6] Revert "fix some bugs in new workflow (#2094)" (#2098) This reverts commit df09191c0f1d7d83e72618791d13d4093d3c4087. --- .../triage-unallowed-contributions.yml | 25 +++---------------- 1 file changed, 3 insertions(+), 22 deletions(-) diff --git a/.github/workflows/triage-unallowed-contributions.yml b/.github/workflows/triage-unallowed-contributions.yml index f28692580d..ab40b3232e 100644 --- a/.github/workflows/triage-unallowed-contributions.yml +++ b/.github/workflows/triage-unallowed-contributions.yml @@ -2,8 +2,6 @@ name: Check unallowed file changes on: push: - pull_request: - types: [opened, reopened] jobs: triage: 
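Review bot: The added `steps.requested-change.outputs.result &&` guard is correct but its reason is not recorded; when the lookup step returns `undefined` github-script presumably emits an empty `result` output, and `fromJson('')` fails expression evaluation rather than yielding false, so add the comment `# result is empty when no bot review exists; fromJson('') would error, so check it first` next to the condition. Note that this step still authenticates with `secrets.GITHUB_TOKEN`, which is read-only for `pull_request` runs from forks under the trigger this commit adds, so even when the condition is true the dismiss call will fail on those runs unless the step is also limited to same-repository events. The step's body continues outside the hunk.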
@@ -22,17 +20,8 @@ jobs: ...context.repo, commit_sha: context.sha }) - const pullNumber = pulls.data - .map(pull => pull.number) - .shift() - if (pullNumber) { - console.log(`Pull request number: ${pullNumber}`) - return pullNumber - } else { - console.log(`When this workflow ran, the associated pull request was not yet created. Pushing a new commit after you've created a pull request will automatically re-run this workflow, or you can manually re-run the workflow.`) - process.exit(1) - } + return pulls.data.map(pull => pull.number).shift() - name: Check for existing requested changes id: requested-change uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9 @@ -45,16 +34,10 @@ jobs: pull_number: ${{steps.pull-number.outputs.result}} }) - const botReviews = pullReviews.data + return pullReviews.data .filter(review => review.user.login === 'github-actions[bot]') .sort((a, b) => new Date(b.submitted_at) - new Date(a.submitted_at)) .shift() - - if (botReviews) { - console.log(`Pull request reviews authored by the github-action bot: ${botReviews}`) - } - return botReviews - - name: Get files changed uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58 id: filter @@ -121,9 +104,7 @@ jobs: # When the most recent review was CHANGES_REQUESTED and the existing # PR no longer contains unallowed changes, dismiss the previous review - name: Dismiss pull request review - # Check that unallowed files aren't modified and that a - # CHANGES_REQUESTED review already exists - if: ${{ steps.filter.outputs.notAllowed == 'false' && steps.requested-change.outputs.result && fromJson(steps.requested-change.outputs.result).state == 'CHANGES_REQUESTED' }} + if: ${{ steps.filter.outputs.notAllowed == 'false' && fromJson(steps.requested-change.outputs.result).state == 'CHANGES_REQUESTED' }} uses: actions/github-script@626af12fe9a53dc2972b48385e7fe7dec79145c9 with: github-token: ${{secrets.GITHUB_TOKEN}} 
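Review bot: The revert restores the dismiss step's condition to `fromJson(steps.requested-change.outputs.result).state == 'CHANGES_REQUESTED'` without the emptiness check, so on a PR that has no prior bot review the lookup step returns `undefined`, the `result` output is presumably empty, and `fromJson('')` likely errors instead of evaluating to false. If the revert is only meant to drop the `pull_request` trigger, keep the guard, e.g. `if: ${{ steps.filter.outputs.notAllowed == 'false' && steps.requested-change.outputs.result && fromJson(steps.requested-change.outputs.result).state == 'CHANGES_REQUESTED' }}`. The step list continues outside the hunk.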
From f1f7c95df2ecbea3843ec56c59bf199ca9e63348 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Tue, 15 Dec 2020 01:36:40 -0500 Subject: [PATCH 5/6] fix: Links to localhost addresses (#1505) Co-authored-by: Lucas Costi --- content/developers/apps/authorizing-oauth-apps.md | 4 +++- content/developers/apps/using-content-attachments.md | 2 +- lib/excluded-links.js | 4 ---- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/content/developers/apps/authorizing-oauth-apps.md b/content/developers/apps/authorizing-oauth-apps.md index 655d7d41b8..dfb7888112 100644 --- a/content/developers/apps/authorizing-oauth-apps.md +++ b/content/developers/apps/authorizing-oauth-apps.md @@ -272,7 +272,9 @@ The optional `redirect_uri` parameter can also be used for localhost URLs. If th For the `http://localhost/path` callback URL, you can use this `redirect_uri`: - http://localhost:1234/path +``` +http://localhost:1234/path +``` ### Creating multiple tokens for OAuth Apps diff --git a/content/developers/apps/using-content-attachments.md b/content/developers/apps/using-content-attachments.md index 035324a0db..3bbe27bf11 100644 --- a/content/developers/apps/using-content-attachments.md +++ b/content/developers/apps/using-content-attachments.md @@ -166,7 +166,7 @@ To create a Probot App, follow these steps: } ``` -4. [Run the GitHub App locally](https://probot.github.io/docs/development/#running-the-app-locally). Navigate to [localhost:3000](http://localhost:3000), and click the **Register GitHub App** button: +4. [Run the GitHub App locally](https://probot.github.io/docs/development/#running-the-app-locally). Navigate to `http://localhost:3000`, and click the **Register GitHub App** button: ![Register a Probot GitHub App](/assets/images/github-apps/github_apps_probot-registration.png) diff --git a/lib/excluded-links.js b/lib/excluded-links.js index 7301a5b6b9..e0f8a2c44e 100644 --- a/lib/excluded-links.js +++ b/lib/excluded-links.js 
@@ -9,10 +9,6 @@ module.exports = [ 'https://github.com/github/docs/edit', 'https://github.com/github/insights-releases/releases/latest', - // Developer content uses these for examples; they should not be checked. - 'http://localhost:1234', - 'localhost:3000', - // Oneoff links that link checkers think are broken but are not. 'https://haveibeenpwned.com/', 'https://www.ilo.org/dyn/normlex/en/f\\?p=NORMLEXPUB:12100:0::NO::P12100_ILO_CODE:P029' From d7ccef709b8b31800d4a79cab0ea9196685df0ad Mon Sep 17 00:00:00 2001 From: Lucas Costi Date: Tue, 15 Dec 2020 16:46:30 +1000 Subject: [PATCH 6/6] Fix GITHUB_{HEAD|BASE}_REF env var descriptions (#1955) --- content/actions/reference/environment-variables.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/actions/reference/environment-variables.md b/content/actions/reference/environment-variables.md index 0d2a15674f..c0d9339973 100644 --- a/content/actions/reference/environment-variables.md +++ b/content/actions/reference/environment-variables.md 
@@ -51,8 +51,8 @@ We strongly recommend that actions use environment variables to access the files
 | `GITHUB_WORKSPACE` | The {% data variables.product.prodname_dotcom %} workspace directory path. The workspace directory is a copy of your repository if your workflow uses the [actions/checkout](https://github.com/actions/checkout) action. If you don't use the `actions/checkout` action, the directory will be empty. For example, `/home/runner/work/my-repo-name/my-repo-name`. |
 | `GITHUB_SHA` | The commit SHA that triggered the workflow. For example, `ffac537e6cbbf934b08745a378932722df287a53`. |
 | `GITHUB_REF` | The branch or tag ref that triggered the workflow. For example, `refs/heads/feature-branch-1`. If neither a branch or tag is available for the event type, the variable will not exist. |
-| `GITHUB_HEAD_REF` | Only set for forked repositories. The branch of the head repository.
-| `GITHUB_BASE_REF` | Only set for forked repositories. The branch of the base repository.
+| `GITHUB_HEAD_REF` | Only set for pull request events. The name of the head branch.
+| `GITHUB_BASE_REF` | Only set for pull request events. The name of the base branch.
 | `GITHUB_SERVER_URL`| Returns the URL of the {% data variables.product.product_name %} server. For example: `https://{% data variables.product.product_url %}`.
 | `GITHUB_API_URL` | Returns the API URL. For example: `{% data variables.product.api_url_code %}`.
 | `GITHUB_GRAPHQL_URL` | Returns the GraphQL API URL. For example: `{% data variables.product.graphql_url_code %}`.