fix(ci): harden pull_request_target workflows (persist-credentials + toJson) (#11747)
@@ -37,8 +37,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
ref: ${{ github.event.pull_request.head.sha }}
|
ref: ${{ github.event.pull_request.head.sha }}
|
||||||
fetch-depth: 1
|
fetch-depth: 1
|
||||||
# zizmor: ignore[artipacked]
|
persist-credentials: false # No write token in the untrusted PR-head tree; public repo so base fetch/changed-files work unauthenticated
|
||||||
persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
|
|
||||||
|
|
||||||
- name: Fetch PR base ref for tj-actions/changed-files
|
- name: Fetch PR base ref for tj-actions/changed-files
|
||||||
env:
|
env:
|
||||||
|
|||||||
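Review bot: `persist-credentials: false` keeps the token out of `.git/config`, but the workspace is still the untrusted `github.event.pull_request.head.sha` tree, in what the commit title says is a `pull_request_target` workflow. Any later step that executes, installs from, or loads configuration out of that checkout stays exposed to whatever secrets and permissions the job has. The steps after "Fetch PR base ref" and the body of its `env:` block lie outside this hunk, so that cannot be confirmed from here. The trailing comment is also long for an inline remark, and it rests on the repository staying public. I would put it above the key as `# Untrusted PR-head tree: no token persisted; never run code from this checkout` and `# Unauthenticated base fetch relies on the repo being public`.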
@@ -56,6 +56,6 @@ jobs:
|
|||||||
"PROWLER_PR_BODY": ${{ toJson(github.event.pull_request.body) }},
|
"PROWLER_PR_BODY": ${{ toJson(github.event.pull_request.body) }},
|
||||||
"PROWLER_PR_URL": ${{ toJson(github.event.pull_request.html_url) }},
|
"PROWLER_PR_URL": ${{ toJson(github.event.pull_request.html_url) }},
|
||||||
"PROWLER_PR_MERGED_BY": "${{ github.event.pull_request.merged_by.login }}",
|
"PROWLER_PR_MERGED_BY": "${{ github.event.pull_request.merged_by.login }}",
|
||||||
"PROWLER_PR_BASE_BRANCH": "${{ github.event.pull_request.base.ref }}",
|
"PROWLER_PR_BASE_BRANCH": ${{ toJson(github.event.pull_request.base.ref) }},
|
||||||
"PROWLER_PR_HEAD_BRANCH": "${{ github.event.pull_request.head.ref }}"
|
"PROWLER_PR_HEAD_BRANCH": ${{ toJson(github.event.pull_request.head.ref) }}
|
||||||
}
|
}
|
||||||
|
|||||||
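Review bot: `PROWLER_PR_MERGED_BY` still uses raw quoted interpolation, `"${{ github.event.pull_request.merged_by.login }}"`, while the four neighbouring fields now go through `toJson`. For consistency it could become `"PROWLER_PR_MERGED_BY": ${{ toJson(github.event.pull_request.merged_by.login) }},`, though that would presumably emit `null` rather than `""` when `merged_by` is unset, so the consumer has to accept it. `toJson` only guarantees a well-formed JSON value; it does no escaping for a shell. The object opens outside this hunk, so if it is embedded in a `run:` script rather than an action input, the contributor-chosen `head.ref` should reach the script through `env:` instead of inline expansion.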