forked from catherinedevlin/ipython-sql
-
Notifications
You must be signed in to change notification settings - Fork 76
34 lines (27 loc) · 1.09 KB
/
workflow-edits.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# NOTE: we need this as a security measure so PRs from forks cannot submit a PR and
# modify this file. The only way for this test to pass is to add the
# 'allow-workflow-edits' label and push again.
name: workflow-edited
# note that this triggers on 'pull_request_target' instead of 'pull_request'.
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
# https://docs.boostsecurity.io/rules/cicd-gha-risky-pull-request-target-usage.html
on: [pull_request_target]
jobs:
workflow-edited:
runs-on: ubuntu-latest
if: ${{ !contains(github.event.pull_request.labels.*.name, 'allow-workflow-edits') }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
with:
python-version: '3.10'
- name: Check
id: check
run: |
BRANCH_NAME=master
git fetch --depth=1 origin $BRANCH_NAME:$BRANCH_NAME
git diff --exit-code "$BRANCH_NAME" .github/workflows/