We implement https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets so that workflows which require GitHub secrets can run on external PRs. For that, one member of the `external` group needs to approve the workflow.

The `authorize` job should be required for all following jobs (`needs: authorize`).

When using `actions/checkout`, we would like to check out the merge commit, as this is the default for the `pull_request` event (but not for `pull_request_target`, refer to actions/checkout#518). However, this is in itself not safe, as malicious code can be committed between the approval and the checkout.
Thus the step
- name: Security - check PR SHA
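As an added illustration of the whole pattern (this is example code written for this note, not the project's own workflow), the workflow below gates on an `authorize` job, checks out the PR merge commit under `pull_request_target`, and then verifies that the commit it actually checked out is still the one that was approved. The environment name `external`, the job and secret names, `fetch-depth: 2`, and the use of `git rev-parse HEAD^2` as the verification mechanism are assumptions of this example; the merge commit's second parent is the PR head, so it must equal `github.event.pull_request.head.sha`, which was captured when the run was triggered and is therefore what the reviewer approved.

```yaml
name: tests-on-external-prs   # hypothetical workflow name

on:
  pull_request_target:

jobs:
  # Gate: PRs from forks run this job in the 'external' environment, which is
  # configured in the repository settings to require approval by a reviewer.
  # Same-repository PRs fall through to an environment without reviewers.
  authorize:
    environment: ${{ github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
    runs-on: ubuntu-latest
    steps:
      - run: echo "authorized"

  test:
    needs: authorize   # every job that uses secrets must depend on the gate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base branch by default; request the
          # PR merge commit explicitly (see actions/checkout#518).
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          # depth 2 so the merge commit's parents are present in the shallow clone
          fetch-depth: 2

      - name: Security - check PR SHA
        env:
          APPROVED_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # head.sha comes from the event payload, captured before the reviewer
          # approved the run. A push after approval moves refs/pull/N/merge, and
          # the new merge commit's second parent is the new (unreviewed) head.
          CHECKED_OUT_SHA="$(git rev-parse HEAD^2)"
          echo "approved head:    $APPROVED_SHA"
          echo "checked-out head: $CHECKED_OUT_SHA"
          if [ "$CHECKED_OUT_SHA" != "$APPROVED_SHA" ]; then
            echo "::error::PR head changed after approval; refusing to run with secrets"
            exit 1
          fi

      - name: Run tests that need secrets
        env:
          EXAMPLE_SECRET: ${{ secrets.EXAMPLE_SECRET }}   # placeholder secret name
        run: ./run-tests.sh   # placeholder test command
```

Because the comparison is made against the commit that was actually checked out, a later push to the PR cannot slip past it: either the checkout already contains the new head (and `HEAD^2` no longer matches) or it does not contain it at all. A further push after the check has run does not affect the running job, since the working tree is already fixed.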