Skip to content

Instantly share code, notes, and snippets.

@mheap
Created March 9, 2023 12:56
Show Gist options
  • Save mheap/2c66574509e90747b9fd885e2376935c to your computer and use it in GitHub Desktop.
Save mheap/2c66574509e90747b9fd885e2376935c to your computer and use it in GitHub Desktop.
Run steps with access to secrets on PRs from forks with GitHub Actions
name: Demo
on:
pull_request_target:
types: [opened, synchronize, labeled]
jobs:
demo:
runs-on: ubuntu-latest
steps:
- name: Check access
if: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' && !contains(github.event.*.labels.*.name, 'ci:run-tests') }}
run: |
echo "Event not triggered by a collaborator. Please add the ci:run-tests label to trigger this workflow with the correct permissions"
exit 1
- name: Checkout code
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }} # This is dangerous without the first access check
- name: Test
run: |
if [[ "x${{ secrets.MY_SECRET }}" == "xval" ]]; then
echo "Access to secrets"
else
echo "No access to secrets"
exit 1
fi
- uses: actions-ecosystem/action-remove-labels@v1
if: ${{ contains(github.event.*.labels.*.name, 'ci:run-tests') }}
with:
labels: ci:run-tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment