diff --git a/.README.md.swp b/.README.md.swp
deleted file mode 100644
index 9656a508..00000000
Binary files a/.README.md.swp and /dev/null differ
diff --git a/README.md b/README.md
index 792f50db..0434bc27 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,6 @@ Error: Resource not accessible by integration
 | `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
 | `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
 | `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |
-| `event-name` | No | `pull_request` | Allows customizing the `github.event_name` that is used to sanity check the build and make sure its part of a Pull Request. Default is `pull_request`. Allowed values: `pull_request`, `pull_request_target`.|
 
 ## Output
 
@@ -132,21 +131,6 @@ curl -X POST \ -d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}' ``` -### Trigger action from a `pull_request_target` instead of `pull_request` event - -[trigger_doc]: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows -[security_blog]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - -The action by default verifies that the [trigger][trigger_doc] is a `pull_request` event - which is the most secure and safest way to run your builds. If necessary, you can use the `event-name` property to reconfigure this verification check to support `pull_request_target` events. Make sure that you understand the [security risks][security_blog] of this behavior first. Additionally, ensure that your `checkout` action is configured properly to check out and test the right branch: - -```yaml -- name: Checkout - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} -``` - ## How to upgrade from `2.x` to new `3.x` diff --git a/action.yml b/action.yml index b860ade4..1b35eb4b 100644 --- a/action.yml +++ b/action.yml @@ -40,14 +40,6 @@ inputs: type: boolean description: 'If true, the action will not validate the user or the commit verification status' default: false - event-name: - type: string - description: - default: pull_request - options: - - pull_request - - pull_request_target - runs: using: 'composite' @@ -55,7 +47,7 @@ runs: - name: Fetch metadata id: dependabot-metadata uses: dependabot/fetch-metadata@v1 - if: github.event_name == '${{ inputs.event-name }}' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true') + if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || inputs.skip-verification == 'true') with: skip-commit-verification: ${{ inputs.skip-commit-verification }} skip-verification : ${{ inputs.skip-verification }}
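Review bot: The new `if:` on the `Fetch metadata` step hard-codes `pull_request` without saying why, so a later contributor who only sees action.yml may reintroduce `pull_request_target` support without the context the deleted README section gave; a comment directly above the step would keep the rationale next to the check, e.g. `# Intentionally limited to pull_request events: pull_request_target carries the risks described in https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ and is deliberately unsupported.` The `runs:` block this step belongs to begins outside the hunk. Removing the `event-name` input in the preceding action.yml hunk is also a user-visible break: workflows that still pass `event-name:` will now be supplying an input the action no longer declares, which I believe GitHub surfaces only as an "unexpected input" warning rather than a failure, so the README's `2.x` to `3.x` upgrade section is probably where the removal should be called out. Unrelated to this change but worth noting while the condition is being edited: `inputs.skip-verification == 'true'` still bypasses the `github.actor` check entirely, as the input's description already states.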