From 07ba9aac81debf881c2d0eaa798821cf14e83b3a Mon Sep 17 00:00:00 2001
From: casswedson
Date: Thu, 10 Nov 2022 20:25:48 -0500
Subject: [PATCH] fix: incorrect workflow checkout ref

we have a litte linter/reviewer workflow that's supposed to test the incoming code and spit out a review if there are easy to fix errors say whitespace, indentation etc it can't do that at the moment cause pull_request_target will make the checkout action checkout master; master is always linted so we aren't doing anything force it to check the incoming code, a little trick references: https://semgrep.dev/r?q=yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout
---
 .github/workflows/linter.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 8082d30c9d51d..70d30c7af2d56 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -1,9 +1,12 @@
 name: Code Style Reviewer
-on: pull_request_target
+on:
+ pull_request_target:
+ pull_request:
 jobs:
 skip-duplicates:
+ if: ${{ github.event_name == 'pull_request_target' }}
 continue-on-error: true
 runs-on: ubuntu-latest
 # Map a step output to a job output
@@ -18,12 +21,14 @@ jobs:
 style-code:
 needs: skip-duplicates
-if: ${{ needs.skip-duplicates.outputs.should_skip != 'true' }}
+if: ${{ needs.skip-duplicates.outputs.should_skip != 'true' && github.event_name == 'pull_request_target' }}
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
+ with:
+ ref: '${{ github.event.pull_request.head.sha }}'
 - name: install dependencies
 run: sudo apt-get install astyle
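Review bot: The new `pull_request:` trigger in the `on:` block can only ever produce skipped runs, because the `if: ${{ github.event_name == 'pull_request_target' }}` added to skip-duplicates (and the matching condition on style-code in the second hunk) gates every job to the pull_request_target event; either drop `pull_request:` or decide which jobs are meant to run for it. Since the workflow keeps running on pull_request_target, its jobs hold the base repository's GITHUB_TOKEN and secrets while, per the commit description and the checkout of `github.event.pull_request.head.sha` in the second hunk, the later steps then run in a checkout of the contributor's code — the pattern the referenced Semgrep rule is about. No `permissions:` block is visible in these hunks, so I would add one at the top level next to `on:`, e.g. `permissions:` / `  contents: read` / `  pull-requests: write`, limited to what the review-posting step actually needs. If the lint step needs nothing beyond the checkout, a cleaner split is to run it under `pull_request` with read-only permissions and post the review from a separate `workflow_run`-triggered workflow, so the job that handles untrusted code never sees secrets.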