-
-
Notifications
You must be signed in to change notification settings - Fork 241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Listing modified files does not work when running on the pull_request_target
event
#2125
Comments
@vkucera thanks for reporting ! Any chance you'd be able to transpose your recommended updates here ? megalinter/megalinter/MegaLinter.py Line 643 in f1fb3d6
|
@vkucera, the GitHub docs you linked to advise against using the |
Hi @Kurt-von-Laven , I'm not sure I understand your question. I linked the GitHub docs as a reference for the context of the |
I am saying that this is a quote directly from the GitHub docs on the |
Maybe I am missing something. Running MegaLinter on
|
If, by dedicated GitHub account, you mean one that is not specifically associated with any identity, you should be warned that this is a known bad security practice. Imagine you are a hacker who intends to break into your own system. Which would you rather gain control of (a) an account actively used and monitored by a single individual concerned they may be held culpable for activity originating from that account or (b) an account (in many cases with a weak, shared password and no 2-fa) that is not associated with any single individual or logged into by a human on any regular basis? What you are proposing is, of course, theoretically possible, but GitHub Actions neither currently has nor plans to develop a sufficiently nuanced security model to permit it conveniently and securely. See, for example, pre-commit/action#164, which removed a convenience feature that opened GitHub pull requests containing the changes made by pre-commit hooks. At the time of that PR, the action had already been deprecated and untouched for over a year, and no modifications have been made since. Hopefully that gives a sense of the significance of the security risks posed by that feature.
In the spirit of "shifting left," meaning receiving feedback as early as possible in the development life-cycle, we run MegaLinter locally as a pre-commit hook for the purpose you described. We use ScribeMD/pre-commit-action to reuse our pre-commit configuration in CI, which includes MegaLinter and a number of other hooks. (Full disclosure: I am the author of this GitHub Action.) This also means that our mistakes are fixed before they are ever committed or pushed, which saves our reviewers time and helps us make better use of
Now that I understand what you are trying to do, I think I get the miscommunication. As you discovered, |
This issue has been automatically marked as stale because it has not had recent activity. If you think this issue should stay open, please remove the |
Thanks @Kurt-von-Laven for the detailed and very instructive reply. |
Those are certainly the most common use cases, yes. There are many other events, so I won't claim there is no value in running MegaLinter on any of the others, but
This can be achieved most easily by opening pull requests directly from the repository itself rather than from a fork. If your repository is public and you desire this feature when opening pull requests from forks, GitHub Actions is intentionally designed to create friction for you here, because this is an inherently an insecure objective. In that case, I recommend you give pre-commit a try instead and abandon this goal. Otherwise, your goal can only be achieved by exposing yourself to abuse, and again, none of this is specific to MegaLinter. If you remain deeply committed to this feature, you would need to investigate other CI services that may have different security models. You can enable workflows from forks of private repositories, but it's likely easier and safer to open pull requests directly from the repository itself in that scenario. See #2392 for additional context. |
This issue has been automatically marked as stale because it has not had recent activity. If you think this issue should stay open, please remove the |
Describe the bug
MegaLinter seems to be getting the list of modified files by diffing the checked out repo against the target branch. This does not work well when the action runs on
pull_request_target
, becausewhich results in getting no modified files to check.
If one sets the checkout action to checkout the HEAD of the PR source branch instead, using
the comparison against the target branch may include also unrelated files from commits present in the target branch but missing in the (not up-to-date) source branch.
This can be avoided by diffing against the most recent ancestor of the source and target branches instead, using
git diff --name-only --merge-base "$BASE_SHA"
where:
is the commit of the target branch.
Expected behavior
Only files modified by the PR should be checked.
The text was updated successfully, but these errors were encountered: