Barazo AppView backend barazo.forum

fix(ci): use pull_request_target for Dependabot secret access (#137)

Dependabot PRs don't receive repo secrets under pull_request events,
causing DEPLOY_PAT to be empty. Switch to pull_request_target which
runs in the base branch context with full secret access. Safe because
the workflow only runs for dependabot[bot] and only executes pnpm
install -- no PR-supplied code is run.

authored by Guido X Jansen and committed by GitHub
bf6ea21b 5d386d3d

+7 -2
.github/workflows/fix-lockfile.yml
··· 4 4 # catalog: specifiers to concrete versions in the lockfile, causing 5 5 # a mismatch that fails `pnpm install --frozen-lockfile` in CI. 6 6 # This workflow regenerates the lockfile on Dependabot PRs. 7 + # 8 + # Uses pull_request_target so the workflow has access to repo secrets 9 + # (Dependabot PRs don't get secrets with plain pull_request). 10 + # Safe because: only runs for dependabot[bot], only executes pnpm install 11 + # (no PR-supplied scripts), and only commits pnpm-lock.yaml. 7 12 8 13 on: 9 - pull_request: 14 + pull_request_target: 10 15 paths: 11 16 - 'package.json' 12 17 - 'pnpm-lock.yaml' ··· 25 30 steps: 26 31 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 27 32 with: 28 - ref: ${{ github.head_ref }} 33 + ref: ${{ github.event.pull_request.head.ref }} 29 34 token: ${{ secrets.DEPLOY_PAT }} 30 35 31 36 - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
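Review bot: In the new header comment (first hunk), the safety claim "only executes pnpm install (no PR-supplied scripts)" is stated but nothing in the changed lines enforces it. `pnpm install` runs the lifecycle scripts of the `package.json` it finds in the checked-out tree unless `--ignore-scripts` is passed, and under `pull_request_target` that tree is installed with repo secrets in scope. The install step is outside these lines, so please confirm it uses `--ignore-scripts` and say so in the comment. The same applies to "only runs for dependabot[bot]": the job guard is not visible here, and it is worth stating in the comment which field it tests. Checking the PR author (`github.event.pull_request.user.login`) plus `github.event.pull_request.head.repo.full_name == github.repository` is a stricter condition than checking `github.actor` alone.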
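Review bot: In the checkout step (second hunk), `ref: ${{ github.event.pull_request.head.ref }}` combined with `token: ${{ secrets.DEPLOY_PAT }}` places PR-head content and a PAT in the same job. actions/checkout persists the token for later git commands by default (`persist-credentials`), so it stays available while the install step runs. Since the workflow has to push the regenerated lockfile, consider setting `persist-credentials: false` here and supplying the token only to the step that pushes, or at minimum keep the install step script-free. It is also worth a short comment that `repository:` is deliberately left unset: `head.ref` is a bare branch name, so it resolves in the base repository, and that property is lost if someone later points the checkout at the head repository.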