Fix permissions for the dependabot contraintlayout check #14570
Conversation
malinajirka
added
the
category: tooling
📲 You can test the changes from this Pull Request in WooCommerce-Wear Android by scanning the QR code below to install the corresponding build.
|
|
📲 You can test the changes from this Pull Request in WooCommerce Android by scanning the QR code below to install the corresponding build.
|
There was a problem hiding this comment.
Pull Request Overview
This PR fixes permissions for a GitHub Actions workflow that posts warning comments on Dependabot constraint-layout updates. The workflow was failing due to insufficient permissions when attempting to write comments on pull requests.
- Changed trigger from
pull_requesttopull_request_targetto enable write access - Added explicit
pull-requests: writepermission to allow comment posting
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
|
||
| on: | ||
| pull_request: | ||
| pull_request_target: |
There was a problem hiding this comment.
Using pull_request_target with Dependabot creates a security risk as it runs with write permissions in the context of the target repository. Consider adding explicit checks to verify the PR author is dependabot[bot] before any sensitive operations, or explore using pull_request with a GitHub token that has appropriate permissions.
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
Maybe this is indeed it @malinajirka and we could use something like @wzieba did here: #14556
- Adding the permission at the top level instead:
permissions:
pull-requests: write- Using the
GH_TOKENenvironmental variable:
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}- And running the step with
- name: Xyz
...
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"Then keep pull_request as is for now, then test it, wdyt? 🤔
3 participants
This PR is an attempt at fixing the github action that drops a warning comment on dependabot contraint-layout updates. Since there is no way how to verify it works, I believe we just need to merge it and then test it on #14400.