forked from aws-powertools/powertools-lambda-python
-
Notifications
You must be signed in to change notification settings - Fork 0
43 lines (38 loc) · 1.47 KB
/
on_opened_pr.yml
File metadata and controls
43 lines (38 loc) · 1.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
name: On new PR
# PROCESS
#
# 1. Fetch PR details previously saved from untrusted location
# 2. Parse details for safety
# 3. Confirm there is a related issue for newly opened PR
# 4. Verify if PR template is used and legal acknowledgement hasn't been removed
# USAGE
#
# NOTE: meant to be used with ./.github/workflows/record_pr.yml
#
# Security Note:
#
# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`.
# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN.
# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs.
#
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated,
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions.
on:
workflow_run:
workflows: ["Record PR details"]
types:
- completed
permissions:
contents: read
jobs:
get_pr_details:
permissions:
actions: read # download PR artifact
contents: read # checkout code
if: ${{ github.event.workflow_run.conclusion == 'success' }}
uses: ./.github/workflows/reusable_export_pr_details.yml
with:
record_pr_workflow_id: ${{ github.event.workflow_run.id }}
workflow_origin: ${{ github.event.repository.full_name }}
secrets:
token: ${{ secrets.GITHUB_TOKEN }}