mirror of
https://github.com/emilk/egui.git
synced 2026-06-27 07:03:14 -04:00
c09a8723b4
Before, a crafted branch name could be used to exfiltrate the github
token and wreak havoc 😅
42 lines
1.6 KiB
YAML
42 lines
1.6 KiB
YAML
name: PR Branch Name Check
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [opened, reopened, synchronize]
|
|
|
|
permissions:
|
|
issues: write
|
|
|
|
jobs:
|
|
check-source-branch:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
steps:
|
|
- name: Check PR source branch
|
|
env:
|
|
IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
|
|
HEAD_REF: ${{ github.event.pull_request.head.ref }}
|
|
run: |
|
|
# Check if PR is from a fork
|
|
if [[ "$IS_FORK" == "true" ]]; then
|
|
# Check if PR is from the master/main branch of a fork
|
|
if [[ "$HEAD_REF" == "master" || "$HEAD_REF" == "main" ]]; then
|
|
echo "ERROR: Pull requests from the master/main branch of forks are not allowed, because it prevents maintainers from contributing to your PR"
|
|
echo "Please create a feature branch in your fork and submit the PR from that branch instead."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
- name: Leave comment if PR is from master/main branch of fork d
|
|
if: ${{ failure() }}
|
|
uses: actions/github-script@v6
|
|
with:
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
script: |
|
|
github.rest.issues.createComment({
|
|
issue_number: context.issue.number,
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
body: '⚠️ **ERROR:** Pull requests from the `master`/`main` branch of forks are not allowed, because it prevents maintainers from contributing to your PR. Please create a feature branch in your fork and submit the PR from that branch instead.'
|
|
})
|