From 3737fc294e8290a80163d298eed89e7675bd3e32 Mon Sep 17 00:00:00 2001
From: Veronika Gnilitska
Date: Tue, 2 Sep 2025 20:07:35 +0300
Subject: [PATCH 1/3] featL support pull_request_target case
---
 action.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/action.yaml b/action.yaml
index f7ddd59..d2dacec 100644
--- a/action.yaml
+++ b/action.yaml
@@ -33,6 +33,10 @@ runs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 token: ${{ inputs.github_token }}
+ # For pull_request_target: checkout the actual PR code, not the base branch
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
+ # Support forks by using the head repository when available
+ repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
 - name: Aqua Cache
 uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
From 45ff4bbc5fe37db4bdd19ba82e11ec997af8202a Mon Sep 17 00:00:00 2001
From: Veronika Gnilitska
Date: Tue, 2 Sep 2025 20:08:20 +0300
Subject: [PATCH 2/3] chore: reusable trunk-upgrade
---
 .github/workflows/trunk-upgrade.yaml | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml
index 3ba9de2..0c52f50 100644
--- a/.github/workflows/trunk-upgrade.yaml
+++ b/.github/workflows/trunk-upgrade.yaml
@@ -19,16 +19,10 @@ jobs:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: Create Token for MasterpointBot App
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
- id: generate-token
+ - name: Run Trunk Upgrade
+ uses: masterpointio/github-action-trunk-upgrade@fix/admin-permissions
 with:
- app_id: ${{ secrets.MP_BOT_APP_ID }}
- private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
-
- - name: Upgrade
- uses: trunk-io/trunk-action/upgrade@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
- with:
- github-token: ${{ steps.generate-token.outputs.token }}
- reviewers: "@masterpointio/masterpoint-internal"
- prefix: "chore: "
+ app-id: ${{ secrets.MP_BOT_APP_ID }}
+ app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+ github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
+ reviewers: "@masterpointio/masterpoint-open-source"
From 240cb37cb645b2aa7d3b04ebe63a05550eaac3f3 Mon Sep 17 00:00:00 2001
From: Veronika Gnilitska
Date: Wed, 3 Sep 2025 18:08:39 +0300
Subject: [PATCH 3/3] chore: CR feedback
---
 action.yaml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/action.yaml b/action.yaml
index d2dacec..97b2512 100644
--- a/action.yaml
+++ b/action.yaml
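Review bot: The new `uses: masterpointio/github-action-trunk-upgrade@fix/admin-permissions` pins the step to a mutable branch, while every other action on this page is pinned to a full commit SHA with a version comment (e.g. `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`), so whatever lands on that branch later runs here with the App private key and PAT passed below it. If this is dogfooding the branch under review that is fine for the PR, but before merge it should become `uses: masterpointio/github-action-trunk-upgrade@<full-commit-sha> # <version>` (placeholders). The step now hands over three secrets where the removed steps needed two: `app-id`/`app-private-key` presumably mint a short-lived installation token as tibdex/github-app-token did, yet `github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}` adds a long-lived personal token on top; a comment above `github-token:` naming the operation the App token cannot perform would justify keeping both, otherwise one of them is redundant credential exposure. `prefix: "chore: "` was dropped without a replacement input; presumably the reusable action defaults it, but that is not visible here.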
@@ -33,10 +33,15 @@ runs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 token: ${{ inputs.github_token }}
- # For pull_request_target: checkout the actual PR code, not the base branch
- ref: ${{ github.event.pull_request.head.sha || github.sha }}
- # Support forks by using the head repository when available
- repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+ # In pull_request_target, use the base repo's synthetic merge ref to avoid cross-repo clones
+ # and to prevent running fork code with elevated credentials. Otherwise, fall back to sha.
+ ref: ${{ (github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number)) || github.event.pull_request.head.sha || github.sha }}
+ # Always clone from the base repository to avoid permission issues with forks
+ repository: ${{ github.repository }}
+ # Do not persist credentials into the repo's local config (reduces risk of token exfiltration)
+ persist-credentials: false
+ # Faster, smaller checkout
+ fetch-depth: 1
 - name: Aqua Cache
 uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
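Review bot: The comment above the new `ref:` line overstates what the merge ref buys: `refs/pull/N/merge` is the PR head merged into the base branch, so the checked-out tree still contains every change from the fork, and any later step that reads configuration from that tree (the Aqua Cache step that follows suggests tool config is read from it) still runs PR-controlled content with `inputs.github_token` in scope. Only the cross-repo clone is avoided, so I would reword the second comment line to `# and keep the clone in the base repo. The tree still contains the PR's changes, so later steps must treat it as untrusted.` GitHub computes that merge ref asynchronously and does not provide it for a conflicting PR, so a stale or failed checkout is possible, and the `|| github.event.pull_request.head.sha` fallback does not cover it because the `format(...)` branch is always non-empty for that event. `fetch-depth: 1` is actions/checkout's default, so that line and its comment are redundant. `persist-credentials: false` is the right call, but any later step of this composite action that pushes (the rest of `runs:` is outside the hunk) now has to receive the token explicitly.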