diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eb61745258..61e006512c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,7 @@ on:
 workflow_dispatch:
 merge_group:
 pull_request_target:
+ types: [opened, synchronize]
 branches:
 - main
 - release/v4
@@ -13,7 +14,7 @@ concurrency:
 cancel-in-progress: true
 jobs:
- # Check triggering actor permissions to prevent PRs from forks accessing secrets by default, preventing them from exfiltrating secrets for malicious purposes
+ # We must first check whether it is a external contribution, before processing to checkout the code and running jobs with access to secrets
 check-permissions:
 runs-on: 'blacksmith-8vcpu-ubuntu-2204'
 steps:
@@ -34,7 +35,7 @@ jobs:
 exit 1
 formatting-linting:
- needs: [check-approval]
+ needs: [check-permissions]
 name: Formatting, linting & changeset checks
 runs-on: 'blacksmith-8vcpu-ubuntu-2204'
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -48,6 +49,7 @@ jobs:
 with:
 fetch-depth: 0
 show-progress: false
+ ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup
 id: config
@@ -101,7 +103,7 @@ jobs:
 retention-days: 5
 unit-tests:
- needs: [check-approval]
+ needs: [check-permissions]
 name: Unit Tests
 runs-on: 'blacksmith-8vcpu-ubuntu-2204'
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -119,6 +121,7 @@ jobs:
 with:
 fetch-depth: 0
 show-progress: false
+ ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup
 id: config
@@ -153,7 +156,7 @@ jobs:
 retention-days: 5
 integration-tests:
- needs: [check-approval]
+ needs: [check-permissions]
 name: Integration Tests
 runs-on: 'blacksmith-8vcpu-ubuntu-2204'
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
@@ -180,6 +183,7 @@ jobs:
 with:
 fetch-depth: 0
 show-progress: false
+ ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup
 id: config
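Review bot: `types: [opened, synchronize]` drops `reopened` from the `pull_request_target` defaults, so a closed-and-reopened PR gets no CI until its author pushes again; if that is intentional it deserves a comment next to the key, e.g. `# Privileged trigger (runs with base-repo secrets): only on events that change the code under test`. Keeping `synchronize` means every push to the fork branch re-runs the privileged workflow, so the actor check downstream has to be evaluated on every run rather than once per PR; from this hunk alone I cannot tell whether it is.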
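Review bot: The new comment describes the intent but not the contract the dependent jobs rely on: with `needs: [check-permissions]` a job is blocked only if check-permissions fails, so a run that succeeds, or merely sets an output nobody reads, lets `formatting-linting`, `unit-tests` and `integration-tests` check out and execute PR-head code with the base repository's secrets. The `exit 1` visible at the top of the next hunk suggests the job does fail for untrusted actors, but its steps are outside this hunk. I would replace the comment with `# Trust gate for pull_request_target: this job MUST fail for untrusted actors, because every job below gates on it via needs: and then checks out and runs PR-head code with base-repo secrets.`, which also fixes "a external" → "an external" and "processing to checkout" → "proceeding to check out".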
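Review bot: The added `ref: ${{ github.event.pull_request.head.sha }}` checks out fork-controlled code into a `pull_request_target` job that, judging by the `Setup` step that follows, goes on to run that code with the base repository's secrets, so the checkout itself should not leave extra credentials behind for it. actions/checkout persists the job's `GITHUB_TOKEN` in `.git/config` by default, where any script the PR controls (install hooks, lint or test config) can read it; add `persist-credentials: false` directly under `ref:` unless a later step in the job needs to push. Using `head.sha` rather than `head.ref` is the right choice, since it pins the exact commit the trust check saw instead of a branch the fork can move after the check. On `merge_group` and `workflow_dispatch` the expression is empty and actions/checkout falls back to the event ref, which is worth a one-line comment such as `# empty (→ event ref) outside pull_request_target`. The same points apply to the identical checkout hunks in `unit-tests` and `integration-tests`; the job-level `permissions:` for these jobs is not in view and is worth confirming is read-only.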