ci(repo): Use pull_request_target event by triggering actor permissions

[LauraBeatris]

Description

#4702 needs to be merged first

This PR ensures that when a new untrusted PR is submitted, it verifies the triggering actor permissions, to proceed with the next steps that rely on repository secrets.

Context

Currently, CI steps that rely on secrets get skipped once it detects that it's an external fork. It's also using pull_request event which doesn't provide access to secrets. This is bringing a ton of friction to merge external contributions.

Security considerations with pull_request_target

Any automated processing of PRs from an external fork is potentially dangerous and such PRs should be treated like untrusted input. Malicious changes could be such as:

• make or powershell files or redefine the build script in the package.json file
• npm packages may have custom preinstall and postinstall scripts, so running npm install would already trigger any malicious code if the attackers added a new package reference

With the pull_request event, as per the documentation, with the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

On the other hand, workflows triggered via pull_request_targe have write permission to the target repository. They also have access to target repository secrets.

pull_request_target + checking trigger actor permissions

GitHub Actions provides a triggering actor field that lets you know who ran (or re-ran) a workflow. This allows maintainers to check the changes manually, and proceed by re-running the jobs.

The workflow is:

1. Check permissions
2. Checkout code
3. Run CI with secrets

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

[changeset-bot]

🦋 Changeset detected

Latest commit: ceb4277

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Dec 10, 2024 7:26pm

[LauraBeatris]

This wasn't being used at all, it was introduced in a previous PR with the attempt to continue using pull_request event with workflow_run