4 files changed
@@ -7,6 +7,9 @@ on: | |||
| 7 | 7 | - synchronize | |
| 8 | 8 | - labeled | |
| 9 | 9 | ||
| 10 | + permissions: | ||
| 11 | + pull-requests: read | ||
| 12 | + | ||
| 10 | 13 | jobs: | |
| 11 | 14 | lint-java: | |
| 12 | 15 | # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes. | |
@@ -23,6 +26,7 @@ jobs: | |||
| 23 | 26 | # code from the PR. | |
| 24 | 27 | ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
| 25 | 28 | submodules: recursive | |
| 29 | + persist-credentials: false | ||
| 26 | 30 | - name: Lint java | |
| 27 | 31 | run: make lint-java | |
| 28 | 32 | ||
@@ -42,6 +46,7 @@ jobs: | |||
| 42 | 46 | # code from the PR. | |
| 43 | 47 | ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
| 44 | 48 | submodules: recursive | |
| 49 | + persist-credentials: false | ||
| 45 | 50 | - name: Set up JDK 11 | |
| 46 | 51 | uses: actions/setup-java@v1 | |
| 47 | 52 | with: | |
@@ -84,6 +89,7 @@ jobs: | |||
| 84 | 89 | - uses: actions/checkout@v4 | |
| 85 | 90 | with: | |
| 86 | 91 | submodules: 'true' | |
| 92 | + persist-credentials: false | ||
| 87 | 93 | - name: Setup Python | |
| 88 | 94 | uses: actions/setup-python@v5 | |
| 89 | 95 | id: setup-python | |
@@ -120,6 +126,7 @@ jobs: | |||
| 120 | 126 | # code from the PR. | |
| 121 | 127 | ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
| 122 | 128 | submodules: recursive | |
| 129 | + persist-credentials: false | ||
| 123 | 130 | - name: Set up JDK 11 | |
| 124 | 131 | uses: actions/setup-java@v1 | |
| 125 | 132 | with: | |
@@ -1,20 +1,16 @@ | |||
| 1 | 1 | name: lint-pr | |
| 2 | 2 | ||
| 3 | 3 | on: | |
| 4 | - pull_request_target: | ||
| 4 | + pull_request: | ||
| 5 | 5 | types: | |
| 6 | 6 | - opened | |
| 7 | 7 | - edited | |
| 8 | 8 | - synchronize | |
| 9 | 9 | ||
| 10 | - permissions: | ||
| 11 | - # read-only perms specified due to use of pull_request_target in lieu of security label check | ||
| 12 | - pull-requests: read | ||
| 13 | - | ||
| 14 | 10 | jobs: | |
| 15 | 11 | validate-title: | |
| 16 | 12 | if: | |
| 17 | - github.repository == 'feast-dev/feast' | ||
| 13 | + github.event.pull_request.base.repo.full_name == 'feast-dev/feast' | ||
| 18 | 14 | name: Validate PR title | |
| 19 | 15 | runs-on: ubuntu-latest | |
| 20 | 16 | steps: | |
@@ -11,6 +11,9 @@ on: | |||
| 11 | 11 | #concurrency: | |
| 12 | 12 | # group: pr-integration-tests-${{ github.event.pull_request.number }} | |
| 13 | 13 | # cancel-in-progress: true | |
| 14 | + permissions: | ||
| 15 | + actions: write | ||
| 16 | + pull-requests: read | ||
| 14 | 17 | ||
| 15 | 18 | jobs: | |
| 16 | 19 | integration-test-python: | |
@@ -46,6 +49,7 @@ jobs: | |||
| 46 | 49 | # code from the PR. | |
| 47 | 50 | ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
| 48 | 51 | submodules: recursive | |
| 52 | + persist-credentials: false | ||
| 49 | 53 | - name: Setup Python | |
| 50 | 54 | uses: actions/setup-python@v5 | |
| 51 | 55 | id: setup-python | |
@@ -2,19 +2,18 @@ name: pr-local-integration-tests | |||
| 2 | 2 | # This runs local tests with containerized stubs of online stores. This is the main dev workflow | |
| 3 | 3 | ||
| 4 | 4 | on: | |
| 5 | - pull_request_target: | ||
| 5 | + pull_request: | ||
| 6 | 6 | types: | |
| 7 | 7 | - opened | |
| 8 | 8 | - synchronize | |
| 9 | 9 | - labeled | |
| 10 | 10 | ||
| 11 | 11 | jobs: | |
| 12 | 12 | integration-test-python-local: | |
| 13 | - # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes. | ||
| 14 | 13 | if: | |
| 15 | 14 | ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) || | |
| 16 | 15 | (github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) && | |
| 17 | - github.repository == 'feast-dev/feast' | ||
| 16 | + github.event.pull_request.base.repo.full_name == 'feast-dev/feast' | ||
| 18 | 17 | runs-on: ${{ matrix.os }} | |
| 19 | 18 | strategy: | |
| 20 | 19 | fail-fast: false | |
@@ -27,10 +26,9 @@ jobs: | |||
| 27 | 26 | steps: | |
| 28 | 27 | - uses: actions/checkout@v4 | |
| 29 | 28 | with: | |
| 30 | - # pull_request_target runs the workflow in the context of the base repo | ||
| 31 | - # as such actions/checkout needs to be explicit configured to retrieve | ||
| 32 | - # code from the PR. | ||
| 33 | - ref: refs/pull/${{ github.event.pull_request.number }}/merge | ||
| 29 | + repository: ${{ github.event.repository.full_name }} # Uses the full repository name | ||
| 30 | + ref: ${{ github.ref }} # Uses the ref from the event | ||
| 31 | + token: ${{ secrets.GITHUB_TOKEN }} # Automatically provided token | ||
| 34 | 32 | submodules: recursive | |
| 35 | 33 | - name: Setup Python | |
| 36 | 34 | uses: actions/setup-python@v5 | |
0 commit comments