Trying out pull_request_target in GitHub Actions
GitHub Actions (gh-actions) can be triggered on pull_request, but there was a problem with the access rights of the GITHUB_TOKEN and the secret environment variables used there. For example, when someone sent a pull request, the gh-actions workflow run on pull_request could not use GITHUB_TOKEN and could not read secret environment variables either.
However, the newly added pull_request_target event may be able to solve this problem.
GitHub Actions has always been about more than just continuous integration. Our goal is to enable repository maintainers to automate a variety of workflows and reduce manual effort. In order to protect public repositories from malicious users we run all pull request workflows raised from repository forks with a read-only token and no access to secrets. This makes common workflows like labeling or commenting on pull requests very difficult.
In order to solve this, we’ve added a new pull_request_target event, which behaves in an almost identical way to the pull_request event with the same set of filters and payload. However, instead of running against the workflow and code from the merge commit, the event runs against the workflow and code from the base of the pull request. This means the workflow is running from a trusted source and is given access to a read/write token as well as secrets enabling the maintainer to safely comment on or label a pull request. This event can be used in combination with the private repository settings as well.
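As an added example (not from the original post or from GitHub's announcement), here is a workflow that uses pull_request_target to label pull requests that arrive from forks with the read/write GITHUB_TOKEN. The label names and the labeling rule are assumptions; the important property is that it runs the workflow from the base branch and never checks out or executes code from the pull request head.

```yaml
# Added example workflow (not the original post's code). Label names are assumed.
name: label-pr
on:
  pull_request_target:
    types: [opened, synchronize]

permissions:
  pull-requests: write   # grant only what the labeling step needs

jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # The workflow file comes from the base of the pull request, so the token
      # has write access here. Deliberately no actions/checkout of the PR head:
      # code from the fork must not be executed in this trusted context.
      - uses: actions/github-script@v6
        with:
          script: |
            const pr = context.payload.pull_request;
            // Assumed rule: mark PRs coming from a fork, others as internal.
            const labels = pr.head.repo.fork ? ['from-fork'] : ['internal'];
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              labels,
            });
```

With a plain pull_request trigger the same step would fail on a fork PR, because the token is read-only and addLabels needs write access.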