microsoft · aholstrup1 · Aug 7, 2023 · Aug 1, 2023 · Aug 1, 2023 · Aug 1, 2023
@@ -220,16 +220,30 @@
                         }
                     }
 
-                    # The PullRequestHandler workflow can have a RepoSetting called CICDPullRequestBranches, which will be used to set the branches for the workflow
                     if ($baseName -eq "PullRequestHandler") {
+                        # The PullRequestHandler workflow can have a RepoSetting called SecretlessPRBuild which will run PR Builds from forks in secretless environments 
+                        $triggerSection = $yaml.Get('on:/')
+                        if (($repoSettings.Keys -contains 'SecretlessPRBuild') -and ($repoSettings.SecretlessPRBuild)) {
+                            # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
+                            $prTrigger = "pull_request"
+                            $triggerSection.ReplaceAll("pull_request_target:", "$($prTrigger):")
+                        } else {
+                            # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+                            $prTrigger = "pull_request_target"
+                            $triggerSection.ReplaceAll("pull_request:", "$($prTrigger):")
+                        }
+                        $yaml.Replace('on:/', $triggerSection.Content)
+
+                        # The PullRequestHandler workflow can have a RepoSetting called CICDPullRequestBranches, which will be used to set the branches for the workflow
                         if ($repoSettings.Keys -contains 'CICDPullRequestBranches') {
                             $CICDPullRequestBranches = $repoSettings.CICDPullRequestBranches
                         }
                         else {
                             $CICDPullRequestBranches = $defaultCICDPullRequestBranches
                         }
+
                         # update the branches: line with the new branches
-                        $yaml.Replace('on:/pull_request_target:/branches:', "branches: [ '$($cicdPullRequestBranches -join "', '")' ]")
+                        $yaml.Replace("on:/$($prTrigger):/branches:", "branches: [ '$($CICDPullRequestBranches -join "', '")' ]")
                     }
 
                     # Repo Setting runs-on and shell determines which GitHub runner is used for all non-build jobs (build jobs are run using the GitHubRunner/GitHubRunnerShell repo settings)

@@ -25,6 +25,7 @@ Now, you can set the checkbox called Use GhTokenWorkflow to allowing you to use
 
 ### New Settings
 - `keyVaultCodesignCertificateName`:  With this setting you can delegate the codesigning to an Azure Key Vault. This can be useful if your certificate has to be stored in a Hardware Security Module
+- `SecretlessPRBuild`:  With this setting you can ensure that PR Builds triggered by forked repositories don't have access to secrets
 
 ### New Actions
 - `DownloadProjectDependencies`: Downloads the dependency apps for a given project and build mode.

@@ -56,6 +56,7 @@ The repository settings are only read from the repository settings file (.github
 | <a id="CICDSchedule"></a>CICDSchedule | CRON schedule for when CI/CD workflow should run. Default is no scheduled run, only manually triggered or triggered by Push or Pull Request. Build your CRON string here: [https://crontab.guru](https://crontab.guru) |
 | <a id="UpdateGitHubGoSystemFilesSchedule"></a>UpdateGitHubGoSystemFilesSchedule | CRON schedule for when Update AL-Go System Files should run. When Update AL-Go System Files runs on a schedule, it uses direct COMMIT instead of creating a PR. Default is no scheduled run, only manual trigger. Build your CRON string here: [https://crontab.guru](https://crontab.guru) |
 | <a id="buildModes"></a>buildModes | A list of build modes to use when building the AL-Go projects. Every AL-Go projects will be built using each built mode. Available build modes are:<br /> **Default**: Apps are compiled as they are in the source code.<br />**Clean**: _PreprocessorSymbols_ are enabled when compiling the apps. The values for the symbols correspond to the `cleanModePreprocessorSymbols` setting of the AL-Go project.<br />**Translated**: `TranslationFile` compiler feature is enabled when compiling the apps. |
+| <a id="SecretlessPRBuild"></a>SecretlessPRBuild | Set to true if PR Builds should be triggered by the [pull_request](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request) event. When set to true, workflows triggered from forked repositories will not be able to access secrets with the exception of GITHUB_TOKEN |
 
 ## Advanced settings
 

@@ -26,7 +26,7 @@ env:
 
 jobs:
   PregateCheck:
-    if: github.event.pull_request.base.repo.full_name != github.event.pull_request.head.repo.full_name
+    if: (github.event.pull_request.base.repo.full_name != github.event.pull_request.head.repo.full_name) && (github.event_name != 'pull_request')
     runs-on: [ windows-latest ]
     steps:
       - uses: actions/checkout@v3

@@ -85,6 +85,7 @@ jobs:
             project: ${{ inputs.project }}
 
         - name: Read secrets
+          if: github.event_name != 'pull_request'
           uses: microsoft/AL-Go-Actions/ReadSecrets@main
           env:
             secrets: ${{ toJson(secrets) }}
@@ -102,7 +103,6 @@ jobs:
             parentTelemetryScopeJson: ${{ inputs.parentTelemetryScopeJson }}
             project: ${{ inputs.project }}
             settingsJson: ${{ env.Settings }}
-            secretsJson: ${{ env.RepoSecrets }}
 
         - name: Cache Business Central Artifacts
           if: env.useCompilerFolder == 'True' && inputs.useArtifactCache && steps.determineArtifactUrl.outputs.ArtifactCacheKey

@@ -26,7 +26,7 @@ env:
 
 jobs:
   PregateCheck:
-    if: github.event.pull_request.base.repo.full_name != github.event.pull_request.head.repo.full_name
+    if: (github.event.pull_request.base.repo.full_name != github.event.pull_request.head.repo.full_name) && (github.event_name != 'pull_request')
     runs-on: [ windows-latest ]
     steps:
       - uses: actions/checkout@v3

@@ -85,6 +85,7 @@ jobs:
             project: ${{ inputs.project }}
 
         - name: Read secrets
+          if: github.event_name != 'pull_request'
           uses: microsoft/AL-Go-Actions/ReadSecrets@main
           env:
             secrets: ${{ toJson(secrets) }}
@@ -102,7 +103,6 @@ jobs:
             parentTelemetryScopeJson: ${{ inputs.parentTelemetryScopeJson }}
             project: ${{ inputs.project }}
             settingsJson: ${{ env.Settings }}
-            secretsJson: ${{ env.RepoSecrets }}
 
         - name: Cache Business Central Artifacts
           if: env.useCompilerFolder == 'True' && inputs.useArtifactCache && steps.determineArtifactUrl.outputs.ArtifactCacheKey