ci: use pull_request_target

- https://zenn.dev/shunsuke_suzuki/articles/secure-github-actions-by-pull-request-target - https://dev.to/suzukishunsuke/secure-github-actions-by-pullrequesttarget-641
suzuki-shunsuke · Nov 11, 2023 · 0578b7f · 0578b7f
1 parent 59074f1
commit 0578b7f
Show file tree

Hide file tree

Showing 8 changed files with 72 additions and 8 deletions.
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -13,8 +13,8 @@ jobs:
       pull-requests: write
       contents: read
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: aquaproj/aqua-installer@d9c4b5d107a17831a8c8718efa4ce67a0923d1f5 # v2.1.3
-      with:
-        aqua_version: v2.16.4
-    - uses: suzuki-shunsuke/github-action-actionlint@60449a33b52da4f92a069b8af50d04515d6177bf # v0.1.3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: aquaproj/aqua-installer@d9c4b5d107a17831a8c8718efa4ce67a0923d1f5 # v2.1.3
+        with:
+          aqua_version: v2.16.4
+      - uses: suzuki-shunsuke/github-action-actionlint@60449a33b52da4f92a069b8af50d04515d6177bf # v0.1.3
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -1,6 +1,6 @@
 ---
 name: test
-on: pull_request
+on: pull_request_target
 
 concurrency:
   group: ${{ github.workflow }}--${{ github.ref }}
@@ -10,6 +10,8 @@ jobs:
   path-filter:
     # Get changed files to filter jobs
     outputs:
+      merge_commit_sha: ${{steps.pr.outputs.merge_commit_sha}}
+
       update-aqua-checksums: ${{steps.changes.outputs.update-aqua-checksums}}
       renovate-config-validator: ${{steps.changes.outputs.renovate-config-validator}}
       conftest-verify: ${{steps.changes.outputs.conftest-verify}}
@@ -18,6 +20,8 @@ jobs:
     permissions:
       pull-requests: read # To get pull requests of the private repository
     steps:
+      - uses: suzuki-shunsuke/get-pr-action@b002e41164d7a39586b41f17f9caca4e98a1efe4 # v0.1.0
+        id: pr
       - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
         id: changes
         with:
@@ -74,10 +78,13 @@ jobs:
   test:
     uses: ./.github/workflows/wc-test.yaml
     if: 'false' # CHANGEME Please remove this.
+    needs: path-filter
     permissions:
       id-token: write
       contents: read
       pull-requests: write
+    with:
+      ref: ${{needs.path-filter.outputs.merge_commit_sha}}
     secrets:
       gh_app_id: ${{secrets.APP_ID}}
       gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
@@ -92,6 +99,8 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+    with:
+      ref: ${{needs.path-filter.outputs.merge_commit_sha}}
     secrets:
       gh_app_id: ${{secrets.APP_ID}}
       gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
@@ -104,15 +113,20 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+    with:
+      ref: ${{needs.path-filter.outputs.merge_commit_sha}}
     secrets:
       gh_app_id: ${{secrets.APP_ID}}
       gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
 
   hide-comment:
     uses: ./.github/workflows/wc-hide-comment.yaml
+    needs: path-filter
     permissions:
       contents: read
       pull-requests: write
+    with:
+      ref: ${{needs.path-filter.outputs.merge_commit_sha}}
     secrets:
       gh_app_id: ${{secrets.APP_ID}}
       gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
@@ -121,6 +135,8 @@ jobs:
     uses: ./.github/workflows/wc-renovate-config-validator.yaml
     needs: path-filter
     if: needs.path-filter.outputs.renovate-config-validator == 'true'
+    with:
+      ref: ${{needs.path-filter.outputs.merge_commit_sha}}
     permissions:
       contents: read
 
@@ -130,6 +146,8 @@ jobs:
     if: needs.path-filter.outputs.update-aqua-checksums == 'true'
     permissions:
       contents: read
+    with:
+      ref: ${{needs.path-filter.outputs.merge_commit_sha}}
     secrets:
       gh_app_id: ${{secrets.APP_ID}}
       gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
diff --git a/.github/workflows/wc-conftest-verify.yaml b/.github/workflows/wc-conftest-verify.yaml
@@ -2,13 +2,19 @@
 name: conftest-verify
 on:
   workflow_call:
+    inputs:
+      ref:
+        required: false
+        type: string
     secrets:
       gh_token:
         required: false
       gh_app_id:
         required: false
       gh_app_private_key:
         required: false
+env:
+  GH_COMMENT_SHA1: ${{inputs.ref}}
 jobs:
   conftest-verify:
     runs-on: ubuntu-latest
@@ -17,6 +23,8 @@ jobs:
       pull-requests: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{inputs.ref}}
       - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
         id: token
         with:

diff --git a/.github/workflows/wc-hide-comment.yaml b/.github/workflows/wc-hide-comment.yaml
@@ -2,6 +2,10 @@
 name: Hide comments
 on:
   workflow_call:
+    inputs:
+      ref:
+        required: false
+        type: string
     secrets:
       gh_token:
         required: false
@@ -12,11 +16,15 @@ on:
 permissions:
   contents: read
   pull-requests: write
+env:
+  GH_COMMENT_SHA1: ${{inputs.ref}}
 jobs:
   hide-comment:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{inputs.ref}}
       - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
         id: token
         with:

diff --git a/.github/workflows/wc-opa-fmt.yaml b/.github/workflows/wc-opa-fmt.yaml
@@ -2,6 +2,10 @@
 name: opa-fmt
 on:
   workflow_call:
+    inputs:
+      ref:
+        required: false
+        type: string
     secrets:
       gh_token:
         required: false
@@ -17,6 +21,8 @@ jobs:
       pull-requests: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{inputs.ref}}
       - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
         id: token
         with:

diff --git a/.github/workflows/wc-renovate-config-validator.yaml b/.github/workflows/wc-renovate-config-validator.yaml
@@ -1,9 +1,16 @@
 ---
 name: renovate-config-validator
-on: workflow_call
+on:
+  workflow_call:
+    inputs:
+      ref:
+        required: false
+        type: string
 jobs:
   renovate-config-validator:
     # Validate Renovate Configuration by renovate-config-validator.
-    uses: suzuki-shunsuke/renovate-config-validator-workflow/.github/workflows/validate.yaml@35f1c78014c423fd37eb792c73f11ec0898098f4 # v0.2.2
+    uses: suzuki-shunsuke/renovate-config-validator-workflow/.github/workflows/validate.yaml@4a378742d05b4e67aae34039d7c779ac913cd79d # v0.2.3
+    with:
+      ref: ${{inputs.ref}}
     permissions:
       contents: read
diff --git a/.github/workflows/wc-test.yaml b/.github/workflows/wc-test.yaml
@@ -2,6 +2,10 @@
 name: test
 on:
   workflow_call:
+    inputs:
+      ref:
+        required: false
+        type: string
     secrets:
       gh_token:
         required: false
@@ -16,6 +20,8 @@ on:
 
 env:
   TFACTION_IS_APPLY: 'false'
+  GH_COMMENT_SHA1: ${{inputs.ref}}
+  TFCMT_SHA: ${{inputs.ref}}
 
 permissions:
   id-token: write
@@ -30,6 +36,8 @@ jobs:
       modules: ${{ steps.list-targets.outputs.modules }}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{inputs.ref}}
       - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
         id: token
         with:
@@ -60,6 +68,8 @@ jobs:
         target: ${{fromJSON(needs.setup.outputs.modules)}}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{inputs.ref}}
       - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
         id: token
         with:
@@ -95,6 +105,8 @@ jobs:
       TFACTION_JOB_TYPE: ${{matrix.target.job_type}}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{inputs.ref}}
       - uses: suzuki-shunsuke/github-token-action@04d633c696e9d09e958c8b815c75db9606d6d927 # v0.2.0
         id: token
         with:

diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml
@@ -2,6 +2,10 @@
 name: update-aqua-checksums
 on:
   workflow_call:
+    inputs:
+      ref:
+        required: false
+        type: string
     secrets:
       gh_token:
         required: false
@@ -18,6 +22,7 @@ jobs:
     with:
       aqua_version: v2.16.4
       prune: true
+      ref: ${{inputs.ref}}
     secrets:
       gh_token: ${{secrets.gh_token}}
       gh_app_id: ${{secrets.gh_app_id}}