github/codeql-action
0
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2026-05-04 12:50:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Change the update-dependencies workflow

Browse Source 
Add more security. Don't run the workflow if the actor is incorrect,
or there is a fork involved. And then only run the update dependencies
after a manual approval.
This commit is contained in:
Andrew Eisenberg
2021-10-21 15:41:25 -07:00
parent bee5aac8d7
commit 43d3eddc73
1 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/update-dependencies.yml
+18 -1
View File
@@ -4,10 +4,27 @@ on:
types: [opened, synchronize, reopened, ready_for_review, labeled]
jobs:
check:
name: Check for relevance
runs-on: ubuntu-latest
if: |
contains(github.event.pull_request.labels.*.name, 'Update dependencies') &&
(github.actor == 'dependabot[bot]' || github.actor == 'github-actions[bot]') &&
github.repository == 'github/codeql-action' &&
github.head.repo.full_name == 'github/codeql-action' &&
github.base.repo.full_name == 'github/codeql-action'
env:
ACTOR: '${{ github.actor }}'
steps:
- name: Check Actor
run: echo "This PR should run the Update Dependencies workflow because the actor is $ACTOR, there is no fork involved, and the 'Update dependencies' label exists."
update:
needs: check
environment: Update dependencies
name: Update dependencies
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies')
steps:
- name: Checkout repository
uses: actions/checkout@v2