[PR #1316] fix: permissions of validate pipelines #2946

Open
opened 2025-11-20 05:32:40 -05:00 by saavagebueno · 0 comments
Owner

Original Pull Request: https://github.com/community-scripts/ProxmoxVE/pull/1316

State: closed
Merged: Yes


✍️ Description

This pull request includes several updates to GitHub Actions workflows to improve the validation processes for filenames, formatting, and scripts. The most important changes include switching the event type from pull_request to pull_request_target and adding steps to fetch pull request information.

Updates to event triggers and job steps:

  • .github/workflows/validate-filenames.yml: Changed the event type from pull_request to pull_request_target and added steps to fetch pull request information using actions/github-script@v7 and ensure accurate diffing by checking out the code with the merge commit SHA.
  • .github/workflows/validate-formatting.yaml: Changed the event type from pull_request to pull_request_target and added steps to fetch pull request information using actions/github-script@v7 and ensure accurate diffing by checking out the code with the merge commit SHA. [1] [2]
  • .github/workflows/validate-scripts.yml: Changed the event type from pull_request to pull_request_target and added steps to fetch pull request information using actions/github-script@v7 and ensure accurate diffing by checking out the code with the merge commit SHA. [1] [2]

The pull_request_target event in GitHub Actions triggers workflows in the context of the base branch (the branch into which the pull request is being merged) with secrets, rather than in the context of the pull request itself without secrets. In these workflows we do, however, check out the code from the pull request, but not to execute or build anything from it, only to do the analysis. It is thus very important that these workflows never include running any scripts from the repository, since those would have access to any secrets.

Because of the nature of these workflows (they do not run when changed in a PR) I am not really able to test the functionality however.


Please remove unneeded lines!

  • Related Issue: # (issue number, if applicable)
  • Related PR: # (if applicable)
  • Related Discussion: (if applicable)

🛠️ Type of Change

Please check the relevant options:

  • Bug fix (non-breaking change that resolves an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change unexpectedly)
  • New script (a fully functional and thoroughly tested script or set of scripts)

Prerequisites

The following steps must be completed for the pull request to be considered:

  • Self-review performed (I have reviewed my code to ensure it follows established patterns and conventions.)
  • Testing performed (I have thoroughly tested my changes and verified expected functionality.)
  • Documentation updated (I have updated any relevant documentation)

📋 Additional Information (optional)

Provide any extra context or screenshots about the feature or fix here.
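Added example (not the PR's own workflow file) of the pattern the description outlines: a pull_request_target workflow that fetches the PR's merge commit SHA with actions/github-script@v7, checks that commit out for read-only analysis, and never executes anything from the checked-out tree. The explicit permissions block, the null check on merge_commit_sha and passing SHAs through env are my assumptions, not taken from the PR.

```yaml
name: Validate filenames

# Runs in the base-branch context with secrets, so nothing from the PR tree
# may ever be executed here: read files, diff them, report. That is all.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Assumed least-privilege token scopes (not stated in the PR description).
permissions:
  contents: read
  pull-requests: read

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch pull request information
        id: pr
        uses: actions/github-script@v7
        with:
          script: |
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number,
            });
            // merge_commit_sha is null until GitHub has computed mergeability;
            // fail closed rather than silently diffing the wrong commit.
            if (!pr.merge_commit_sha) {
              core.setFailed("merge commit not available yet; re-run later");
              return;
            }
            core.setOutput("merge_sha", pr.merge_commit_sha);
            core.setOutput("base_sha", pr.base.sha);

      - name: Check out the merge commit (read-only analysis)
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.pr.outputs.merge_sha }}
          fetch-depth: 0

      - name: Diff changed files against the base branch
        env:
          BASE_SHA: ${{ steps.pr.outputs.base_sha }}
        run: |
          # Only git reads the tree; no script from the checkout is invoked.
          git diff --name-only "$BASE_SHA" HEAD
```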

saavagebueno added the pull-request label 2025-11-20 05:32:40 -05:00
Reference: SVI/ProxmoxVE#2946