Changing workflow triggered by pull_request_target

I have a workflow (https://github.com/bfjelds/changing-workflow-triggered-by-pull_request_target/blob/main/.github/workflows/foo.yaml) that has a pull_request_target trigger in it. Generally this works: a fork PR triggers the workflow, and access to secrets works (yay!).

However, if the fork PR contains changes to the workflow, the workflow changes never execute.

For example, if the original workflow was:

name: Foo
on:
  pull_request_target:
jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the merged commit from PR and base branch
        uses: actions/checkout@v2
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/head
      - name: foo
        run: echo "do stuff involving [${{ secrets.Foo }}]"

Once this is in our main/master, this all seems to work with both our internal PRs and fork PRs (https://github.com/bfjelds/changing-workflow-triggered-by-pull_request_target/runs/1303290076?check_suite_focus=true) … they all execute and have access to secrets.

However, if I make a change to the workflow and create a fork PR (https://github.com/bfjelds/changing-workflow-triggered-by-pull_request_target/pull/2):

name: Foo
on:
  pull_request_target:
jobs:
  foo:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the merged commit from PR and base branch
        uses: actions/checkout@v2
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/head

      - name: foochanged
        run: echo "do stuff involving [${{ secrets.Foo }}]"

The workflow invoked by the fork PR never executes the foochanged step (which was a part of the PR change), only the foo step: https://github.com/bfjelds/changing-workflow-triggered-by-pull_request_target/runs/1303310023?check_suite_focus=true

This seems to make it impossible to actually test a workflow change without merging it.

Any suggestions?

This is by design so that a malicious PR can’t do something bad with your secrets.

@bfjelds,

Here is a ticket for a similar topic:

As I mentioned in that ticket, you need to update the pull request branch to make it up-to-date with the base branch (target branch) of the PR.

Thanks!

I ended up creating triggers for pull_request (gated on !github.event.pull_request.head.repo.fork) and pull_request_target (gated on github.event.pull_request.head.repo.fork). In essence, to create a PR that tests a change to a workflow, the PR must be from a branch.
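The dual-trigger arrangement described in the last comment, written out as a complete workflow file. This is an added example, not the poster's actual foo.yaml: the job-level `if` condition, the step comments and the step names are my own; the trigger names, the `github.event.pull_request.head.repo.fork` gate and the `secrets.Foo` placeholder come from the thread. Both events fire for every PR when both triggers are declared, so the `if` keeps each PR on exactly one path: same-repository branch PRs run under pull_request (workflow file taken from the PR commit, so workflow edits are exercised before merge), fork PRs run under pull_request_target (workflow file taken from the base branch, secrets available).

```yaml
name: Foo
on:
  # Same-repo branch PRs: workflow file is read from the PR's own commit,
  # so a change to this file is tested before it is merged.
  pull_request:
  # Fork PRs: workflow file is read from the base branch (the behaviour
  # the thread describes), and secrets are available.
  pull_request_target:

jobs:
  foo:
    # Route each PR to exactly one of the two events (assumed condition, not from the thread):
    # - pull_request        only for PRs from branches of this repository
    # - pull_request_target only for PRs from forks
    if: >-
      (github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork) ||
      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork)
    runs-on: ubuntu-latest
    steps:
      # Checks out the PR head commit, the same ref the original workflow used.
      # On the pull_request_target path this checkout brings untrusted fork
      # content into a workspace that also has secrets, so the steps below only
      # inspect it and do not execute scripts or build files from it.
      - name: Checkout the PR head commit
        uses: actions/checkout@v2
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/head

      - name: foo
        run: echo "do stuff involving [${{ secrets.Foo }}]"
```

With this file in the base branch, a branch PR that edits foo.yaml runs the edited version (pull_request path), while a fork PR keeps running the base-branch version with secrets (pull_request_target path); neither PR runs the job twice.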