Hi,
When using a workflow with pull_request_target, the workflow definition shown in the UI for a workflow run is sometimes different from the workflow definition actually being run.
To reproduce:
- Create a workflow with 2 steps, for example a docker login. Let’s call this v1 of the workflow. Configure the workflow to run on pull_request_target (and push).
- Commit the workflow on master branch. Real life example: https://github.com/DefectDojo/django-DefectDojo/blob/a585f90f38e9984083450e906e30eb65784848c4/.github/workflows/flake8.yml
- Update the workflow file on master branch to remove the first step, i.e. remove the docker login. Real life example: https://github.com/DefectDojo/django-DefectDojo/commit/a1558a0fa72d112788b3c047d875bac51514e400#diff-671c07983afb8d3f8dbdedd4c38fc8519b316c6155449b77f844056e9b96217e and https://github.com/DefectDojo/django-DefectDojo/blob/48512cdf77a0ce0c308f13517126171cead6e884/.github/workflows/flake8.yml
- When the workflow runs on master branch, it works fine using the new v2 version of the workflow. Docker login is not executed and not shown in the UI: https://github.com/DefectDojo/django-DefectDojo/actions/runs/392243650/workflow
The problem:
- Create a branch branch-X from master, but branch off from the commit which has v1 of the workflow.
- Commit something to the branch, for example an empty test.txt.
- Push branch
- Create PR
- Observe the workflow action will run on the PR.
- Observe in the logs that the correct v2 version of the workflow is run.
- Observe that in the UI the workflow definition v1 is shown, which includes the docker login step.
UI showing old v1 workflow: https://github.com/DefectDojo/django-DefectDojo/actions/runs/392263966/workflow
UI showing logs shows correct v2 workflow: https://github.com/DefectDojo/django-DefectDojo/runs/1475796185?check_suite_focus=true
So the UI is showing the wrong workflow definition. This seems to suggest the old / previous version of the workflow is being run. But when you check the logs of the run, it shows that the correct version has been run (without the docker login step, that was removed in v2).
Valentijn