I'm using pull_request_target in one of my GitHub Actions and the action's runs don't run against the merge commit / last commit of my PR. Instead it runs against the already committed code in the master. How can I make it work against the merge commit?
Technically: You can find the branch head in the event structure, and then merge as part of your workflow.
However, using code from the pull request can be dangerous (link to the source with details and security practices below), for example because that code might exploit the GITHUB_TOKEN that has write access when running for pull_request_target:

"pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise."
This is what I use:
But do note that you should be very careful about pull requests. Make sure that your checker isn’t running code from the PR and is merely statically analyzing it.
In principle, if there's a reasonable risk that your compiler could be attacked by source code (i.e. to cause code execution), you shouldn't even use your compiler in this context. Instead, you'd be better served by creating a non-privileged account w/ a PAT, and having your PR check instead push the merge commit to the non-privileged account's fork and check the result of the push event. (I haven't done something like this, but depending on what you're doing, you'd want to consult w/ an expert.)
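The following workflow is an added illustration of the approach the answer describes (take the PR head from the event payload and build the merge commit inside the job) and is not the answerer's own snippet. It relies on real `actions/checkout` inputs (`ref`, `persist-credentials`, `fetch-depth`) and real `pull_request_target` event fields (`pull_request.head.sha`, `pull_request.head.repo.full_name`, `pull_request.base.ref`, `pull_request.base.sha`); the workflow name, committer identity and the "refuse if workflow files changed" rule are assumptions chosen for the example.

```yaml
name: pr-static-check          # example name, not from the original answer
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege: the job only reads the base repository; nothing here
# needs the write-capable GITHUB_TOKEN that pull_request_target would grant.
permissions:
  contents: read

jobs:
  static-check:
    runs-on: ubuntu-latest
    steps:
      # Check out the trusted base branch, and do not leave the token in
      # .git/config where a later step (or merged PR content) could read it.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          persist-credentials: false
          fetch-depth: 0

      # Build the merge commit locally from the head SHA in the event payload.
      # The fetch is anonymous (no token), and `git merge` executes no code
      # from the PR: nothing is built, installed or run at this point.
      - name: Merge PR head into base
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          git config user.name "ci-bot"                     # constructed identity
          git config user.email "ci-bot@example.invalid"
          git fetch "https://github.com/${HEAD_REPO}.git" "${HEAD_SHA}"
          git merge --no-ff --no-edit FETCH_HEAD

      # A purely static check on the merge commit: list what changed and
      # refuse to go further if the PR touches the workflow directory,
      # since that is the code this job is running under.
      - name: Static checks on the merge commit
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          git diff --name-only "${BASE_SHA}" HEAD
          if git diff --name-only "${BASE_SHA}" HEAD | grep -q '^\.github/workflows/'; then
            echo "::error::PR modifies workflow files; refusing to analyse"
            exit 1
          fi
```

A merge conflict makes `git merge` exit non-zero and fails the job, which is the right outcome. The anonymous fetch only works for public head repositories; for a private fork it would need a read-only token passed explicitly, and any analysis step added after the guard should be one that does not evaluate configuration or scripts from the merged tree (a linter that loads a JavaScript config file, a build that runs `setup.py`, or a test suite would all execute PR-controlled code and reintroduce exactly the risk the answer warns about).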