sadpandajoe commented on code in PR #40719:
URL: https://github.com/apache/superset/pull/40719#discussion_r3352147966
##########
.github/workflows/superset-e2e.yml:
##########
@@ -88,13 +106,13 @@ jobs:
steps:
# -------------------------------------------------------
# Conditional checkout based on context
- - name: Checkout for push or pull_request event
- if: github.event_name == 'push' || github.event_name == 'pull_request'
+ - name: Checkout (gated by pre-commit via workflow_run)
+ if: github.event_name == 'workflow_run'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
submodules: recursive
- ref: ${{ github.event_name == 'pull_request' &&
github.event.pull_request.head.sha || github.sha }}
+ ref: ${{ github.event.workflow_run.head_sha }}
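Review bot: The `if: github.event_name == 'workflow_run'` condition on the `+` checkout step tests only the event type, so the "gated by pre-commit" in the step name holds only if something outside this hunk also requires `github.event.workflow_run.conclusion == 'success'`; a `workflow_run` trigger on `completed` fires for failed runs as well. The new `ref: ${{ github.event.workflow_run.head_sha }}` is whatever commit the triggering run built, and `persist-credentials: false` only keeps the checkout token out of the git config; it does not restrict secrets passed to later steps. Suggest putting the conclusion check and a same-repository check in the job-level `if:` rather than on this step.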
Review Comment:
By changing this from `pull_request` to `workflow_run` do we drop the
implicit fork-PR secrets block?
This checkout pulls the fork's SHA, then `cypress-run-all` runs with
`secrets.CYPRESS_RECORD_KEY` in env (L163) — a fork PR can exfiltrate the key
once pre-commit passes. Same shape on `playwright-tests` (L222). Both jobs need
`if: github.event.workflow_run.head_repository.full_name == github.repository`
to skip forks.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
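An added example, not part of the original message or the Superset repository: a string-level audit in Python that flags jobs in a `workflow_run` workflow which check out the triggering run's SHA and reference a secret without the same-repository `if:` guard quoted in the review comment. The sample workflow is constructed (the triggering workflow name `pre-commit`, the `run` command, the `KEY` env name and the `EXAMPLE_KEY` secret are assumptions), and all helper names are hypothetical.

```python
# Added example: flag workflow_run jobs that build the triggering SHA with secrets.
FORK_GUARD = "github.event.workflow_run.head_repository.full_name == github.repository"
TRIGGER_SHA = "github.event.workflow_run.head_sha"

def _strings(node):
    """Yield every string nested anywhere in a dict/list tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from _strings(value)

def unguarded_jobs(workflow):
    """Names of jobs that check out the triggering run's SHA, reference a
    secret, and have no same-repository guard in their job-level `if:`."""
    # PyYAML (YAML 1.1) loads the bare key `on` as boolean True, so accept both.
    triggers = workflow.get("on", workflow.get(True, {}))
    if "workflow_run" not in triggers:
        return []
    flagged = []
    for name, job in workflow.get("jobs", {}).items():
        text = list(_strings(job))
        checks_out_trigger = any(TRIGGER_SHA in s for s in text)
        uses_secret = any("secrets." in s for s in text)
        # Collapse whitespace so a folded multi-line `if:` still matches.
        guarded = FORK_GUARD in " ".join(str(job.get("if", "")).split())
        if checks_out_trigger and uses_secret and not guarded:
            flagged.append(name)
    return flagged

def _job(secret, guard=None):
    """Constructed job: checkout of the triggering SHA, then a step with a secret."""
    job = {"steps": [
        {"uses": "actions/checkout@<pinned-sha>",
         "with": {"persist-credentials": False, "ref": "${{ %s }}" % TRIGGER_SHA}},
        {"run": "echo run tests", "env": {"KEY": "${{ secrets.%s }}" % secret}},
    ]}
    if guard:
        job["if"] = guard
    return job

# Constructed sample, already parsed to a dict; job names follow the review comment.
SAMPLE = {
    "on": {"workflow_run": {"workflows": ["pre-commit"], "types": ["completed"]}},
    "jobs": {"cypress-run-all": _job("CYPRESS_RECORD_KEY"),
             "playwright-tests": _job("EXAMPLE_KEY", guard=FORK_GUARD)},  # hypothetical secret
}

if __name__ == "__main__":
    print(unguarded_jobs(SAMPLE))
```

The match is a substring check, so a guard that is OR-ed with another condition or written without spaces around `==` needs manual review.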