GoogleCloudPlatform/cloud-sql-nodejs-connector

GitHub Worklow for PR from a Fork does not checkout PR code

edosrecki opened this issue · 1 comments

edosrecki commented

Bug Description

When a PR is opened from a repository fork, and repository maintainers add a label tests: run, GitHub Actions executes a workflow that runs tests. However, this workflow checks out the latest commit on a default branch of the target repository (not a repository fork). Therefore, test are not actually run against the code submitted by a contributor.

This is by design:

pull_request_target runs in the context of the target repository of the PR, rather than in the merge commit. This means the standard checkout action uses the target repository to prevent accidental usage of the user supplied code.

It can be easily validated by checking the logs of a workflow execution on one of the PRs submitted from a repository fork.

Therefore, parameters need to be provided to actions/checkout action to check out the PR head commit.

Code

cloud-sql-nodejs-connector/.github/workflows/tests.yml

Line 71 in 993d5d8

uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

jackwotherspoon commented

Good catch! Not sure how I missed this previously, fixed in linked PR