Primary language: JavaScript. License: MIT.

Lint Autofix CI Demo

WIP

A demo of a GitHub Actions setup that automatically fixes PRs of external contributors.

Using pull_request_target to elevate your permissions to push to a contributor's fork is unsafe according to GitHub Security Lab's best practices.

For security reasons, the process is split into two workflows:

  • a pull_request workflow that safely runs on the untrusted PR, and only generates a git diff patch
  • a workflow_run workflow with elevated permissions that pushes the diff patch to the repository