Check run permissions for build artifact generation secrets usage (#11897)

2026-01-01 08:03:20 +00:00 · 2024-11-07 13:01:54 -05:00
parent b42741f313
commit db40f20160
4 changed files with 105 additions and 31 deletions
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -1,7 +1,8 @@
 name: Build Web

 on:
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize]
    branches-ignore:
      - 'l10n_master'
      - 'cf-pages'
@@ -36,6 +37,10 @@ env:
  _AZ_REGISTRY: bitwardenprod.azurecr.io

 jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
  setup:
    name: Setup
    runs-on: ubuntu-22.04
@@ -43,8 +48,10 @@ jobs:
      version: ${{ steps.version.outputs.value }}
      node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{  github.event.pull_request.head.sha }}

      - name: Get GitHub sha as version
        id: version
@@ -89,8 +96,10 @@ jobs:
            git_metadata: true

    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{  github.event.pull_request.head.sha }}

      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -142,6 +151,7 @@ jobs:
    needs:
      - setup
      - build-artifacts
+      - check-run
    strategy:
      fail-fast: false
      matrix:
@@ -155,8 +165,10 @@ jobs:
    env:
      _VERSION: ${{ needs.setup.outputs.version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{  github.event.pull_request.head.sha }}

      - name: Check Branch to Publish
        env:
@@ -250,11 +262,15 @@ jobs:
  crowdin-push:
    name: Crowdin Push
    if: github.ref == 'refs/heads/main'
-    needs: build-artifacts
+    needs:
+      - build-artifacts
+      - check-run
    runs-on: ubuntu-22.04
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{  github.event.pull_request.head.sha }}

      - name: Login to Azure
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -284,7 +300,9 @@ jobs:
    name: Trigger web vault deploy
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-22.04
-    needs: build-artifacts
+    needs:
+      - build-artifacts
+      - check-run
    steps:
      - name: Login to Azure - CI Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0