Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ ---
Original file line number Diff line number Diff line change @@ -138,10 +138,6 @@ jobs:
138138
139139 integration-tests :
140140 name : Integration Tests
141- # Skip for fork PRs to prevent security vulnerabilities (no secrets)
142- # Runs if it comes from the root repo or once it gets approved by a maintainer
143- if : |
144- github.event.inputs.run_integration_tests == 'true' || github.event.pull_request.head.repo.full_name == github.repository
145141 needs : formatting-linting
146142 runs-on : ${{ vars.RUNNER_LARGE || 'ubuntu-latest-l' }}
147143 timeout-minutes : ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
@@ -163,11 +159,30 @@ jobs:
163159 next-version : ' 15'
164160
165161 steps :
162+ # Skip integration tests from fork PRs to prevent secret exfiltration
163+ - name : Get User Permission
164+ id : checkAccess
165+ uses : actions-cool/check-user-permission@v2
166+ with :
167+ require : write
168+ username : ${{ github.triggering_actor }}
169+ env :
170+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
171+ - name : Check User Permission
172+ if : steps.checkAccess.outputs.require-result == 'false'
173+ run : |
174+ echo "${{ github.triggering_actor }} does not have permissions on this repo."
175+ echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
176+ echo "Job originally triggered by ${{ github.actor }}"
177+ exit 1
178+
166179 - name : Checkout Repo
167180 uses : actions/checkout@v4
168181 with :
169182 fetch-depth : 0
170183 show-progress : false
184+ # We must first verify the user permissions before checking out PR code
185+ ref : ${{ github.event.pull_request.head.sha }}
171186
172187 - name : Setup
173188 id : config
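Review bot: The new "Get User Permission" step is now the only gate between a fork PR and the secrets this job later uses, yet it delegates that decision to a third-party action referenced by a mutable major tag, `actions-cool/check-user-permission@v2`, and hands it `secrets.GITHUB_TOKEN`; pin it to a full-length commit SHA (`uses: actions-cool/check-user-permission@<commit-sha>  # v2`) so a retagged release cannot silently change what is checked. The comment above that step says fork PRs are "skipped", but the "Check User Permission" step does `exit 1`, which fails the job rather than skipping it the way the removed `if:` did; either reword the comment (`# Fail the job unless the triggering actor has write access; fork PRs must be re-run by a maintainer`) or gate the job with an `if:` if a neutral skip is intended. The comment above `ref:` could also state why `head.sha` is used instead of `head.ref`: the sha pins the code that existed when the permission was evaluated, so a later push to the PR branch cannot swap in different code after the check. The workflow's trigger events and the rest of the steps list are outside this hunk, so whether any secret is consumed before the gate cannot be confirmed here.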
Load diff This file was deleted.