mirror of
https://github.com/actualbudget/actual.git
synced 2026-03-11 12:43:09 -05:00
36 lines
1.5 KiB
YAML
36 lines
1.5 KiB
YAML
name: Handle completed feature requests
|
|
|
|
##########################################################################################
|
|
# WARNING! This workflow uses the 'pull_request_target' event. That mans that it will #
|
|
# always run in the context of the main actualbudget/actual repo, even if the PR is from #
|
|
# a fork. This is necessary to get access to a GitHub token that can post a comment on #
|
|
# the PR. Be VERY CAREFUL about adding things to this workflow, since forks can inject #
|
|
# arbitrary code into their branch, and can pollute the artifacts we download. Arbitrary #
|
|
# code execution in this workflow could lead to a compromise of the main repo. #
|
|
##########################################################################################
|
|
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests #
|
|
##########################################################################################
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [closed]
|
|
|
|
permissions:
|
|
issues: write
|
|
|
|
jobs:
|
|
handle-feature-requests:
|
|
if: github.event.pull_request.merged == true
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
# This is not a security concern because we have approved & merged the PR
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '19'
|
|
- name: Handle feature requests
|
|
run: node .github/actions/handle-feature-requests.js
|
|
env:
|
|
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|