Feature/run prs with readwrite token (#2676)

* Run PRs from forked repos with readwrite token * use caching integrated in setup-java This closes #2653
Adobe-Consulting-Services · Aug 25, 2021 · 2769058 · 2769058
1 parent 0cf04ee
commit 2769058
Showing 1 changed file with 29 additions and 8 deletions.
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -1,12 +1,29 @@
 name: Java CI
 
 on:
+  # for regular master build (after the merge)
   push:
     branches:
     - master
-  pull_request:
+  # for PRs from forked repos and non forked repos
+  # in order to write status info to the PR we require write repository token (https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/)
+  pull_request_target:
     branches:
     - master
+    types: [opened, synchronize, reopened]
+
+# restrict privileges except for setting commit status, adding PR comments and writing statuses
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  deployments: read
+  issues: read
+  packages: read
+  pull-requests: write
+  repository-projects: read
+  security-events: read
+  statuses: write
 
 jobs:
   build:
@@ -26,20 +43,24 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
+      - name: Debug Event
+        env:
+          GH_EVENT: ${{ toJSON(github.event) }}
+        shell: bash
+        run: echo "Event that triggered the action $GH_EVENT"
       - name: Checkout
         uses: actions/checkout@v2
-
-      - name: Set up cache for ~/.m2/repository
-        uses: actions/cache@v2
+        # always act on the modified source code (even for event pull_request_target)
+        # is considered potentially unsafe (https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) but actions are only executed after approval from committers
         with:
-          path: ~/.m2/repository
-          key: maven-${{ matrix.os }}-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            maven-${{ matrix.os }}-
+          ref: ${{ github.event.pull_request.head.sha }}
+          # no additional git operations after checkout triggered in workflow, no need to store credentials
+          persist-credentials: false
 
       - name: Set up JDK
         uses: actions/setup-java@v2
         with:
+          cache: 'maven'
           distribution: 'adopt'
           java-version: ${{ matrix.jdk }}
           # generate settings.xml with the correct values