
I want to trigger a GitHub Actions workflow when a pull request review is submitted. However, I need to ensure that:

  1. The workflow cannot be modified from within the pull request itself.
  2. The workflow has write permissions, even when the pull request comes from a forked repository.

I found that the pull_request_review event can trigger workflows on review submissions, but it can be manipulated in the PR and lacks write permissions when the PR comes from a fork.

How can I securely trigger a workflow on review submission while ensuring it can't be altered in the PR and retains write access?

I used the pull_request_review event to trigger the workflow

on:
  pull_request_review:
    types: [submitted]

The workflow can be modified within the PR, making it a security risk, and it lacks write permissions when triggered from a forked repository.

I expected the workflow to trigger securely when a review is submitted, without allowing the PR to modify it, and to retain write permissions, even for forked PRs.

  • You can use a pipeline implementation that validates "untouchable files" to prevent some files from being updated. I've got an example here if you want to have a look. Commented Feb 27 at 19:10
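The two-stage layout below is an added example for the problem described in the question; it is not code from the question, the comment, or any answer on this page. It relies on GitHub's documented behaviour of the workflow_run event: the second workflow file is read from the default branch (so a PR cannot alter it), and its job receives write scopes and secrets even when the triggering run came from a fork. The file names, the artifact name `pr-info`, the label name and the jq filter are choices made for this example, and it assumes that `github.event.workflow_run.head_sha` is the PR head commit that was reviewed, which is why the approval check compares it to each review's `commit_id`.

```yaml
# .github/workflows/review-trigger.yml
# Stage 1 (untrusted): runs in the PR's context, so a fork PR can edit this
# file and its token is read-only. Its only job is to hand the PR number on.
name: review-trigger
on:
  pull_request_review:
    types: [submitted]
permissions:
  contents: read
jobs:
  record:
    runs-on: ubuntu-latest
    steps:
      - name: Record the PR number for the privileged stage
        run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-info          # artifact name chosen for this example
          path: pr_number.txt
---
# .github/workflows/review-privileged.yml
# Stage 2 (trusted): workflow_run reads this file from the default branch, so
# the PR cannot change it, and the job gets write scopes and secrets even when
# the run that triggered it came from a fork.
name: review-privileged
on:
  workflow_run:
    workflows: [review-trigger]   # must match the `name:` of stage 1
    types: [completed]
permissions:
  actions: read          # needed to download an artifact from another run
  contents: read
  pull-requests: write
jobs:
  act-on-review:
    # workflow_run fires on every completion of review-trigger; proceed only
    # for successful runs that were themselves started by a review submission.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request_review'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-info
          path: pr-info
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Re-verify the review with the trusted token
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          # Everything stage 1 produced is attacker-controlled for a fork PR:
          # it could have rewritten the workflow and the artifact. Treat the
          # number as untrusted input and confirm the approval via the API.
          pr=$(tr -d '[:space:]' < pr-info/pr_number.txt)
          [[ "$pr" =~ ^[0-9]+$ ]] || { echo "::error::bad PR number"; exit 1; }
          # Count APPROVED reviews from repository members/collaborators that
          # were submitted on the exact head commit the triggering run built.
          approvals=$(gh api "repos/$REPO/pulls/$pr/reviews" \
            --jq "[.[] | select(.state == \"APPROVED\"
                               and .commit_id == \"$HEAD_SHA\"
                               and (.author_association | IN(\"OWNER\",\"MEMBER\",\"COLLABORATOR\")))]
                   | length")
          [ "$approvals" -gt 0 ] || { echo "::error::no approval on $HEAD_SHA"; exit 1; }
          echo "PR_NUMBER=$pr" >> "$GITHUB_ENV"
      - name: Privileged action (example: label the verified PR)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --add-label approved-verified
```

The artifact handoff exists because the workflow_run payload carries no review data, and for fork PRs its `pull_requests` array is empty. Nothing the first stage writes can be trusted, so the second stage treats the PR number as input to validate and re-reads the reviews with its own token rather than believing that a review happened. Checking `commit_id` against the head SHA also means an approval given on an earlier commit is not carried over to commits pushed afterwards.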

