From 05aa1e5bb412bf00f60524f433ec33689f14e2e5 Mon Sep 17 00:00:00 2001 From: ylemkimon Date: Sun, 9 Aug 2020 21:54:36 +0900 Subject: [PATCH 1/5] Update README regarding `pull_request_target` --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 9c56a6f..bab66f6 100644 --- a/README.md +++ b/README.md @@ -119,6 +119,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit) - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event) - [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token) +- [Checkout pull request on `pull_request_target`](#Checkout-pull-request-on-pull_request_target) ## Fetch all history for all tags and branches @@ -214,6 +215,22 @@ jobs: - uses: actions/checkout@v2 ``` +## Checkout pull request on `pull_request_target` + +```yaml +on: + - pull_request_target +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: refs/pull/${{ github.event.pull_request.number }}/head +``` + +**WARNING! NEVER** run code from pull requests of public repositories! The token of `pull_request_target` event has write access. + ## Push a commit using the built-in token ```yaml From 4c4d2b5a39761bb8a521b5fa0355d08a2b5592c3 Mon Sep 17 00:00:00 2001 From: ylemkimon Date: Sun, 9 Aug 2020 21:59:31 +0900 Subject: [PATCH 2/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bab66f6..87117b0 100644 --- a/README.md +++ b/README.md 
@@ -118,8 +118,8 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous - [Checkout multiple repos (private)](#Checkout-multiple-repos-private) - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit) - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event) -- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token) - [Checkout pull request on `pull_request_target`](#Checkout-pull-request-on-pull_request_target) +- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token) ## Fetch all history for all tags and branches From f16eddee8410930a20309c41063631c4177643a5 Mon Sep 17 00:00:00 2001 From: ylemkimon Date: Tue, 15 Sep 2020 04:37:09 +0900 Subject: [PATCH 3/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 87117b0..a714c0f 100644 --- a/README.md +++ b/README.md @@ -226,7 +226,7 @@ jobs: steps: - uses: actions/checkout@v2 with: - ref: refs/pull/${{ github.event.pull_request.number }}/head + ref: refs/pull/${{ github.event.pull_request.number }}/merge ``` **WARNING! NEVER** run code from pull requests of public repositories! The token of `pull_request_target` event has write access. From 009b9ae9e446ad8d9b8c809870b0fbcc5e03573e Mon Sep 17 00:00:00 2001 From: Ben Wells Date: Thu, 16 Jan 2025 14:14:48 -0500 Subject: [PATCH 4/5] Documentation update - add recommended permissions to Readme (#2043) * Update README.md * Update README.md Co-authored-by: Josh Gross --------- Co-authored-by: Josh Gross --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index b0f6224..f28fec7 100644 --- a/README.md +++ b/README.md 
@@ -311,6 +311,16 @@ jobs: git commit -m "generated" git push ``` + +## Recommended permissions + +When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs: + +```yaml +permissions: + contents: read +``` + *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D From 85e6279cec87321a52edac9c87bce653a07cf6c2 Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Thu, 16 Jan 2025 15:56:18 -0500 Subject: [PATCH 5/5] Adjust positioning of user email note and permissions heading (#2044) --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f28fec7..64dc025 100644 --- a/README.md +++ b/README.md @@ -312,7 +312,9 @@ jobs: git push ``` -## Recommended permissions +*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D + +# Recommended permissions When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs: @@ -321,9 +323,6 @@ permissions: contents: read ``` -*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D - - # License The scripts and documentation in this project are released under the [MIT License](LICENSE)
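Review bot: In PATCH 1/5, the new "Checkout pull request on `pull_request_target`" section (hunk `@@ -214,6 +215,22 @@`) puts the warning after the YAML, and the example does nothing to limit the token that the warning says has write access. Move the warning above the code block, and have the example set a `permissions:` block with `contents: read` and `persist-credentials: false` under `with:`, so that a reader who copies it starts from the narrow form. The phrase "run code from pull requests of public repositories" would also be clearer as a statement of what must not follow this checkout, namely any step that executes the checked-out files.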
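Review bot: The table-of-contents entry added in PATCH 1/5 (hunk `@@ -119,6 +119,7 @@`) is appended after "Push a commit using the built-in token", while the section itself is inserted before that section, and PATCH 2/5 exists only to swap the two lines back into order. Squash 2/5 into 1/5, or give it a subject that says what it does instead of "Update README.md".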
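Review bot: PATCH 3/5 changes the ref from `/head` to `/merge` under the subject "Update README.md" with no rationale, and the section still does not say which commit the reader ends up with. Add a sentence to the section stating that this checks out the pull request's merge commit, and that the warning below applies unchanged because that commit still contains the pull request's changes. The README already lists a "Checkout pull request HEAD commit instead of merge commit" scenario, so a cross-reference to it would make the difference explicit.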
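Review bot: In PATCH 4/5 the recommended `contents: read` lands directly under the "Push a commit using the built-in token" example, whose last step is `git push`; a reader who applies the recommendation to that workflow gets a rejected push. State in the new section that workflows which push with the built-in token need `contents: write`, or add the matching `permissions:` block to the push example. The section is also inserted between that example and its `*NOTE:*` about the user email, which PATCH 5/5 then has to move; placing it after the note here would avoid the follow-up.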