Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/leak-detect.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,6 @@ jobs:
# fail as a required check. Leak scanning of fork PRs is enforced
# post-merge by the maintainer-side push trigger on main.
if: github.event.pull_request.head.repo.full_name == github.repository
uses: klodr/.github/.github/workflows/reusable-leak-detect.yml@7987f59050ff9ee614d21b603e4ba87ace27f7d9
uses: klodr/.github/.github/workflows/reusable-leak-detect.yml@33ff8e518ecb7a799f114dc83ba06c9f0d660845

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Check the PR author instead of the trigger actor

This pins the caller to reusable workflow 33ff8e5, whose new skip guard tests github.actor rather than the PR author. This workflow also runs on pull_request edited and reopened events, so when a maintainer edits or reopens a Dependabot / release-please PR, the triggering actor is the human, the bot PR is not skipped, and it can still enter the private-key token step and fail—the case this bump is meant to unblock. Please point at a reusable ref that checks github.event.pull_request.user.login (or otherwise keys the skip off the PR author).

Useful? React with 👍 / 👎.

secrets:
leak-detect-app-private-key: ${{ secrets.LEAK_DETECT_APP_PRIVATE_KEY }}
Loading