Duplicate Budget #1598
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Handle completed feature requests | |
########################################################################################## | |
# WARNING! This workflow uses the 'pull_request_target' event. That mans that it will # | |
# always run in the context of the main actualbudget/actual repo, even if the PR is from # | |
# a fork. This is necessary to get access to a GitHub token that can post a comment on # | |
# the PR. Be VERY CAREFUL about adding things to this workflow, since forks can inject # | |
# arbitrary code into their branch, and can pollute the artifacts we download. Arbitrary # | |
# code execution in this workflow could lead to a compromise of the main repo. # | |
########################################################################################## | |
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests # | |
########################################################################################## | |
on: | |
pull_request_target: | |
types: [closed] | |
permissions: | |
issues: write | |
jobs: | |
handle-feature-requests: | |
if: github.event.pull_request.merged == true | |
runs-on: ubuntu-latest | |
steps: | |
# This is not a security concern because we have approved & merged the PR | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: '19' | |
- name: Handle feature requests | |
run: node .github/actions/handle-feature-requests.js | |
env: | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |