Add : pull_request_target event on GitHub Actions integration #1531
Conversation
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
PR Reviewer Guide 🔍Here are some key observations to aid the review process:
|
PR Code Suggestions ✨Latest suggestions up to c9500cf
Previous suggestionsSuggestions up to commit c9500cf
|
| @@ -81,7 +81,7 @@ async def run_action(): | |||
| get_logger().info(f"github action: failed to apply repo settings: {e}") | |||
|
|
|||
| # Handle pull request opened event | |||
| if GITHUB_EVENT_NAME == "pull_request": | |||
| if GITHUB_EVENT_NAME == "pull_request" or GITHUB_EVENT_NAME == "pull_request_target": | |||
There was a problem hiding this comment.
/ask explain what will change when implementing this diff
There was a problem hiding this comment.
This change expands the condition to handle GitHub Actions events from pull requests. Here's what changes:
- Before: The code only processed events when
GITHUB_EVENT_NAMEwas "pull_request" - After: The code will now process events when
GITHUB_EVENT_NAMEis either "pull_request" OR "pull_request_target"
The main impact is that this adds support for the pull_request_target event, which is a more secure way to handle pull requests from forks. The pull_request_target event:
- Runs in the context of the base repository
- Has access to secrets
- Can safely handle PRs from forks without exposing sensitive repository data
This is particularly useful for automation workflows that need to interact with pull requests from external contributors while maintaining security.
|
/improve |
|
@hi120ki can you specify exactly when a |
|
@mrT23 Thank you! name: pr_agent_job
on:
pull_request_target:
types: [opened, reopened, ready_for_review]
issue_comment:
jobs:
pr_agent_job:
if: ${{ github.event.sender.type != 'Bot' }}
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
contents: write
name: Run pr agent on every pull request, respond to user comments
steps:
- name: Check out repository
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- name: PR Agent action step
id: pragent
uses: qodo-ai/pr-agent@main
env:
OPENAI_KEY: ${{ secrets.OPENAI_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
User description
For GitHub Action's integration, we can setup pull_request and pull_request_target.
https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target
pull_request_target event will fix the workflow context to default branch's ref (like
refs/heads/main), and it will help us to not to allow editing the workflow file on PR for preventing unintended resource usage.Even if we switch the workflow from pull_request to pull_request_target, we can continue to get
event_payload.get("action")andevent_payload.get("pull_request", {}), then we don't need to change the existing codes.For testing, I tried to run the PR Agent with pull_request_target configuration and confirmed
/describe,/review,/improveworks. This shows we don't need to change the existing codes, and if my patch is applied, the automated describe and review will be executed on PR with pull_request_target.Could you please take a look? Thank you for your great work on awesome tool!
PR Type
Enhancement, Bug fix
Description
Added support for
pull_request_targetevent in GitHub Actions.Ensured compatibility with existing
pull_requestevent handling.Prevented unintended workflow edits for resource usage control.
Changes walkthrough 📝
github_action_runner.py
Support `pull_request_target` event in GitHub Actionspr_agent/servers/github_action_runner.py
pull_request_targetevent.pull_requestevent logic.