
[ci] Also give permissions on pull_requests #32709

Merged
merged 1 commit into from
Mar 21, 2025

Conversation

poteto (Member) commented Mar 21, 2025

@github-actions github-actions bot added the React Core Team Opened by a member of the React Core Team label Mar 21, 2025
@react-sizebot

Comparing: fe8c106...06dafd5

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

| Name | +/- | Base | Current | +/- gzip | Base gzip | Current gzip |
|---|---|---|---|---|---|---|
| oss-stable/react-dom/cjs/react-dom.production.js | = | 6.68 kB | 6.68 kB | = | 1.83 kB | 1.83 kB |
| oss-stable/react-dom/cjs/react-dom-client.production.js | = | 515.14 kB | 515.14 kB | = | 91.74 kB | 91.74 kB |
| oss-experimental/react-dom/cjs/react-dom.production.js | = | 6.69 kB | 6.69 kB | = | 1.83 kB | 1.83 kB |
| oss-experimental/react-dom/cjs/react-dom-client.production.js | = | 615.53 kB | 615.53 kB | = | 108.89 kB | 108.89 kB |
| facebook-www/ReactDOM-prod.classic.js | = | 651.48 kB | 651.48 kB | = | 114.89 kB | 114.89 kB |
| facebook-www/ReactDOM-prod.modern.js | = | 641.76 kB | 641.76 kB | = | 113.31 kB | 113.31 kB |

Significant size changes

Includes any change greater than 0.2%:

(No significant changes)

Generated by 🚫 dangerJS against 06dafd5

@poteto poteto merged commit 4f080e4 into main Mar 21, 2025
241 of 243 checks passed
@poteto poteto deleted the pr32709 branch March 21, 2025 20:17
poteto added a commit that referenced this pull request Mar 21, 2025
`pull_request_target` gives access to repository secrets and permissions
for use from forks, for example to add a comment.

> Due to the dangers inherent to automatic processing of PRs, GitHub’s
> standard pull_request workflow trigger by default prevents write
> permissions and secrets access to the target repository. However, in
> some scenarios such access is needed to properly process the PR. To this
> end the pull_request_target workflow trigger was introduced.

> The reason to introduce the pull_request_target trigger was to enable
> workflows to label PRs (e.g. needs review) or to comment on the PR.

(via
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/)

In this case there is no reason for us to allow this, so let's just use
the normal `pull_request` trigger which is less permissive.
---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/facebook/react/pull/32708).
* __->__ #32708
* #32709
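The change the commit message describes, as an added illustration rather than the React repository's actual workflow file (which this page does not show): the same hypothetical job declared first with the `pull_request_target` trigger, then with the plain `pull_request` trigger and an explicit read-only `permissions` block. The job name, step and script path are assumptions.

```yaml
# Added example, not a workflow from the React repository.
# Job, step and script names below are assumed.

# BEFORE: pull_request_target runs the job in the context of the base repository.
# The job therefore receives the repository's secrets and, unless a permissions
# block restricts it, a GITHUB_TOKEN with write scopes, even when the PR was
# opened from a fork. Nothing in this job needs that.
on:
  pull_request_target:

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/check.sh   # assumed script

---
# AFTER: the normal pull_request trigger. For PRs from forks the GITHUB_TOKEN is
# read-only and repository secrets are not exposed to the job. The permissions
# block states the only scope the job uses, so the token carries nothing more
# than that regardless of the repository's default token setting.
on:
  pull_request:

permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/check.sh   # assumed script
```

A quick way to audit an existing repository for the weaker form is to search `.github/workflows/` for the string `pull_request_target` and confirm each hit genuinely needs write access or secrets.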
Labels: CLA Signed, React Core Team
3 participants