openrn/react-native-logging-tools
openrn/react-native-logging-tools
1
0
Fork 2
Code Issues 5 Pull requests Releases 9 Packages 1 Activity Actions

#59 - Use pull_request_target event in PR workflow to support fork CI with secrets #60

Merged
GuillaumeHemmen merged 2 commits from 59-Use-pull_request_target-event-in-PR-workflow-to-support-fork-CI-with-secrets into master 2026-04-13 15:34:29 +00:00
Conversation 0 Commits 2 Files changed 1 +14 -1
GuillaumeHemmen commented 2026-04-13 15:22:36 +00:00
Owner
Copy link

Description

Switch the PR workflow trigger from pull_request to pull_request_target so
that the full CI pipeline (including Sonar analysis) runs for fork PRs. All
actions/checkout@v4 steps are updated to check out the PR head commit
explicitly via ref: ${{ github.event.pull_request.head.sha }}.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to
    not work as expected)
  • Documentation update
  • Performance improvement
  • Refactoring (no functional changes)
  • CI/CD update

Related Issue

Fixes #59

Testing

  • Unit tests added/updated
  • Manual testing performed — workflow triggered on a fork PR and verified
    all jobs (prettier, tsc, lint, unit-testing, sonar) ran successfully with
    access to secrets
  • Tested on iOS
  • Tested on Android

Breaking Changes

None. This change only affects how the CI workflow is triggered; no code, API,
or configuration changes are made to the library itself.

Checklist

  • Code follows the project's code style (Prettier, ESLint)
  • TypeScript types are properly defined
  • Tests pass locally
  • Documentation updated (if needed)
  • CI checks pass (Prettier, TypeScript, Lint, Tests, Sonar)

Additional Notes

Security consideration: Using
ref: ${{ github.event.pull_request.head.sha }} pins the checkout to the exact
SHA the contributor pushed, avoiding the ambiguity of the auto-merged ref. This
is the recommended approach for pull_request_target in Forgejo to avoid
running untrusted code from a stale or manipulated merge commit.

The Sonar job's existing if: condition remains unchanged — it still only runs
when SONAR_TOKEN, SONAR_HOST_URL, SONAR_PROJECT_KEY, and
SONAR_PROJECT_NAME are all configured.

## Description Switch the PR workflow trigger from `pull_request` to `pull_request_target` so that the full CI pipeline (including Sonar analysis) runs for fork PRs. All `actions/checkout@v4` steps are updated to check out the PR head commit explicitly via `ref: ${{ github.event.pull_request.head.sha }}`. ## Type of Change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] Documentation update - [ ] Performance improvement - [ ] Refactoring (no functional changes) - [x] CI/CD update ## Related Issue Fixes #59 ## Testing - [ ] Unit tests added/updated - [x] Manual testing performed — workflow triggered on a fork PR and verified all jobs (prettier, tsc, lint, unit-testing, sonar) ran successfully with access to secrets - [ ] Tested on iOS - [ ] Tested on Android ## Breaking Changes None. This change only affects how the CI workflow is triggered; no code, API, or configuration changes are made to the library itself. ## Checklist - [x] Code follows the project's code style (Prettier, ESLint) - [x] TypeScript types are properly defined - [x] Tests pass locally - [ ] Documentation updated (if needed) - [x] CI checks pass (Prettier, TypeScript, Lint, Tests, Sonar) ## Additional Notes **Security consideration:** Using `ref: ${{ github.event.pull_request.head.sha }}` pins the checkout to the exact SHA the contributor pushed, avoiding the ambiguity of the auto-merged ref. This is the recommended approach for `pull_request_target` in Forgejo to avoid running untrusted code from a stale or manipulated merge commit. The Sonar job's existing `if:` condition remains unchanged — it still only runs when `SONAR_TOKEN`, `SONAR_HOST_URL`, `SONAR_PROJECT_KEY`, and `SONAR_PROJECT_NAME` are all configured.
#59 - Switch PR workflow to pull_request_target to support fork CI with secrets
All checks were successful
/ pre-check (push) Successful in 9s
Details
/ prettier (push) Successful in 32s
Details
/ tsc (push) Successful in 36s
Details
/ lint (push) Successful in 30s
Details
/ unit-testing (push) Successful in 31s
Details
/ sonar (push) Successful in 57s
Details
4717a78d9f
GuillaumeHemmen scheduled this pull request to auto merge when all checks succeed 2026-04-13 15:24:00 +00:00
#59 - Update PR workflow to listen to both pull_request and pull_request_target for improved CI event handling
All checks were successful
/ pre-check (push) Successful in 13s
Details
/ prettier (push) Successful in 27s
Details
/ tsc (push) Successful in 31s
Details
/ lint (push) Successful in 33s
Details
/ unit-testing (push) Successful in 31s
Details
/ tsc (pull_request) Successful in 30s
Details
/ prettier (pull_request) Successful in 34s
Details
/ lint (pull_request) Successful in 32s
Details
/ unit-testing (pull_request) Successful in 31s
Details
/ sonar (push) Successful in 1m4s
Details
/ sonar (pull_request) Successful in 55s
Details
60bb3b3fbf
GuillaumeHemmen canceled auto merging this pull request when all checks succeed 2026-04-13 15:28:21 +00:00
GuillaumeHemmen deleted branch 59-Use-pull_request_target-event-in-PR-workflow-to-support-fork-CI-with-secrets 2026-04-13 15:34:29 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug
Something isn't working

  
dependencies
Pull requests that update a dependency file

  
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
question
Further information is requested

  
wontfix
This will not be worked on

No labels
bug
dependencies
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
GuillaumeHemmen
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
openrn/react-native-logging-tools!60
No description provided.