update CI config for pull requests

see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
2026-05-22 20:51:27 +00:00 · 2021-10-08 15:30:28 +02:00
parent 6c6f6baf12
commit 7f833d2567
2 changed files with 32 additions and 7 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,8 @@ name: Build

 on:
  push:
+  pull_request_target:
+    types: [labeled]

 env:
  JAVA_VERSION: 17
@@ -17,19 +19,16 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
    steps:
      - uses: actions/checkout@v2
-      - uses: actions/setup-java@v1
+      - uses: actions/setup-java@v2
        with:
+          distribution: 'temurin'
          java-version: ${{ env.JAVA_VERSION }}
-      - uses: actions/cache@v2
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
+          cache: 'maven'
      - name: Build and Test
        run: mvn -B clean install jacoco:report -Pcoverage,dependency-check
      - name: Upload code coverage report
        id: codacyCoverageReporter
+        if: "contains(github.event.pull_request.labels.*.name, 'pr:safe')"
        run: bash <(curl -Ls https://coverage.codacy.com/get.sh)
        env:
          CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
@@ -0,0 +1,26 @@
+name: Pull Request
+
+on:
+  pull_request:
+
+env:
+  JAVA_VERSION: 17
+
+defaults:
+  run:
+    shell: bash
+
+jobs: 
+  test:
+    name: Compile and Test
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-java@v2
+        with:
+          distribution: 'temurin'
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
+      - name: Build and Test
+        run: mvn -B clean install jacoco:report -Pcoverage,dependency-check