Changed pull_request_target to pull_request (#438)

auth0 · Sep 3, 2024 · f25e6e3 · f25e6e3
1 parent e31d23f
commit f25e6e3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 16 deletions.
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -1,7 +1,10 @@
 name: govulncheck
 
 on:
-  pull_request_target: {}
+  pull_request:
+    types:
+      - opened
+      - synchronize
   push:
     branches: [main]
   schedule:
@@ -15,6 +18,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
       - name: Scan for Vulnerabilities in Code
         uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # [email protected]
         with:

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -1,8 +1,7 @@
 name: Semgrep
 
 on:
-  merge_group:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -20,30 +19,22 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
-
   run:
-    needs: authorize # Require approval before running on forked pull requests
-
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
-
     container:
       image: returntocorp/semgrep
 
     steps:
       - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
-        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues.
 
-      - uses: actions/checkout@v4
+      - name: Checkout Code
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
-      - run: semgrep ci
+      - name: Run Semgrep
+        run: semgrep ci
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_TOKEN }}