Optimize comment-on-asciidoc-changes.yml (#367)

reakaleek · web-flow · commit ced78583b5c7 · 2025-01-29T09:53:23.000Z
* Optimize comment-on-asciidoc-changes.yml * Checkout correct commit when used with pull_request_target * Update .github/workflows/comment-on-asciidoc-changes.yml * Add error exit code if there are changes for the asciidoc comment workflow (#357) * Merge main
diff --git a/.github/workflows/comment-on-asciidoc-changes.yml b/.github/workflows/comment-on-asciidoc-changes.yml
@@ -3,6 +3,10 @@ name: Comment on PR for .asciidoc changes
 on:
   workflow_call: ~
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   comment-on-asciidoc-change:
     runs-on: ubuntu-latest
@@ -11,19 +15,20 @@ jobs:
       - name: Checkout the repository
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # This is important to fetch all history
+          # This is considered a security risk when used in conjunction with pull_request_target
+          # However, we are not running any code from the PR, so it's safe
+          # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+          ref: ${{ github.event.pull_request.head.sha }}
 
-      - name: Check for changes in .asciidoc files
+      - name: Get changed files
         id: check-files
-        run: |
-          git fetch origin ${{ github.base_ref }}
-          if git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E '\.asciidoc$'; then
-            echo "asciidoc_changed=true" >> $GITHUB_OUTPUT
-          else
-            echo "asciidoc_changed=false" >> $GITHUB_OUTPUT
-          fi
+        uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6
+        with:
+          files: |
+            **/*.asciidoc
+
       - name: Add a comment if .asciidoc files changed
-        if: steps.check-files.outputs.asciidoc_changed == 'true'
+        if: steps.check-files.outputs.any_changed == 'true'
         uses: actions/github-script@v6
         with:
           script: |
@@ -33,6 +38,7 @@ jobs:
               issue_number: context.payload.pull_request.number,
               body: 'It looks like this PR modifies one or more `.asciidoc` files. These files are being migrated to Markdown, and any changes merged now will be lost. See the [migration guide](https://elastic.github.io/docs-builder/migration/freeze/index.html) for details.'
             })
+
       - name: Error if .asciidoc files changed
-        if: steps.check-files.outputs.asciidoc_changed == 'true'
+        if: steps.check-files.outputs.any_changed == 'true'
         run: exit 1
