Optimize comment-on-asciidoc-changes.yml #367
Conversation
| fetch-depth: 0 # This is important to fetch all history | ||
| # This is considered a security risk when used in conjunction with pull_request_target | ||
| # However, we are not running any code from the PR, so it's safe | ||
| ref: ${{ github.event.pull_request.head.sha }} |
There was a problem hiding this comment.
Maybe add a link on why its a security risk: https://github.com/actions/checkout?tab=readme-ov-file#usage does not mention this :)
fetch-depth: 1 is suppose to work to according to the changed-files github actions docs?
There was a problem hiding this comment.
| ref: ${{ github.event.pull_request.head.sha }} | |
| # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ | |
| ref: ${{ github.event.pull_request.head.sha }} |
There was a problem hiding this comment.
fetch-depth: 1 is suppose to work to according to the changed-files github actions docs?
Yes, the examples in https://github.com/tj-actions/changed-files for pull_request always show the checkout action without any additional inputs.
And as stated in the usage, it's only necessary for the push event trigger.
There was a problem hiding this comment.
I was able to test it here: https://github.com/elastic/docs-eng-playground/pull/17
Context
The current script relies on
fetch-depth: 0. This causes a checkout time of ~5 minutes on kibana PRs.Changes
fetch-depth: 0is only needed for thepushevent and thus not needed for thepull_request_event