From 48e5a74f215d78813a816c57fc5a85a909a003d5 Mon Sep 17 00:00:00 2001 From: Zettat123 Date: Mon, 26 Jun 2023 14:33:18 +0800 Subject: [PATCH] Support `pull_request_target` event (#25229) Fix #25088 This PR adds the support for [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) workflow trigger. `pull_request_target` is similar to `pull_request`, but the workflow triggered by the `pull_request_target` event runs in the context of the base branch of the pull request rather than the head branch. Since the workflow from the base is considered trusted, it can access the secrets and doesn't need approvals to run. --- models/actions/run.go | 13 +- models/migrations/migrations.go | 3 +- models/migrations/v1_21/v262.go | 16 +++ modules/actions/github.go | 38 +++--- modules/actions/github_test.go | 26 ++-- modules/actions/workflows.go | 20 ++- modules/actions/workflows_test.go | 22 ++-- routers/api/actions/runner/utils.go | 15 ++- services/actions/notifier_helper.go | 52 ++++++-- tests/integration/actions_trigger_test.go | 144 ++++++++++++++++++++++ 10 files changed, 286 insertions(+), 63 deletions(-) create mode 100644 models/migrations/v1_21/v262.go create mode 100644 tests/integration/actions_trigger_test.go diff --git a/models/actions/run.go b/models/actions/run.go index 0654809900c..7b62ff884f4 100644 --- a/models/actions/run.go +++ b/models/actions/run.go @@ -36,12 +36,13 @@ type ActionRun struct { TriggerUser *user_model.User `xorm:"-"` Ref string CommitSHA string - IsForkPullRequest bool // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow. - NeedApproval bool // may need approval if it's a fork pull request - ApprovedBy int64 `xorm:"index"` // who approved - Event webhook_module.HookEventType - EventPayload string `xorm:"LONGTEXT"` - Status Status `xorm:"index"` + IsForkPullRequest bool // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow. + NeedApproval bool // may need approval if it's a fork pull request + ApprovedBy int64 `xorm:"index"` // who approved + Event webhook_module.HookEventType // the webhook event that causes the workflow to run + EventPayload string `xorm:"LONGTEXT"` + TriggerEvent string // the trigger event defined in the `on` configuration of the triggered workflow + Status Status `xorm:"index"` Started timeutil.TimeStamp Stopped timeutil.TimeStamp Created timeutil.TimeStamp `xorm:"created"` diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index 1d443b3d152..30a0b6e7eb7 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -503,9 +503,10 @@ var migrations = []Migration{ // v260 -> v261 NewMigration("Drop custom_labels column of action_runner table", v1_21.DropCustomLabelsColumnOfActionRunner), - // v261 -> v262 NewMigration("Add variable table", v1_21.CreateVariableTable), + // v262 -> v263 + NewMigration("Add TriggerEvent to action_run table", v1_21.AddTriggerEventToActionRun), } // GetCurrentDBVersion returns the current db version diff --git a/models/migrations/v1_21/v262.go b/models/migrations/v1_21/v262.go new file mode 100644 index 00000000000..23e900572a2 --- /dev/null +++ b/models/migrations/v1_21/v262.go @@ -0,0 +1,16 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package v1_21 //nolint + +import ( + "xorm.io/xorm" +) + +func AddTriggerEventToActionRun(x *xorm.Engine) error { + type ActionRun struct { + TriggerEvent string + } + + return x.Sync(new(ActionRun)) +} diff --git a/modules/actions/github.go b/modules/actions/github.go index f3cb335da98..71f81a89034 100644 --- a/modules/actions/github.go +++ b/modules/actions/github.go @@ -8,33 +8,33 @@ import ( ) const ( - githubEventPullRequest = "pull_request" - githubEventPullRequestTarget = "pull_request_target" - githubEventPullRequestReviewComment = "pull_request_review_comment" - githubEventPullRequestReview = "pull_request_review" - githubEventRegistryPackage = "registry_package" - githubEventCreate = "create" - githubEventDelete = "delete" - githubEventFork = "fork" - githubEventPush = "push" - githubEventIssues = "issues" - githubEventIssueComment = "issue_comment" - githubEventRelease = "release" - githubEventPullRequestComment = "pull_request_comment" - githubEventGollum = "gollum" + GithubEventPullRequest = "pull_request" + GithubEventPullRequestTarget = "pull_request_target" + GithubEventPullRequestReviewComment = "pull_request_review_comment" + GithubEventPullRequestReview = "pull_request_review" + GithubEventRegistryPackage = "registry_package" + GithubEventCreate = "create" + GithubEventDelete = "delete" + GithubEventFork = "fork" + GithubEventPush = "push" + GithubEventIssues = "issues" + GithubEventIssueComment = "issue_comment" + GithubEventRelease = "release" + GithubEventPullRequestComment = "pull_request_comment" + GithubEventGollum = "gollum" ) // canGithubEventMatch check if the input Github event can match any Gitea event. func canGithubEventMatch(eventName string, triggedEvent webhook_module.HookEventType) bool { switch eventName { - case githubEventRegistryPackage: + case GithubEventRegistryPackage: return triggedEvent == webhook_module.HookEventPackage // See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#gollum - case githubEventGollum: + case GithubEventGollum: return triggedEvent == webhook_module.HookEventWiki - case githubEventIssues: + case GithubEventIssues: switch triggedEvent { case webhook_module.HookEventIssues, webhook_module.HookEventIssueAssign, @@ -46,7 +46,7 @@ func canGithubEventMatch(eventName string, triggedEvent webhook_module.HookEvent return false } - case githubEventPullRequest, githubEventPullRequestTarget: + case GithubEventPullRequest, GithubEventPullRequestTarget: switch triggedEvent { case webhook_module.HookEventPullRequest, webhook_module.HookEventPullRequestSync, @@ -58,7 +58,7 @@ func canGithubEventMatch(eventName string, triggedEvent webhook_module.HookEvent return false } - case githubEventPullRequestReview: + case GithubEventPullRequestReview: switch triggedEvent { case webhook_module.HookEventPullRequestReviewApproved, webhook_module.HookEventPullRequestReviewComment, diff --git a/modules/actions/github_test.go b/modules/actions/github_test.go index e7f4158ae2d..4bf55ae03fc 100644 --- a/modules/actions/github_test.go +++ b/modules/actions/github_test.go @@ -21,85 +21,85 @@ func TestCanGithubEventMatch(t *testing.T) { // registry_package event { "registry_package matches", - githubEventRegistryPackage, + GithubEventRegistryPackage, webhook_module.HookEventPackage, true, }, { "registry_package cannot match", - githubEventRegistryPackage, + GithubEventRegistryPackage, webhook_module.HookEventPush, false, }, // issues event { "issue matches", - githubEventIssues, + GithubEventIssues, webhook_module.HookEventIssueLabel, true, }, { "issue cannot match", - githubEventIssues, + GithubEventIssues, webhook_module.HookEventIssueComment, false, }, // issue_comment event { "issue_comment matches", - githubEventIssueComment, + GithubEventIssueComment, webhook_module.HookEventIssueComment, true, }, { "issue_comment cannot match", - githubEventIssueComment, + GithubEventIssueComment, webhook_module.HookEventIssues, false, }, // pull_request event { "pull_request matches", - githubEventPullRequest, + GithubEventPullRequest, webhook_module.HookEventPullRequestSync, true, }, { "pull_request cannot match", - githubEventPullRequest, + GithubEventPullRequest, webhook_module.HookEventPullRequestComment, false, }, // pull_request_target event { "pull_request_target matches", - githubEventPullRequest, + GithubEventPullRequest, webhook_module.HookEventPullRequest, true, }, { "pull_request_target cannot match", - githubEventPullRequest, + GithubEventPullRequest, webhook_module.HookEventPullRequestComment, false, }, // pull_request_review event { "pull_request_review matches", - githubEventPullRequestReview, + GithubEventPullRequestReview, webhook_module.HookEventPullRequestReviewComment, true, }, { "pull_request_review cannot match", - githubEventPullRequestReview, + GithubEventPullRequestReview, webhook_module.HookEventPullRequestComment, false, }, // other events { "create event", - githubEventCreate, + GithubEventCreate, webhook_module.HookEventCreate, true, }, diff --git a/modules/actions/workflows.go b/modules/actions/workflows.go index d9459288b18..3786f2a274c 100644 --- a/modules/actions/workflows.go +++ b/modules/actions/workflows.go @@ -20,6 +20,14 @@ import ( "gopkg.in/yaml.v3" ) +type DetectedWorkflow struct { + EntryName string + TriggerEvent string + Commit *git.Commit + Ref string + Content []byte +} + func init() { model.OnDecodeNodeError = func(node yaml.Node, out interface{}, err error) { // Log the error instead of panic or fatal. @@ -89,13 +97,13 @@ func GetEventsFromContent(content []byte) ([]*jobparser.Event, error) { return events, nil } -func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventType, payload api.Payloader) (map[string][]byte, error) { +func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventType, payload api.Payloader) ([]*DetectedWorkflow, error) { entries, err := ListWorkflows(commit) if err != nil { return nil, err } - workflows := make(map[string][]byte, len(entries)) + workflows := make([]*DetectedWorkflow, 0, len(entries)) for _, entry := range entries { content, err := GetContentFromEntry(entry) if err != nil { @@ -109,7 +117,13 @@ func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventTy for _, evt := range events { log.Trace("detect workflow %q for event %#v matching %q", entry.Name(), evt, triggedEvent) if detectMatched(commit, triggedEvent, payload, evt) { - workflows[entry.Name()] = content + dwf := &DetectedWorkflow{ + EntryName: entry.Name(), + TriggerEvent: evt.Name, + Commit: commit, + Content: content, + } + workflows = append(workflows, dwf) } } } diff --git a/modules/actions/workflows_test.go b/modules/actions/workflows_test.go index 6ef5d599422..2c374d2c0d0 100644 --- a/modules/actions/workflows_test.go +++ b/modules/actions/workflows_test.go @@ -23,77 +23,77 @@ func TestDetectMatched(t *testing.T) { expected bool }{ { - desc: "HookEventCreate(create) matches githubEventCreate(create)", + desc: "HookEventCreate(create) matches GithubEventCreate(create)", triggedEvent: webhook_module.HookEventCreate, payload: nil, yamlOn: "on: create", expected: true, }, { - desc: "HookEventIssues(issues) `opened` action matches githubEventIssues(issues)", + desc: "HookEventIssues(issues) `opened` action matches GithubEventIssues(issues)", triggedEvent: webhook_module.HookEventIssues, payload: &api.IssuePayload{Action: api.HookIssueOpened}, yamlOn: "on: issues", expected: true, }, { - desc: "HookEventIssues(issues) `milestoned` action matches githubEventIssues(issues)", + desc: "HookEventIssues(issues) `milestoned` action matches GithubEventIssues(issues)", triggedEvent: webhook_module.HookEventIssues, payload: &api.IssuePayload{Action: api.HookIssueMilestoned}, yamlOn: "on: issues", expected: true, }, { - desc: "HookEventPullRequestSync(pull_request_sync) matches githubEventPullRequest(pull_request)", + desc: "HookEventPullRequestSync(pull_request_sync) matches GithubEventPullRequest(pull_request)", triggedEvent: webhook_module.HookEventPullRequestSync, payload: &api.PullRequestPayload{Action: api.HookIssueSynchronized}, yamlOn: "on: pull_request", expected: true, }, { - desc: "HookEventPullRequest(pull_request) `label_updated` action doesn't match githubEventPullRequest(pull_request) with no activity type", + desc: "HookEventPullRequest(pull_request) `label_updated` action doesn't match GithubEventPullRequest(pull_request) with no activity type", triggedEvent: webhook_module.HookEventPullRequest, payload: &api.PullRequestPayload{Action: api.HookIssueLabelUpdated}, yamlOn: "on: pull_request", expected: false, }, { - desc: "HookEventPullRequest(pull_request) `label_updated` action matches githubEventPullRequest(pull_request) with `label` activity type", + desc: "HookEventPullRequest(pull_request) `label_updated` action matches GithubEventPullRequest(pull_request) with `label` activity type", triggedEvent: webhook_module.HookEventPullRequest, payload: &api.PullRequestPayload{Action: api.HookIssueLabelUpdated}, yamlOn: "on:\n pull_request:\n types: [labeled]", expected: true, }, { - desc: "HookEventPullRequestReviewComment(pull_request_review_comment) matches githubEventPullRequestReviewComment(pull_request_review_comment)", + desc: "HookEventPullRequestReviewComment(pull_request_review_comment) matches GithubEventPullRequestReviewComment(pull_request_review_comment)", triggedEvent: webhook_module.HookEventPullRequestReviewComment, payload: &api.PullRequestPayload{Action: api.HookIssueReviewed}, yamlOn: "on:\n pull_request_review_comment:\n types: [created]", expected: true, }, { - desc: "HookEventPullRequestReviewRejected(pull_request_review_rejected) doesn't match githubEventPullRequestReview(pull_request_review) with `dismissed` activity type (we don't support `dismissed` at present)", + desc: "HookEventPullRequestReviewRejected(pull_request_review_rejected) doesn't match GithubEventPullRequestReview(pull_request_review) with `dismissed` activity type (we don't support `dismissed` at present)", triggedEvent: webhook_module.HookEventPullRequestReviewRejected, payload: &api.PullRequestPayload{Action: api.HookIssueReviewed}, yamlOn: "on:\n pull_request_review:\n types: [dismissed]", expected: false, }, { - desc: "HookEventRelease(release) `published` action matches githubEventRelease(release) with `published` activity type", + desc: "HookEventRelease(release) `published` action matches GithubEventRelease(release) with `published` activity type", triggedEvent: webhook_module.HookEventRelease, payload: &api.ReleasePayload{Action: api.HookReleasePublished}, yamlOn: "on:\n release:\n types: [published]", expected: true, }, { - desc: "HookEventPackage(package) `created` action doesn't match githubEventRegistryPackage(registry_package) with `updated` activity type", + desc: "HookEventPackage(package) `created` action doesn't match GithubEventRegistryPackage(registry_package) with `updated` activity type", triggedEvent: webhook_module.HookEventPackage, payload: &api.PackagePayload{Action: api.HookPackageCreated}, yamlOn: "on:\n registry_package:\n types: [updated]", expected: false, }, { - desc: "HookEventWiki(wiki) matches githubEventGollum(gollum)", + desc: "HookEventWiki(wiki) matches GithubEventGollum(gollum)", triggedEvent: webhook_module.HookEventWiki, payload: nil, yamlOn: "on: gollum", diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go index cc9c06ab455..ab70f622b39 100644 --- a/routers/api/actions/runner/utils.go +++ b/routers/api/actions/runner/utils.go @@ -9,6 +9,7 @@ import ( actions_model "code.gitea.io/gitea/models/actions" secret_model "code.gitea.io/gitea/models/secret" + actions_module "code.gitea.io/gitea/modules/actions" "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/json" "code.gitea.io/gitea/modules/log" @@ -54,8 +55,10 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string { secrets := map[string]string{} - if task.Job.Run.IsForkPullRequest { + if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget { // ignore secrets for fork pull request + // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch + // see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target return secrets } @@ -116,6 +119,14 @@ func generateTaskContext(t *actions_model.ActionTask) *structpb.Struct { event := map[string]interface{}{} _ = json.Unmarshal([]byte(t.Job.Run.EventPayload), &event) + // TriggerEvent is added in https://github.com/go-gitea/gitea/pull/25229 + // This fallback is for the old ActionRun that doesn't have the TriggerEvent field + // and should be removed in 1.22 + eventName := t.Job.Run.TriggerEvent + if eventName == "" { + eventName = t.Job.Run.Event.Event() + } + baseRef := "" headRef := "" if pullPayload, err := t.Job.Run.GetPullRequestEventPayload(); err == nil && pullPayload.PullRequest != nil && pullPayload.PullRequest.Base != nil && pullPayload.PullRequest.Head != nil { @@ -137,7 +148,7 @@ func generateTaskContext(t *actions_model.ActionTask) *structpb.Struct { "base_ref": baseRef, // string, The base_ref or target branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either pull_request or pull_request_target. "env": "", // string, Path on the runner to the file that sets environment variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see "Workflow commands for GitHub Actions." "event": event, // object, The full event webhook payload. You can access individual properties of the event using this context. This object is identical to the webhook payload of the event that triggered the workflow run, and is different for each event. The webhooks for each GitHub Actions event is linked in "Events that trigger workflows." For example, for a workflow run triggered by the push event, this object contains the contents of the push webhook payload. - "event_name": t.Job.Run.Event.Event(), // string, The name of the event that triggered the workflow run. + "event_name": eventName, // string, The name of the event that triggered the workflow run. "event_path": "", // string, The path to the file on the runner that contains the full event webhook payload. "graphql_url": "", // string, The URL of the GitHub GraphQL API. "head_ref": headRef, // string, The head_ref or source branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either pull_request or pull_request_target. diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go index 69c23656f29..8e6cdcf680d 100644 --- a/services/actions/notifier_helper.go +++ b/services/actions/notifier_helper.go @@ -142,13 +142,46 @@ func notify(ctx context.Context, input *notifyInput) error { return fmt.Errorf("gitRepo.GetCommit: %w", err) } + var detectedWorkflows []*actions_module.DetectedWorkflow workflows, err := actions_module.DetectWorkflows(commit, input.Event, input.Payload) if err != nil { return fmt.Errorf("DetectWorkflows: %w", err) } - if len(workflows) == 0 { log.Trace("repo %s with commit %s couldn't find workflows", input.Repo.RepoPath(), commit.ID) + } else { + for _, wf := range workflows { + if wf.TriggerEvent != actions_module.GithubEventPullRequestTarget { + wf.Ref = ref + detectedWorkflows = append(detectedWorkflows, wf) + } + } + } + + if input.PullRequest != nil { + // detect pull_request_target workflows + baseRef := git.BranchPrefix + input.PullRequest.BaseBranch + baseCommit, err := gitRepo.GetCommit(baseRef) + if err != nil { + return fmt.Errorf("gitRepo.GetCommit: %w", err) + } + baseWorkflows, err := actions_module.DetectWorkflows(baseCommit, input.Event, input.Payload) + if err != nil { + return fmt.Errorf("DetectWorkflows: %w", err) + } + if len(baseWorkflows) == 0 { + log.Trace("repo %s with commit %s couldn't find pull_request_target workflows", input.Repo.RepoPath(), baseCommit.ID) + } else { + for _, wf := range baseWorkflows { + if wf.TriggerEvent == actions_module.GithubEventPullRequestTarget { + wf.Ref = baseRef + detectedWorkflows = append(detectedWorkflows, wf) + } + } + } + } + + if len(detectedWorkflows) == 0 { return nil } @@ -172,18 +205,19 @@ func notify(ctx context.Context, input *notifyInput) error { } } - for id, content := range workflows { + for _, dwf := range detectedWorkflows { run := &actions_model.ActionRun{ Title: strings.SplitN(commit.CommitMessage, "\n", 2)[0], RepoID: input.Repo.ID, OwnerID: input.Repo.OwnerID, - WorkflowID: id, + WorkflowID: dwf.EntryName, TriggerUserID: input.Doer.ID, - Ref: ref, - CommitSHA: commit.ID.String(), + Ref: dwf.Ref, + CommitSHA: dwf.Commit.ID.String(), IsForkPullRequest: isForkPullRequest, Event: input.Event, EventPayload: string(p), + TriggerEvent: dwf.TriggerEvent, Status: actions_model.StatusWaiting, } if need, err := ifNeedApproval(ctx, run, input.Repo, input.Doer); err != nil { @@ -193,7 +227,7 @@ func notify(ctx context.Context, input *notifyInput) error { run.NeedApproval = need } - jobs, err := jobparser.Parse(content) + jobs, err := jobparser.Parse(dwf.Content) if err != nil { log.Error("jobparser.Parse: %v", err) continue @@ -259,8 +293,10 @@ func notifyPackage(ctx context.Context, sender *user_model.User, pd *packages_mo } func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *repo_model.Repository, user *user_model.User) (bool, error) { - // don't need approval if it's not a fork PR - if !run.IsForkPullRequest { + // 1. don't need approval if it's not a fork PR + // 2. don't need approval if the event is `pull_request_target` since the workflow will run in the context of base branch + // see https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks + if !run.IsForkPullRequest || run.TriggerEvent == actions_module.GithubEventPullRequestTarget { return false, nil } diff --git a/tests/integration/actions_trigger_test.go b/tests/integration/actions_trigger_test.go new file mode 100644 index 00000000000..bbf7ad302e0 --- /dev/null +++ b/tests/integration/actions_trigger_test.go @@ -0,0 +1,144 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package integration + +import ( + "net/url" + "testing" + "time" + + actions_model "code.gitea.io/gitea/models/actions" + "code.gitea.io/gitea/models/db" + issues_model "code.gitea.io/gitea/models/issues" + repo_model "code.gitea.io/gitea/models/repo" + unit_model "code.gitea.io/gitea/models/unit" + "code.gitea.io/gitea/models/unittest" + user_model "code.gitea.io/gitea/models/user" + actions_module "code.gitea.io/gitea/modules/actions" + "code.gitea.io/gitea/modules/git" + repo_module "code.gitea.io/gitea/modules/repository" + pull_service "code.gitea.io/gitea/services/pull" + repo_service "code.gitea.io/gitea/services/repository" + files_service "code.gitea.io/gitea/services/repository/files" + + "github.com/stretchr/testify/assert" +) + +func TestPullRequestTargetEvent(t *testing.T) { + onGiteaRun(t, func(t *testing.T, u *url.URL) { + user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) // owner of the base repo + user3 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3}) // owner of the forked repo + + // create the base repo + baseRepo, err := repo_service.CreateRepository(db.DefaultContext, user2, user2, repo_module.CreateRepoOptions{ + Name: "repo-pull-request-target", + Description: "test pull-request-target event", + AutoInit: true, + Gitignores: "Go", + License: "MIT", + Readme: "Default", + DefaultBranch: "main", + IsPrivate: false, + }) + assert.NoError(t, err) + assert.NotEmpty(t, baseRepo) + + // enable actions + err = repo_model.UpdateRepositoryUnits(baseRepo, []repo_model.RepoUnit{{ + RepoID: baseRepo.ID, + Type: unit_model.TypeActions, + }}, nil) + assert.NoError(t, err) + + // create the forked repo + forkedRepo, err := repo_service.ForkRepository(git.DefaultContext, user2, user3, repo_service.ForkRepoOptions{ + BaseRepo: baseRepo, + Name: "forked-repo-pull-request-target", + Description: "test pull-request-target event", + }) + assert.NoError(t, err) + assert.NotEmpty(t, forkedRepo) + + // add workflow file to the base repo + addWorkflowToBaseResp, err := files_service.ChangeRepoFiles(git.DefaultContext, baseRepo, user2, &files_service.ChangeRepoFilesOptions{ + Files: []*files_service.ChangeRepoFile{ + { + Operation: "create", + TreePath: ".gitea/workflows/pr.yml", + Content: "name: test\non: pull_request_target\njobs:\n test:\n runs-on: ubuntu-latest\n steps:\n - run: echo helloworld\n", + }, + }, + Message: "add workflow", + OldBranch: "main", + NewBranch: "main", + Author: &files_service.IdentityOptions{ + Name: user2.Name, + Email: user2.Email, + }, + Committer: &files_service.IdentityOptions{ + Name: user2.Name, + Email: user2.Email, + }, + Dates: &files_service.CommitDateOptions{ + Author: time.Now(), + Committer: time.Now(), + }, + }) + assert.NoError(t, err) + assert.NotEmpty(t, addWorkflowToBaseResp) + + // add a new file to the forked repo + addFileToForkedResp, err := files_service.ChangeRepoFiles(git.DefaultContext, forkedRepo, user3, &files_service.ChangeRepoFilesOptions{ + Files: []*files_service.ChangeRepoFile{ + { + Operation: "create", + TreePath: "file_1.txt", + Content: "file1", + }, + }, + Message: "add file1", + OldBranch: "main", + NewBranch: "fork-branch-1", + Author: &files_service.IdentityOptions{ + Name: user3.Name, + Email: user3.Email, + }, + Committer: &files_service.IdentityOptions{ + Name: user3.Name, + Email: user3.Email, + }, + Dates: &files_service.CommitDateOptions{ + Author: time.Now(), + Committer: time.Now(), + }, + }) + assert.NoError(t, err) + assert.NotEmpty(t, addFileToForkedResp) + + // create Pull + pullIssue := &issues_model.Issue{ + RepoID: baseRepo.ID, + Title: "Test pull-request-target-event", + PosterID: user3.ID, + Poster: user3, + IsPull: true, + } + pullRequest := &issues_model.PullRequest{ + HeadRepoID: forkedRepo.ID, + BaseRepoID: baseRepo.ID, + HeadBranch: "fork-branch-1", + BaseBranch: "main", + HeadRepo: forkedRepo, + BaseRepo: baseRepo, + Type: issues_model.PullRequestGitea, + } + err = pull_service.NewPullRequest(git.DefaultContext, baseRepo, pullIssue, nil, nil, pullRequest, nil) + assert.NoError(t, err) + + // load and compare ActionRun + actionRun := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID}) + assert.Equal(t, addWorkflowToBaseResp.Commit.SHA, actionRun.CommitSHA) + assert.Equal(t, actions_module.GithubEventPullRequestTarget, actionRun.TriggerEvent) + }) +}