chore: active le déploiement sur les PR de fork

2025-01-10 17:45:42 +01:00 · 2025-01-10 17:45:42 +01:00 · 56f11963d2
parent 541a695e36
commit 56f11963d2
1 changed files with 22 additions and 3 deletions
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@ -1,9 +1,9 @@
 name: Déploiement
 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize]
  push:
-    branches: [master, demo, next]
+    branches: [master]

  # We display the release notes in the "news" section of mon-entreprise.urssaf.fr so
  # we want to re-deploy the site when a new release is published or edited on
@ -142,7 +142,26 @@ jobs:
      matrix:
        site: ['', 'en']
    steps:
-      - uses: actions/checkout@v3
+      # https://michaelheap.com/access-secrets-from-forks/
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{  github.event.pull_request.head.sha }} # This is dangerous without the first access check
      - uses: actions/download-artifact@v3
        with:
          name: static-site