Fixes the pull_request_target usage to avoid the secret leak issue. (#193)

sighingnow · web-flow · commit fb8b27ed0ee1 · 2023-06-28T09:50:41.000+08:00
Signed-off-by: Tao He &lt;sighingnow@gmail.com&gt;
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -18,7 +18,7 @@ on:
   push:
     branches:
       - main
-  pull_request_target:
+  pull_request:
     branches:
       - main
       - docs
@@ -38,13 +38,13 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v3
         with:
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          ref: ${{github.event.pull_request.head.ref}}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
           submodules: true
           fetch-depth: 0
 
       - name: Leave the comment on pull request when started
-        if: ${{ github.event_name == 'pull_request_target' }}
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'alibaba/GraphAr' }}
         uses: actions-cool/maintain-one-comment@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -71,15 +71,15 @@ jobs:
           popd
 
       - name: Preview using surge
-        if: ${{ github.event_name == 'pull_request_target' && github.repository == 'alibaba/GraphAr' }}
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'alibaba/GraphAr' && github.repository == 'alibaba/GraphAr' }}
         run: |
           npm install -g surge
           surge ./docs/_build/html \
                 alibaba-graphar-build-pr-${{ github.event.number }}.surge.sh \
                 --token ${{ secrets.SURGE_TOKEN }}
 
       - name: Leave the comment on pull request when succeed
-        if: ${{ github.event_name == 'pull_request_target' }}
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'alibaba/GraphAr' }}
         uses: actions-cool/maintain-one-comment@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -94,7 +94,7 @@ jobs:
           body-include: '<!-- Sticky Pull Request Comment: Surge Preview build -->'
 
       - name: Leave the comment on pull request when failed
-        if: ${{ failure() && github.event_name == 'pull_request_target' }}
+        if: ${{ failure() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'alibaba/GraphAr' }}
         uses: actions-cool/maintain-one-comment@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
