From 4616d36b7c7de6041f9cda2e225f0265fced1feb Mon Sep 17 00:00:00 2001
From: Baptiste Grenier
Date: Tue, 14 Jan 2025 12:32:32 +0100
Subject: [PATCH] chore: use pull_request_target to allow deleting previews from froks (#697)
Uses [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) to delete previews of PRs from forks.
See also https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
It grants write access using the GITHUB_TOKEN, but it is safe as:
- No code from the PR is built or executed
- The workflow file in use is the one from the base branch (main)
**Related issue :** Fix #696
---
 .github/workflows/delete_pr_preview.yml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/delete_pr_preview.yml b/.github/workflows/delete_pr_preview.yml
index ec436863bb..0790330cc4 100644
--- a/.github/workflows/delete_pr_preview.yml
+++ b/.github/workflows/delete_pr_preview.yml
@@ -2,21 +2,30 @@ name: Delete pull request preview
 on:
-  pull_request:
-    # Run when label is removed or pull request closed
-    types: [unlabeled, closed]
+  # XXX: Use pull_request_target to delete previews of PRs from fork
+  # It grants write access using the GITHUB_TOKEN, but it is safe as:
+  # - No code from the PR is built or executed
+  # - The worklfow file in use is the one from the base branch (main)
+  pull_request_target:
+    # Run for PR against main when label is removed or pull request closed
+    types:
+      - unlabeled
+      - closed
+    branches:
+      - main
 permissions: read-all
 jobs:
   delete_preview:
-    # Do not run on forks, and only if "safe for preview" label is set
+    # XXX: Do not run at forks, and only if "safe for preview" label is set
     if: >
       github.repository == 'EGI-Federation/documentation' && ((github.event.action == 'unlabeled' && github.event.label.name == 'safe for preview') || (github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'safe for preview')))
     name: Delete PR preview when a PR is closed or label removed
+    # Ensure GITHUB_TOKEN can be usd to write to the repository content
     permissions:
       contents: write
     runs-on: ubuntu-latest
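Review bot: The new job comment `# XXX: Do not run at forks, and only if "safe for preview" label is set` now contradicts the commit's purpose: under `pull_request_target` the `github.repository == 'EGI-Federation/documentation'` check only stops forks of this repository from running the job on their own PRs, while PRs from forks into this repository do pass it, which is the intent. Suggest `# Only run in the upstream repository (forks of this repo must not delete previews), and only when the "safe for preview" label is removed or a labelled PR is closed`. The safety argument in the header comment holds only if the steps, which begin after `runs-on: ubuntu-latest` outside this hunk, never check out or execute PR-controlled content and never interpolate PR-controlled fields such as `github.event.pull_request.head.ref` or the PR title directly into `run:`, since with `contents: write` that would be a script-injection path into the base repository. Deriving the preview path from `github.event.pull_request.number` and passing any other PR-sourced value through `env:` keeps that property; the typos `worklfow` and `usd` in the added comments should also be fixed.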