Support pull_request_target event (#25229)

Fix #25088

This PR adds the support for
[`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target)
workflow trigger. `pull_request_target` is similar to `pull_request`,
but the workflow triggered by the `pull_request_target` event runs in
the context of the base branch of the pull request rather than the head
branch. Since the workflow from the base is considered trusted, it can
access the secrets and doesn't need approvals to run.

Author: Zettat123

models/actions/run.go

@@ -36,12 +36,13 @@ type ActionRun struct {
 	TriggerUser       *user_model.User       `xorm:"-"`
 	Ref               string
 	CommitSHA         string
-	IsForkPullRequest bool  // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
-	NeedApproval      bool  // may need approval if it's a fork pull request
-	ApprovedBy        int64 `xorm:"index"` // who approved
-	Event             webhook_module.HookEventType
-	EventPayload      string `xorm:"LONGTEXT"`
-	Status            Status `xorm:"index"`
+	IsForkPullRequest bool                         // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
+	NeedApproval      bool                         // may need approval if it's a fork pull request
+	ApprovedBy        int64                        `xorm:"index"` // who approved
+	Event             webhook_module.HookEventType // the webhook event that causes the workflow to run
+	EventPayload      string                       `xorm:"LONGTEXT"`
+	TriggerEvent      string                       // the trigger event defined in the `on` configuration of the triggered workflow
+	Status            Status                       `xorm:"index"`
 	Started           timeutil.TimeStamp
 	Stopped           timeutil.TimeStamp
 	Created           timeutil.TimeStamp `xorm:"created"`

models/migrations/migrations.go

@@ -503,9 +503,10 @@ var migrations = []Migration{
 
 	// v260 -> v261
 	NewMigration("Drop custom_labels column of action_runner table", v1_21.DropCustomLabelsColumnOfActionRunner),
-
 	// v261 -> v262
 	NewMigration("Add variable table", v1_21.CreateVariableTable),
+	// v262 -> v263
+	NewMigration("Add TriggerEvent to action_run table", v1_21.AddTriggerEventToActionRun),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v1_21/v262.go

@@ -0,0 +1,16 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_21 //nolint
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddTriggerEventToActionRun(x *xorm.Engine) error {
+	type ActionRun struct {
+		TriggerEvent string
+	}
+
+	return x.Sync(new(ActionRun))
+}

modules/actions/github.go

@@ -8,33 +8,33 @@ import (
 )
 
 const (
-	githubEventPullRequest              = "pull_request"
-	githubEventPullRequestTarget        = "pull_request_target"
-	githubEventPullRequestReviewComment = "pull_request_review_comment"
-	githubEventPullRequestReview        = "pull_request_review"
-	githubEventRegistryPackage          = "registry_package"
-	githubEventCreate                   = "create"
-	githubEventDelete                   = "delete"
-	githubEventFork                     = "fork"
-	githubEventPush                     = "push"
-	githubEventIssues                   = "issues"
-	githubEventIssueComment             = "issue_comment"
-	githubEventRelease                  = "release"
-	githubEventPullRequestComment       = "pull_request_comment"
-	githubEventGollum                   = "gollum"
+	GithubEventPullRequest              = "pull_request"
+	GithubEventPullRequestTarget        = "pull_request_target"
+	GithubEventPullRequestReviewComment = "pull_request_review_comment"
+	GithubEventPullRequestReview        = "pull_request_review"
+	GithubEventRegistryPackage          = "registry_package"
+	GithubEventCreate                   = "create"
+	GithubEventDelete                   = "delete"
+	GithubEventFork                     = "fork"
+	GithubEventPush                     = "push"
+	GithubEventIssues                   = "issues"
+	GithubEventIssueComment             = "issue_comment"
+	GithubEventRelease                  = "release"
+	GithubEventPullRequestComment       = "pull_request_comment"
+	GithubEventGollum                   = "gollum"
 )
 
 // canGithubEventMatch check if the input Github event can match any Gitea event.
 func canGithubEventMatch(eventName string, triggedEvent webhook_module.HookEventType) bool {
 	switch eventName {
-	case githubEventRegistryPackage:
+	case GithubEventRegistryPackage:
 		return triggedEvent == webhook_module.HookEventPackage
 
 	// See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#gollum
-	case githubEventGollum:
+	case GithubEventGollum:
 		return triggedEvent == webhook_module.HookEventWiki
 
-	case githubEventIssues:
+	case GithubEventIssues:
 		switch triggedEvent {
 		case webhook_module.HookEventIssues,
 			webhook_module.HookEventIssueAssign,
@@ -46,7 +46,7 @@ func canGithubEventMatch(eventName string, triggedEvent webhook_module.HookEvent
 			return false
 		}
 
-	case githubEventPullRequest, githubEventPullRequestTarget:
+	case GithubEventPullRequest, GithubEventPullRequestTarget:
 		switch triggedEvent {
 		case webhook_module.HookEventPullRequest,
 			webhook_module.HookEventPullRequestSync,
@@ -58,7 +58,7 @@ func canGithubEventMatch(eventName string, triggedEvent webhook_module.HookEvent
 			return false
 		}
 
-	case githubEventPullRequestReview:
+	case GithubEventPullRequestReview:
 		switch triggedEvent {
 		case webhook_module.HookEventPullRequestReviewApproved,
 			webhook_module.HookEventPullRequestReviewComment,

modules/actions/github_test.go

@@ -21,85 +21,85 @@ func TestCanGithubEventMatch(t *testing.T) {
 		// registry_package event
 		{
 			"registry_package matches",
-			githubEventRegistryPackage,
+			GithubEventRegistryPackage,
 			webhook_module.HookEventPackage,
 			true,
 		},
 		{
 			"registry_package cannot match",
-			githubEventRegistryPackage,
+			GithubEventRegistryPackage,
 			webhook_module.HookEventPush,
 			false,
 		},
 		// issues event
 		{
 			"issue matches",
-			githubEventIssues,
+			GithubEventIssues,
 			webhook_module.HookEventIssueLabel,
 			true,
 		},
 		{
 			"issue cannot match",
-			githubEventIssues,
+			GithubEventIssues,
 			webhook_module.HookEventIssueComment,
 			false,
 		},
 		// issue_comment event
 		{
 			"issue_comment matches",
-			githubEventIssueComment,
+			GithubEventIssueComment,
 			webhook_module.HookEventIssueComment,
 			true,
 		},
 		{
 			"issue_comment cannot match",
-			githubEventIssueComment,
+			GithubEventIssueComment,
 			webhook_module.HookEventIssues,
 			false,
 		},
 		// pull_request event
 		{
 			"pull_request matches",
-			githubEventPullRequest,
+			GithubEventPullRequest,
 			webhook_module.HookEventPullRequestSync,
 			true,
 		},
 		{
 			"pull_request cannot match",
-			githubEventPullRequest,
+			GithubEventPullRequest,
 			webhook_module.HookEventPullRequestComment,
 			false,
 		},
 		// pull_request_target event
 		{
 			"pull_request_target matches",
-			githubEventPullRequest,
+			GithubEventPullRequest,
 			webhook_module.HookEventPullRequest,
 			true,
 		},
 		{
 			"pull_request_target cannot match",
-			githubEventPullRequest,
+			GithubEventPullRequest,
 			webhook_module.HookEventPullRequestComment,
 			false,
 		},
 		// pull_request_review event
 		{
 			"pull_request_review matches",
-			githubEventPullRequestReview,
+			GithubEventPullRequestReview,
 			webhook_module.HookEventPullRequestReviewComment,
 			true,
 		},
 		{
 			"pull_request_review cannot match",
-			githubEventPullRequestReview,
+			GithubEventPullRequestReview,
 			webhook_module.HookEventPullRequestComment,
 			false,
 		},
 		// other events
 		{
 			"create event",
-			githubEventCreate,
+			GithubEventCreate,
 			webhook_module.HookEventCreate,
 			true,
 		},

modules/actions/workflows.go

@@ -20,6 +20,14 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
+type DetectedWorkflow struct {
+	EntryName    string
+	TriggerEvent string
+	Commit       *git.Commit
+	Ref          string
+	Content      []byte
+}
+
 func init() {
 	model.OnDecodeNodeError = func(node yaml.Node, out interface{}, err error) {
 		// Log the error instead of panic or fatal.
@@ -89,13 +97,13 @@ func GetEventsFromContent(content []byte) ([]*jobparser.Event, error) {
 	return events, nil
 }
 
-func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventType, payload api.Payloader) (map[string][]byte, error) {
+func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventType, payload api.Payloader) ([]*DetectedWorkflow, error) {
 	entries, err := ListWorkflows(commit)
 	if err != nil {
 		return nil, err
 	}
 
-	workflows := make(map[string][]byte, len(entries))
+	workflows := make([]*DetectedWorkflow, 0, len(entries))
 	for _, entry := range entries {
 		content, err := GetContentFromEntry(entry)
 		if err != nil {
@@ -109,7 +117,13 @@ func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventTy
 		for _, evt := range events {
 			log.Trace("detect workflow %q for event %#v matching %q", entry.Name(), evt, triggedEvent)
 			if detectMatched(commit, triggedEvent, payload, evt) {
-				workflows[entry.Name()] = content
+				dwf := &DetectedWorkflow{
+					EntryName:    entry.Name(),
+					TriggerEvent: evt.Name,
+					Commit:       commit,
+					Content:      content,
+				}
+				workflows = append(workflows, dwf)
 			}
 		}
 	}

modules/actions/workflows_test.go

@@ -23,77 +23,77 @@ func TestDetectMatched(t *testing.T) {
 		expected     bool
 	}{
 		{
-			desc:         "HookEventCreate(create) matches githubEventCreate(create)",
+			desc:         "HookEventCreate(create) matches GithubEventCreate(create)",
 			triggedEvent: webhook_module.HookEventCreate,
 			payload:      nil,
 			yamlOn:       "on: create",
 			expected:     true,
 		},
 		{
-			desc:         "HookEventIssues(issues) `opened` action matches githubEventIssues(issues)",
+			desc:         "HookEventIssues(issues) `opened` action matches GithubEventIssues(issues)",
 			triggedEvent: webhook_module.HookEventIssues,
 			payload:      &api.IssuePayload{Action: api.HookIssueOpened},
 			yamlOn:       "on: issues",
 			expected:     true,
 		},
 		{
-			desc:         "HookEventIssues(issues) `milestoned` action matches githubEventIssues(issues)",
+			desc:         "HookEventIssues(issues) `milestoned` action matches GithubEventIssues(issues)",
 			triggedEvent: webhook_module.HookEventIssues,
 			payload:      &api.IssuePayload{Action: api.HookIssueMilestoned},
 			yamlOn:       "on: issues",
 			expected:     true,
 		},
 		{
-			desc:         "HookEventPullRequestSync(pull_request_sync) matches githubEventPullRequest(pull_request)",
+			desc:         "HookEventPullRequestSync(pull_request_sync) matches GithubEventPullRequest(pull_request)",
 			triggedEvent: webhook_module.HookEventPullRequestSync,
 			payload:      &api.PullRequestPayload{Action: api.HookIssueSynchronized},
 			yamlOn:       "on: pull_request",
 			expected:     true,
 		},
 		{
-			desc:         "HookEventPullRequest(pull_request) `label_updated` action doesn't match githubEventPullRequest(pull_request) with no activity type",
+			desc:         "HookEventPullRequest(pull_request) `label_updated` action doesn't match GithubEventPullRequest(pull_request) with no activity type",
 			triggedEvent: webhook_module.HookEventPullRequest,
 			payload:      &api.PullRequestPayload{Action: api.HookIssueLabelUpdated},
 			yamlOn:       "on: pull_request",
 			expected:     false,
 		},
 		{
-			desc:         "HookEventPullRequest(pull_request) `label_updated` action matches githubEventPullRequest(pull_request) with `label` activity type",
+			desc:         "HookEventPullRequest(pull_request) `label_updated` action matches GithubEventPullRequest(pull_request) with `label` activity type",
 			triggedEvent: webhook_module.HookEventPullRequest,
 			payload:      &api.PullRequestPayload{Action: api.HookIssueLabelUpdated},
 			yamlOn:       "on:\n  pull_request:\n    types: [labeled]",
 			expected:     true,
 		},
 		{
-			desc:         "HookEventPullRequestReviewComment(pull_request_review_comment) matches githubEventPullRequestReviewComment(pull_request_review_comment)",
+			desc:         "HookEventPullRequestReviewComment(pull_request_review_comment) matches GithubEventPullRequestReviewComment(pull_request_review_comment)",
 			triggedEvent: webhook_module.HookEventPullRequestReviewComment,
 			payload:      &api.PullRequestPayload{Action: api.HookIssueReviewed},
 			yamlOn:       "on:\n  pull_request_review_comment:\n    types: [created]",
 			expected:     true,
 		},
 		{
-			desc:         "HookEventPullRequestReviewRejected(pull_request_review_rejected) doesn't match githubEventPullRequestReview(pull_request_review) with `dismissed` activity type (we don't support `dismissed` at present)",
+			desc:         "HookEventPullRequestReviewRejected(pull_request_review_rejected) doesn't match GithubEventPullRequestReview(pull_request_review) with `dismissed` activity type (we don't support `dismissed` at present)",
 			triggedEvent: webhook_module.HookEventPullRequestReviewRejected,
 			payload:      &api.PullRequestPayload{Action: api.HookIssueReviewed},
 			yamlOn:       "on:\n  pull_request_review:\n    types: [dismissed]",
 			expected:     false,
 		},
 		{
-			desc:         "HookEventRelease(release) `published` action matches githubEventRelease(release) with `published` activity type",
+			desc:         "HookEventRelease(release) `published` action matches GithubEventRelease(release) with `published` activity type",
 			triggedEvent: webhook_module.HookEventRelease,
 			payload:      &api.ReleasePayload{Action: api.HookReleasePublished},
 			yamlOn:       "on:\n  release:\n    types: [published]",
 			expected:     true,
 		},
 		{
-			desc:         "HookEventPackage(package) `created` action doesn't match githubEventRegistryPackage(registry_package) with `updated` activity type",
+			desc:         "HookEventPackage(package) `created` action doesn't match GithubEventRegistryPackage(registry_package) with `updated` activity type",
 			triggedEvent: webhook_module.HookEventPackage,
 			payload:      &api.PackagePayload{Action: api.HookPackageCreated},
 			yamlOn:       "on:\n  registry_package:\n    types: [updated]",
 			expected:     false,
 		},
 		{
-			desc:         "HookEventWiki(wiki) matches githubEventGollum(gollum)",
+			desc:         "HookEventWiki(wiki) matches GithubEventGollum(gollum)",
 			triggedEvent: webhook_module.HookEventWiki,
 			payload:      nil,
 			yamlOn:       "on: gollum",

routers/api/actions/runner/utils.go

@@ -9,6 +9,7 @@ import (
 
 	actions_model "code.gitea.io/gitea/models/actions"
 	secret_model "code.gitea.io/gitea/models/secret"
+	actions_module "code.gitea.io/gitea/modules/actions"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
@@ -54,8 +55,10 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 
 func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
 	secrets := map[string]string{}
-	if task.Job.Run.IsForkPullRequest {
+	if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
 		// ignore secrets for fork pull request
+		// for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
+		// see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
 		return secrets
 	}
 
@@ -116,6 +119,14 @@ func generateTaskContext(t *actions_model.ActionTask) *structpb.Struct {
 	event := map[string]interface{}{}
 	_ = json.Unmarshal([]byte(t.Job.Run.EventPayload), &event)
 
+	// TriggerEvent is added in https://github.com/go-gitea/gitea/pull/25229
+	// This fallback is for the old ActionRun that doesn't have the TriggerEvent field
+	// and should be removed in 1.22
+	eventName := t.Job.Run.TriggerEvent
+	if eventName == "" {
+		eventName = t.Job.Run.Event.Event()
+	}
+
 	baseRef := ""
 	headRef := ""
 	if pullPayload, err := t.Job.Run.GetPullRequestEventPayload(); err == nil && pullPayload.PullRequest != nil && pullPayload.PullRequest.Base != nil && pullPayload.PullRequest.Head != nil {
@@ -137,7 +148,7 @@ func generateTaskContext(t *actions_model.ActionTask) *structpb.Struct {
 		"base_ref":          baseRef,                                              // string, The base_ref or target branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either pull_request or pull_request_target.
 		"env":               "",                                                   // string, Path on the runner to the file that sets environment variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see "Workflow commands for GitHub Actions."
 		"event":             event,                                                // object, The full event webhook payload. You can access individual properties of the event using this context. This object is identical to the webhook payload of the event that triggered the workflow run, and is different for each event. The webhooks for each GitHub Actions event is linked in "Events that trigger workflows." For example, for a workflow run triggered by the push event, this object contains the contents of the push webhook payload.
-		"event_name":        t.Job.Run.Event.Event(),                              // string, The name of the event that triggered the workflow run.
+		"event_name":        eventName,                                            // string, The name of the event that triggered the workflow run.
 		"event_path":        "",                                                   // string, The path to the file on the runner that contains the full event webhook payload.
 		"graphql_url":       "",                                                   // string, The URL of the GitHub GraphQL API.
 		"head_ref":          headRef,                                              // string, The head_ref or source branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either pull_request or pull_request_target.