Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

workflows/check-by-name: Make runnable without approval

Co-Authored-By: zowoq <59103226+zowoq@users.noreply.github.com>
(cherry picked from commit 437d00dde346bdd596ffe2686ec4ba67e01fde65)

Changed files
+9 -4
.github/workflows/check-by-name.yml
··· 3 3 name: Check pkgs/by-name 4 4 5 5 # The pre-built tool is fetched from a channel, 6 - # making it work predictable on all PRs 7 - on: pull_request 6 + # making it work predictable on all PRs. 7 + on: 8 + # Using pull_request_target instead of pull_request avoids having to approve first time contributors 9 + pull_request_target 8 10 9 11 # The tool doesn't need any permissions, it only outputs success or not based on the checkout 10 12 permissions: {} ··· 15 17 # as specified in nixos/release-combined.nix 16 18 runs-on: ubuntu-latest 17 19 steps: 18 - - uses: actions/checkout@v3 19 - - uses: cachix/install-nix-action@v22 20 + - uses: actions/checkout@v4 21 + with: 22 + # pull_request_target checks out the base branch by default 23 + ref: refs/pull/${{ github.event.pull_request.number }}/merge 24 + - uses: cachix/install-nix-action@v23 20 25 - name: Determining channel to use for dependencies 21 26 run: | 22 27 echo "Determining which channel to use for PR base branch $GITHUB_BASE_REF"
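Review bot: the new comment above `pull_request_target` in the first hunk explains the convenience (no approval for first-time contributors) but not the condition that makes the trigger safe. `pull_request_target` runs in the context of the base repository rather than the fork, so this workflow is only harmless for untrusted PRs while `permissions: {}` stays empty and no secrets are referenced. Suggest extending the comment to say so, for example "safe only because permissions is empty and no secrets are used; revisit the trigger before adding either", so a later edit does not quietly widen what a PR can reach.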
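Review bot: the `ref: refs/pull/${{ github.event.pull_request.number }}/merge` checkout in the second hunk brings contributor-controlled files into a job started by `pull_request_target`, and actions/checkout keeps the job token in the local git config by default. The token carries no permissions here because of `permissions: {}`, but adding `persist-credentials: false` under `with:` would stop that from depending on a single line elsewhere in the file. A comment would also help, stating that the following steps must only read the checkout as data and never run scripts from it, and that the merge ref is not refreshed while the PR has conflicts, so in that state the job can fail or check a stale merge commit.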