Description
Currently almost all the gh actions / workflows are run on the push event. So if I open a PR from a feature branch that exists on the upstream repo, the checks will appear on the PR, because they were run during the push into that feature branch. However, if anyone opens a pull request from their own fork, the checks are not there.
We can't assume the contributors will create their feature branches on our repo (b/c of the rights hell); instead we should run all our checks against all the PRs.
To my knowledge there aren't any security implications here: there are no secrets in the repo or gh metadata, if I am not mistaken, and if one opens a pull request w/ a change to the workflow itself, say providing a docker image that will mine some shitcoin, these actions that appear in the new PR should not be run before actually merging it (or at least that's how Travis worked and hopefully it's not wishful thinking :D)
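A workflow that would run the checks on fork PRs as the issue asks, written as an added example and not taken from this repository. The branch name `main`, the workflow and job names, and the `make test` step are assumptions.

```yaml
# Added example, not the project's own workflow file.
name: checks

on:
  # Run on pushes to the default branch only, so a PR opened from an
  # upstream feature branch does not get every check twice.
  push:
    branches: [main]          # assumed default branch name
  # Run on every pull request, including those opened from forks.
  # For fork PRs GitHub runs this event with a read-only GITHUB_TOKEN
  # and does not expose repository secrets to the job.
  pull_request:
  # Deliberately NOT pull_request_target: that event runs in the context
  # of the base repository, with its secrets and a writable token.

# Least privilege for every job, whatever event triggered it.
permissions:
  contents: read

# Cancel a superseded run when new commits are pushed to the same ref.
concurrency:
  group: checks-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:                       # hypothetical job name
    runs-on: ubuntu-latest
    timeout-minutes: 15       # bounds runner time a PR can consume
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false
      - name: Run checks
        run: make test        # placeholder for the project's real checks
```

Whether a fork PR's run starts automatically or waits for a maintainer is controlled by the repository's Actions setting for approving workflow runs from outside contributors.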