From dce6af9d24ac5a40cd1aa8feb165e6281780cc08 Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Mon, 1 Sep 2025 13:39:30 +0000
Subject: [PATCH] fix: pull_request_target events can share the cache of the repository (#927)
This is a regression introduced in v10.0.0 by which a pull_request_target event would fail because it attemps to set an isolation key, as if it was a pull request originating from a fork.
- bug fixes
- [PR](https://code.forgejo.org/forgejo/runner/pulls/927): fix: pull_request_target events can share the cache of the repository
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/927
Reviewed-by: Mathieu Fenniak
Reviewed-by: Michael Kriese
Co-authored-by: Earl Warren
Co-committed-by: Earl Warren
---
 internal/app/run/runner.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/app/run/runner.go b/internal/app/run/runner.go
index 86cddd1a..08682d1f 100644
--- a/internal/app/run/runner.go
+++ b/internal/app/run/runner.go
@@ -272,7 +272,7 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 // future runs of the PR's workflows and won't be shared with other pull requests or actions. This is a security
 // measure to prevent a malicious pull request from poisoning the cache with secret-stealing code which would
 // later be executed on another action.
- if taskContext["event_name"].GetStringValue() == "pull_request" || taskContext["event_name"].GetStringValue() == "pull_request_target" {
+ if taskContext["event_name"].GetStringValue() == "pull_request" {
 // Ensure that `Ref` has the expected format so that we don't end up with a useless write isolation key
 if !strings.HasPrefix(preset.Ref, "refs/pull/") {
 return fmt.Errorf("write isolation key: expected preset.Ref to be refs/pull/..., but was %q", preset.Ref)
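Review bot: The narrowed condition `== "pull_request"` leaves `pull_request_target` with unisolated writes to the repository cache, but the security comment above it still only explains why pull requests are isolated, so this trust decision is undocumented. I would extend that comment with something like `// pull_request_target is deliberately not isolated: it is treated as trusted and shares the repository cache, so a workflow that builds the PR head under this event can write to that shared cache.` (presumably that is the intended model; please confirm). The diffstat shows only runner.go changing, so a test pinning both cases (`pull_request` gets a write isolation key, `pull_request_target` does not and no longer fails on `preset.Ref`) would keep this boundary from regressing again. The body of `run` starts and ends outside the hunk, so how the key is consumed afterwards is not visible here.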