feat: warn on non-default checkout during pull_request_target

Signed-off-by: Kengo TODA <skypencil@gmail.com>
2026-05-23 01:55:54 +00:00 · 2026-05-13 08:32:55 +08:00 · 2026-05-13 08:32:55 +08:00 · 5a3004714a
commit 5a3004714a
parent 900f2210b1
5 changed files with 149 additions and 2 deletions
--- a/test/input-helper.test.ts
+++ b/test/input-helper.test.ts
@ -55,6 +55,15 @@ describe('input-helper tests', () => {
  beforeEach(() => {
    // Reset inputs
    inputs = {}
+    github.context.eventName = 'push'
+    github.context.ref = 'refs/heads/some-ref'
+    github.context.sha = '1234567890123456789012345678901234567890'
+    github.context.payload = {
+      repository: {
+        default_branch: 'main'
+      }
+    } as any
+    jest.clearAllMocks()
  })

  afterAll(() => {
@ -65,6 +74,8 @@ describe('input-helper tests', () => {
    }

    // Restore @actions/github context
+    github.context.eventName = originalContext.eventName
+    github.context.payload = originalContext.payload
    github.context.ref = originalContext.ref
    github.context.sha = originalContext.sha

@ -150,6 +161,75 @@ describe('input-helper tests', () => {
    expect(settings.commit).toBeFalsy()
  })

+  it('warns when pull_request_target checks out a non-default branch', async () => {
+    github.context.eventName = 'pull_request_target'
+    inputs.ref = 'some-other-ref'
+
+    await inputHelper.getInputs()
+
+    expect(core.warning).toHaveBeenCalledWith(
+      expect.stringContaining(
+        'Checking out a non-default branch from pull_request_target'
+      )
+    )
+  })
+
+  it('does not warn when pull_request_target checks out the default branch name', async () => {
+    github.context.eventName = 'pull_request_target'
+    inputs.ref = 'main'
+
+    await inputHelper.getInputs()
+
+    expect(core.warning).not.toHaveBeenCalled()
+  })
+
+  it('does not warn when pull_request_target checks out the fully qualified default branch', async () => {
+    github.context.eventName = 'pull_request_target'
+    inputs.ref = 'refs/heads/main'
+
+    await inputHelper.getInputs()
+
+    expect(core.warning).not.toHaveBeenCalled()
+  })
+
+  it('does not warn when pull_request_target checks out the default branch sha', async () => {
+    github.context.eventName = 'pull_request_target'
+    inputs.ref = '1234567890123456789012345678901234567890'
+
+    await inputHelper.getInputs()
+
+    expect(core.warning).not.toHaveBeenCalled()
+  })
+
+  it('does not warn when dangerously-checkout-non-default-branch suppresses the warning', async () => {
+    github.context.eventName = 'pull_request_target'
+    inputs.ref = 'some-other-ref'
+    inputs['dangerously-checkout-non-default-branch'] = 'true'
+
+    await inputHelper.getInputs()
+
+    expect(core.warning).not.toHaveBeenCalled()
+  })
+
+  it('does not warn when pull_request checks out a non-default branch', async () => {
+    github.context.eventName = 'pull_request'
+    inputs.ref = 'some-other-ref'
+
+    await inputHelper.getInputs()
+
+    expect(core.warning).not.toHaveBeenCalled()
+  })
+
+  it('does not warn when pull_request_target checks out a different repository', async () => {
+    github.context.eventName = 'pull_request_target'
+    inputs.repository = 'some-owner/some-other-repo'
+    inputs.ref = 'some-other-ref'
+
+    await inputHelper.getInputs()
+
+    expect(core.warning).not.toHaveBeenCalled()
+  })
+
  it('sets workflow organization ID', async () => {
    const settings: IGitSourceSettings = await inputHelper.getInputs()
    expect(settings.workflowOrganizationId).toBe(123456)