chore(ci): run tech debt burndown on forks (stenciljs#3552)

rwaskiewicz · web-flow · commit 8ddb48902ea0 · 2022-08-25T15:07:29.000-04:00
this commit changes the event type on the tech debt burndown list. the pull_request event does not offer the ability run the 'peter-evans/create-or-update-comment' step (see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#restrictions-on-repository-forks) for security reasons. in this commit, we use 'pull_request_target' in an attempt to fix that. however, this affects what branch is used from in ci from the branch that the pr was opened with (pull_request), to the `HEAD` of `main` (pull_request_target). as a result, `actions/checkout` steps must be modified in order to account for the difference in branch
diff --git a/.github/workflows/tech-debt-burndown.yml b/.github/workflows/tech-debt-burndown.yml
@@ -7,7 +7,7 @@ name: Tech Debt Burndown
 # progress on them to each PR.
 
 on:
-  pull_request:
+  pull_request_target:
     branches:
       - '**'
 
@@ -27,6 +27,11 @@ jobs:
 
       - name: Checkout PR branch
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+        with:
+          # the pull_request_target event will consider the HEAD of `main` to be the SHA to use.
+          # attempt to use the SHA associated with a pull request and fallback to HEAD of `main`
+          ref: ${{ github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number) || '' }}
+          persist-credentials: false
         if: ${{ matrix.branch == 'pr' }}
 
       - name: Get Core Dependencies
@@ -60,6 +65,11 @@ jobs:
 
       - name: Checkout PR branch
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+        with:
+          # the pull_request_target event will consider the HEAD of `main` to be the SHA to use.
+          # attempt to use the SHA associated with a pull request and fallback to HEAD of `main`
+          ref: ${{ github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number) || '' }}
+          persist-credentials: false
         if: ${{ matrix.branch == 'pr' }}
 
       - name: Install ts-prune
@@ -81,6 +91,11 @@ jobs:
     steps:
       - name: Checkout current branch
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+        with:
+          # the pull_request_target event will consider the HEAD of `main` to be the SHA to use.
+          # attempt to use the SHA associated with a pull request and fallback to HEAD of `main`
+          ref: ${{ github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number) || '' }}
+          persist-credentials: false
 
       - name: Get Core Dependencies
         uses: ./.github/workflows/actions/get-core-dependencies
