From 334a5305c30bfe0ce174a3227599365bad92b336 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Thu, 28 Sep 2023 18:20:16 +0200 Subject: [PATCH] user: actions: `on.pull_request_target` workflows are not moderated (cherry picked from commit 1f7a005627dba4741e735473894b4e21e55020cc) --- docs/user/actions.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/user/actions.md b/docs/user/actions.md index e64d4311..3dd98f59 100644 --- a/docs/user/actions.md +++ b/docs/user/actions.md @@ -188,16 +188,21 @@ A `workflow` can be disabled (or enabled) by selecting it and using the three do ![disabling a workflow](../_images/user/actions/actions-disable.png) -## Pull request actions are moderated +## Pull request workflows are moderated -The first time a user proposes a pull request, the task is blocked to reduce the security risks. +The first time a user proposes a pull request, the `on.pull_request` +workflows are blocked. ![blocked action](../_images/user/actions/action-blocked.png) -It can be approved by a maintainer of the project and there will be no need to unblock future pull requests. +They can be approved by a maintainer of the project and there will be +no need to unblock future pull requests. ![button to approve an action](../_images/user/actions/action-approve.png) +The `on.pull_request_target` workflows are not subject to the same +restriction and will always run. + ## Secrets A repository, a user or an organization can hold secrets, a set of key/value pairs that are stored encrypted in the `Forgejo` database and revealed to the `workflows` as `${{ secrets.KEY }}`. They can be defined from the web interface: