Switch to pull_request_target and set permissions explicitly

microsoft · Feb 11, 2025 · 2d98bdd · 2d98bdd
1 parent c98cc91
commit 2d98bdd
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,7 +1,7 @@
 name: CI
 on:
   - push
-  - pull_request
+  - pull_request_target
 
 env:
   GO_BUILD_CMD: 'go build "-ldflags=-s -w" -trimpath'
@@ -19,7 +19,6 @@ env:
   LINUX_BOOT_FILES_PATH: ${{ github.workspace }}/LinuxBootFiles
 
 permissions:
-  id-token: write   # This is required for OIDC login (azure/login) to succeed
   contents: read    # This is required for actions/checkout to succeed
 
 jobs:
@@ -250,16 +249,15 @@ jobs:
       - self-hosted
       - 1ES.Pool=containerplat-github-runner-pool-east-us-2
       - 1ES.ImageOverride=github-mms-ubuntu-22
+    permissions:
+      id-token: write   # This is required for OIDC login (azure/login) to succeed
+      contents: read    # This is required for actions/checkout to succeed
     steps:
     - name: Checkout hcsshim
       uses: actions/checkout@v4
       with:
         show-progress: false
 
-    - name: Print ACTIONS_ID_TOKEN_REQUEST_URL
-      run: |
-        echo "ACTIONS_ID_TOKEN_REQUEST_URL=${{ secrets.ACTIONS_ID_TOKEN_REQUEST_URL }}"
-
     # Install Azure CLI and login to Azure
     - name: Azure OIDC Login
       uses: azure/login@v2