fix: allow rerun on forked PRs (#41)

gilescope · chrisferry · web-flow · commit e0ad9e486493 · 2025-08-25T14:28:26.000+01:00
* fix: allow rerun on forked PRs

* Update check-user-permission action version to sha

---------

Co-authored-by: Chris Ferry &lt;chrisferry@gmail.com&gt;
diff --git a/.github/workflows/checkmarx.yaml b/.github/workflows/checkmarx.yaml
@@ -8,8 +8,8 @@ permissions:
   security-events: write     # to upload the scan results
 
 on:
-  pull_request:
-    branches: [ '**' ]
+  pull_request_target:
+    types: [opened, synchronize, reopened]
   push:
     branches: [ 'main' ]
 concurrency:
@@ -26,8 +26,30 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      # From https://michaelheap.com/access-secrets-from-forks/
+      # Also see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@7b90a27f92f3961b368376107661682c441f6103  #v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+
+      # This is dangerous without the first access check
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  #v5.0.0
+        with:
+          # Yes we do need to specify head explicitly here (read github article)
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Install dependencies
         run: |
