clients/.github/workflows/chromatic-target.yml

33 lines
1.1 KiB
YAML

# This workflow is intended to be run when we need to run Chromatic and produce artifacts that
# require secrets when the PR source branch does not have access to secrets (e.g. a fork). It will
# fail until an approved user has manually re-run the workflow. This workflow will then run in the
# context of the target of the PR and have access to secrets. This should only be done after
# reviewing the PR to ensure that no malicious code has been introduced, as it could allow the code
# on the forked branch to have access to workflow secrets.
name: Chromatic on PR Target
on:
pull_request_target:
types: [opened, synchronize, reopened]
branches:
- "main"
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
permissions:
contents: read
run-workflow:
name: Chromatic
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/chromatic.yml
secrets: inherit
permissions:
contents: read
pull-requests: write
id-token: write