GitHub Actions provides a well-integrated CI/CD system for code hosted on
GitHub. If you want to build and run tests when someone sends a pull request,
you can use the pull_request event. For security reasons, this event runs the
workflow in a restricted (security-hardened) environment. For example, the
encrypted secrets stored in GitHub are not available to the workflow. Another
restriction is that the GITHUB_TOKEN only gets read access with the
pull_request event type.
If you need write operations after the build and tests, you can use the
workflow_run event. It requires some preparation in the pull_request job: save
the pull request number, build outputs, test results, and any other workflow
data into one directory, say pr, and store that directory as an artifact.
Here is an example that uploads the pr directory as an artifact. It is stored as
pr.zip in the workflow run for 90 days (by default):

    - uses: actions/upload-artifact@v2
      with:
        name: pr
        path: pr/
From the workflow_run event, you can download the stored artifact. You can see an example in the Keeping your GitHub Actions and workflows secure article. Since the workflow_run workflow has write access, you can perform write operations based on the downloaded artifacts. Common write operations are adding comments and labels to the pull request.
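As an added example (not code from the original post), here is a pair of workflows that implement the hand-off described above: the first runs on pull_request with the read-only token, records the pull request number together with the build output in the pr directory and uploads it as the pr artifact; the second runs on workflow_run, downloads that artifact through the REST API and posts a comment on the pull request. The workflow names, file names, build command and comment text are assumptions. Because the artifact was produced inside an untrusted pull request run, the second workflow treats its contents as input to be validated: it accepts only a plain integer as the PR number and checks that the PR's head commit matches the head_sha of the run that triggered it before commenting.

```yaml
# .github/workflows/pr-build.yml (hypothetical file name)
# Runs in the restricted pull_request context: no secrets, read-only GITHUB_TOKEN.
name: PR build
on:
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build and test
        run: |
          # placeholder for the project's real build/test commands
          echo "build and tests ran" > build-output.txt
      - name: Save PR number and outputs for the workflow_run job
        run: |
          mkdir -p pr
          echo "${{ github.event.pull_request.number }}" > pr/number
          cp build-output.txt pr/
      - uses: actions/upload-artifact@v2
        with:
          name: pr
          path: pr/

---
# .github/workflows/pr-comment.yml (hypothetical file name)
# Runs in the privileged workflow_run context after "PR build" completes.
name: PR comment
on:
  workflow_run:
    workflows: ["PR build"]
    types: [completed]

permissions:
  actions: read
  pull-requests: write

jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - name: Download the pr artifact from the triggering run
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: context.payload.workflow_run.id,
            });
            const match = artifacts.data.artifacts.find(a => a.name === 'pr');
            if (!match) throw new Error('no pr artifact on the triggering run');
            const download = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: match.id,
              archive_format: 'zip',
            });
            fs.writeFileSync('pr.zip', Buffer.from(download.data));
      - run: unzip -o pr.zip -d pr
      - name: Validate the untrusted PR number, then comment
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            const raw = fs.readFileSync('pr/number', 'utf8').trim();
            // The artifact was written by an untrusted PR run: accept only a plain integer
            if (!/^\d{1,10}$/.test(raw)) throw new Error(`unexpected PR number: ${raw}`);
            const pull_number = Number(raw);
            // Cross-check against the run that triggered us, so the artifact cannot
            // redirect the comment to an unrelated pull request
            const pr = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number,
            });
            if (pr.data.head.sha !== context.payload.workflow_run.head_sha) {
              throw new Error('PR head does not match the triggering workflow run');
            }
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pull_number,
              body: 'Build and tests finished for this pull request.',
            });
```

The second workflow never checks out or executes anything from the pull request; it only reads two small files from the artifact, and the permissions block limits the token to the two scopes the job actually needs.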
Yet another restriction with the pull_request event is that pull requests from first-time contributors require manual approval before the workflow runs. This manual-approval requirement is an ongoing issue with some workarounds.