lupyuen commented on issue #18359: URL: https://github.com/apache/nuttx/issues/18359#issuecomment-3869143242
Yep thanks! Looks like we need to follow the Official Guidance from ASF Infra, because it's low-level and doesn't have any unnecessary features: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=321719166#GitHubActionsSecurity-Buildstriggeredwithworkflow_run

> A [common technique](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/) for building untrusted code but also using privileges to act on the build result is to split the build into two parts: a low-privilege one triggered by pull_request that runs the untrusted code, stores the result in an artifact, and triggers a second, high-privilege build with workflow_run that acts on that result.

Which links to this Two-Step Solution: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

(1) Remember the PR Number via the (safer) pull_request trigger...

<img width="629" height="891" alt="Image" src="https://github.com/user-attachments/assets/89a8e1ec-5d0a-4d48-bc2b-76b7644adca3" />

(2) Which will then safely trigger workflow_run, to retrieve and update the PR (via a privileged GitHub Token)...

<img width="1064" height="1630" alt="Image" src="https://github.com/user-attachments/assets/51b53707-4da0-4000-b939-1ea7373d3697" />

Lemme experiment with this on my own NuttX Repo...

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
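The two-workflow split described in the comment above, written out as an added example (not code from the NuttX repo, ASF Infra, or the linked article). The file paths, workflow names, the artifact name `pr`, the action version tags and the final `gh pr comment` step are assumptions chosen for illustration.

```yaml
# File 1 (assumed path): .github/workflows/pr-build.yml -- low privilege, read-only token
name: PR Build
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ... build / test the untrusted PR code here ...
      - name: Remember the PR number
        env:
          PR_NUMBER: ${{ github.event.number }}
        run: mkdir -p pr && echo "$PR_NUMBER" > pr/number
      - uses: actions/upload-artifact@v4
        with:
          name: pr
          path: pr/
---
# File 2 (assumed path): .github/workflows/pr-followup.yml -- privileged, never checks out PR code
name: PR Follow-up
on:
  workflow_run:
    workflows: ["PR Build"]
    types: [completed]
permissions:
  actions: read          # download the artifact from the triggering run
  pull-requests: write   # update the PR
jobs:
  update-pr:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr
          path: pr
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Update the PR (artifact content is untrusted input)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
        run: |
          PR_NUMBER="$(head -c 16 pr/number | tr -d '\n')"
          case "$PR_NUMBER" in ''|*[!0-9]*) echo "bad PR number"; exit 1 ;; esac
          gh pr comment "$PR_NUMBER" --body "Build finished."
```

The privileged workflow treats the artifact as data only: it reads a bounded number of bytes, rejects anything that is not purely digits, and never executes or checks out anything produced by the pull request.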
