[
https://issues.apache.org/jira/browse/HADOOP-19893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18088638#comment-18088638
]
ASF GitHub Bot commented on HADOOP-19893:
-----------------------------------------
Copilot commented on code in PR #8530:
URL: https://github.com/apache/hadoop/pull/8530#discussion_r3406376404
##########
.github/workflows/tmpl_cloud_aws.yml:
##########
@@ -87,6 +99,9 @@ jobs:
run: |
echo "Build image URL: ${{
needs.precondition.outputs.build_image_url }}"
- uses: actions/checkout@v6
+ with:
+ repository: ${{ inputs.checkout_repository || github.repository }}
+ ref: ${{ inputs.checkout_ref || github.ref }}
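Review bot: `ref: ${{ inputs.checkout_ref || github.ref }}` accepts any ref string, so a manually dispatched run that is given a branch name checks out whatever that branch points to at run time, not the commit the maintainer reviewed; document that `checkout_ref` is expected to be the PR head commit SHA (or resolve it to one before checkout), and add `persist-credentials: false` to the same `with:` block so the token is not left in `.git/config` while the untrusted tree is built.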
Review Comment:
In the `build-image` job checkout, `persist-credentials` is not disabled.
When this workflow is manually triggered for fork PRs it checks out untrusted
code, and leaving the `GITHUB_TOKEN` in `.git/config` makes it easier for that
code to read/exfiltrate the token. This checkout shouldn’t need persisted git
credentials (the GHCR push uses `${{ github.token }}` via
`docker/login-action`).
##########
.github/workflows/notify_cloud_aws.yml:
##########
@@ -0,0 +1,120 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Add a sticky comment to hadoop-aws PRs from forked repos with a hint that
+# integration tests must be manually triggered by a maintainer.
+#
+name: "Cloud-AWS PR Update"
+
+# Security: This privileged workflow uses pull_request_target but does not
+# check out or execute untrusted code. It only creates a check run and a PR
+# comment in the base repository.
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ paths:
+ - 'hadoop-tools/hadoop-aws/**'
+ - '.github/workflows/*cloud_aws.yml'
+ - '.github/actions/build_image**'
+ - '.github/gha-tests/hadoop-aws*excludes.txt'
+
+jobs:
+ notify:
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ name: "Notify Cloud-AWS"
+ runs-on: ubuntu-slim
+ permissions:
+ checks: write
+ pull-requests: write
+ steps:
+ - name: Post approval-required check and sticky comment
+ uses: actions/github-script@v9
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const marker = '<!
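Review bot: this `pull_request_target` job runs with `checks: write` and `pull-requests: write`, but `actions/github-script@v9` is referenced by a mutable tag rather than a full commit SHA; in a privileged workflow that is the one place a compromised or retagged action would run with those permissions, so pin it to a SHA (with the tag in a trailing comment). The security note above the `on:` block is accurate for the steps shown, since there is no checkout step, and it would be worth adding one line saying that a checkout of the PR head must never be added to this job. Minor: `github-token: ${{ secrets.GITHUB_TOKEN }}` is already the default for `github-script` and can be dropped.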
> ci: s3a integration tests fail for fork PRs
> -------------------------------------------
>
> Key: HADOOP-19893
> URL: https://issues.apache.org/jira/browse/HADOOP-19893
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ci, fs/s3
> Affects Versions: 3.5.0
> Reporter: Aaron Fabbri
> Assignee: Aaron Fabbri
> Priority: Major
> Labels: pull-request-available
>
> `.github/workflows/cloud_aws.yml` fails to execute when a PR branch is pushed
> to a fork repository. It works fine when pushing a branch to upstream
> (apache/hadoop). The problem is that the determination of the container image
> URL (which happens in `.github/actions/build_image_url/action.yml`) uses
> `apache` for `github.repository.owner` instead of `fork-owner`, due to use of
> `pull_request` trigger.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)