[ 
https://issues.apache.org/jira/browse/NUTCH-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092232#comment-18092232
 ] 

Piotr Karwasz commented on NUTCH-3186:
--------------------------------------

Hi [~snagel] ,

That is due to the upgrade to {{actions/checkout}} version 7. The only change 
in that version is that it refuses to checkout code from forks on 
{{pull_request_target}} and {{workflow_run}}. You can override that after 
reviewing that the workflow is safe.

Right now the {{Compile (no tests)}} step seems dangerous, because it depends 
on the checked out code. I think you should compile the code in the 
{{pull_request}} workflow and upload it, so the Sonar code can review it.

Piotr

> Split SonarQube workflow in unprivileged build and privileged analysis part
> ---------------------------------------------------------------------------
>
>                 Key: NUTCH-3186
>                 URL: https://issues.apache.org/jira/browse/NUTCH-3186
>             Project: Nutch
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 1.23
>            Reporter: Sebastian Nagel
>            Assignee: Sebastian Nagel
>            Priority: Critical
>             Fix For: 1.23
>
>
> The SonarQube workflow defined by {{.github/workflows/sonarcloud.yml}} is run 
> in a single workflow which has access to repository secrets. By splitting the 
> workflow in an unprivileged build and privileged part which performs the 
> analysis and sets the SonarQube status will secure the workflow secrets.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to