[
https://issues.apache.org/jira/browse/NUTCH-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092232#comment-18092232
]
Piotr Karwasz commented on NUTCH-3186:
--------------------------------------
Hi [~snagel] ,
That is due to the upgrade to {{actions/checkout}} version 7. The only change
in that version is that it refuses to checkout code from forks on
{{pull_request_target}} and {{workflow_run}}. You can override that after
reviewing that the workflow is safe.
Right now the {{Compile (no tests)}} step seems dangerous, because it depends
on the checked out code. I think you should compile the code in the
{{pull_request}} workflow and upload it, so the Sonar code can review it.
Piotr
> Split SonarQube workflow in unprivileged build and privileged analysis part
> ---------------------------------------------------------------------------
>
> Key: NUTCH-3186
> URL: https://issues.apache.org/jira/browse/NUTCH-3186
> Project: Nutch
> Issue Type: Bug
> Components: build
> Affects Versions: 1.23
> Reporter: Sebastian Nagel
> Assignee: Sebastian Nagel
> Priority: Critical
> Fix For: 1.23
>
>
> The SonarQube workflow defined by {{.github/workflows/sonarcloud.yml}} is run
> in a single workflow which has access to repository secrets. By splitting the
> workflow in an unprivileged build and privileged part which performs the
> analysis and sets the SonarQube status will secure the workflow secrets.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)