assignUser commented on code in PR #44644:
URL: https://github.com/apache/arrow/pull/44644#discussion_r1836961655
##########
ci/docker/python-wheel-manylinux.dockerfile:
##########
@@ -75,11 +78,15 @@ COPY ci/scripts/install_vcpkg.sh \
ENV VCPKG_ROOT=/opt/vcpkg
ARG build_type=release
ENV CMAKE_BUILD_TYPE=${build_type} \
- VCPKG_FORCE_SYSTEM_BINARIES=1 \
- VCPKG_OVERLAY_TRIPLETS=/arrow/ci/vcpkg \
+ GITHUB_REPOSITORY_OWNER="${GITHUB_REPOSITORY_OWNER}" \
+ GITHUB_TOKEN="${GITHUB_TOKEN}" \
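Review bot: The added `GITHUB_TOKEN="${GITHUB_TOKEN}"` entry in the `ENV` instruction writes the expanded token into the image configuration, where it stays readable to anyone who can pull or inspect the image and is inherited by every later layer and container. Keep the token out of `ENV` and hand it only to the build step that needs it, for example through a BuildKit secret mount (`RUN --mount=type=secret,id=...`), which does not persist the value in a layer. The same `ENV` block also drops `VCPKG_FORCE_SYSTEM_BINARIES=1` and `VCPKG_OVERLAY_TRIPLETS=/arrow/ci/vcpkg`; the lines shown here do not say where those settings went, so a short comment pointing to their new location would help.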
Review Comment:
I don't think we should merge it like this, it bakes the token into the
image. Even if the token is ephemeral it could still be abused (it lives a
little longer than the job) and crossbow jobs have full permissions because
they don't run as external pull requests.
In addition, if people test/build the image locally it could leak their token
as well.
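A pre-merge check for the pattern the review comment describes, as an added example that is not part of the original message or of the Arrow repository. It flags `ENV` and `ARG` keys whose names look like credentials; the name heuristic, the `ARG GITHUB_TOKEN` line and the `RUN` line in the sample are assumptions made for illustration.

```python
import re

# Heuristic list of credential-like key names (an assumption of this example).
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|CREDENTIAL)", re.I)

# Constructed sample: the ENV block mirrors the hunk under review; the
# "ARG GITHUB_TOKEN" and RUN lines are hypothetical additions.
SAMPLE = '''\
ENV VCPKG_ROOT=/opt/vcpkg
ARG build_type=release
ARG GITHUB_TOKEN
ENV CMAKE_BUILD_TYPE=${build_type} \\
    GITHUB_REPOSITORY_OWNER="${GITHUB_REPOSITORY_OWNER}" \\
    GITHUB_TOKEN="${GITHUB_TOKEN}"
RUN --mount=type=secret,id=github_token ./build-step.sh
'''

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, joined_line)."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never carry an instruction
        if start is None:
            start = no
        cont = line.endswith("\\")
        buf.append(line[:-1].strip() if cont else line)
        if not cont:
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)

def find_baked_secrets(text):
    """Return (line_no, instruction, key) for ENV/ARG keys that look like secrets."""
    findings = []
    for no, line in logical_lines(text):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr not in ("ENV", "ARG"):
            continue  # a RUN --mount=type=secret step is not flagged
        rest = parts[1] if len(parts) > 1 else ""
        # KEY=VALUE pairs; a quoted value may contain spaces
        keys = re.findall(r'([A-Za-z_][A-Za-z0-9_]*)=(?:"[^"]*"|\S*)', rest)
        if not keys:  # legacy "ENV KEY value" or bare "ARG KEY"
            keys = rest.split()[:1]
        findings += [(no, instr, k) for k in keys if SECRET_NAME.search(k)]
    return findings
```

Calling `find_baked_secrets(SAMPLE)` reports the `ARG` on line 3 and the `ENV` block starting on line 4, and leaves the secret-mount `RUN` step alone.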