MartijnVisser commented on code in PR #170: URL: https://github.com/apache/flink-kubernetes-operator/pull/170#discussion_r853762710
########## .github/workflows/helm-charts.yaml: ########## @@ -0,0 +1,35 @@ +name: Release Charts + +on: + push: + branches: + - main + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "[email protected]" + + - name: Install Helm + uses: azure/setup-helm@v1 + with: + version: v3.8.1 + + - name: Run chart-releaser + uses: helm/[email protected]

Review Comment: The attack vector is that the workflow could be changed/compromised to perform an unwanted/unverified change, such as outputting credentials to a log file or submitting it to a 3rd party command & control server. So yes, the risk would still be there, only (much) lower. If you pin the workflow with a SHA commit, you would mitigate it even more (because any change in the workflow would only happen in a newly created commit, which you then wouldn't include in your action run).

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
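Review bot: every third-party action in this hunk is referenced by a mutable tag (`uses: actions/checkout@v2`, `uses: azure/setup-helm@v1` and the chart-releaser action), so a moved tag or a compromised upstream repository silently changes what runs on every push to `main`; as this thread concludes, pin each `uses:` to a full commit SHA and keep the human-readable version in a trailing comment. The shown lines also declare no `permissions:` block at workflow or job level, so the job token receives the repository's default scope; declaring only what chart-releaser needs (for example `permissions: contents: write`) limits what a compromised step could do with it.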
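The SHA-pinning advice in the comment above can be enforced with a small check that scans a workflow for `uses:` references not pinned to a 40-character commit SHA. This is an added example, not code from the PR or from the Flink Kubernetes Operator project; the sample workflow it scans is constructed for the demo, and `example-org/example-action` together with its 40-hex SHA are placeholders, not a real action or commit.

```shell
#!/bin/sh
# Added example (not code from the PR): flag third-party actions that are
# referenced by a mutable tag or branch instead of a full 40-hex commit SHA.
# Local actions (./path) and docker:// references are skipped, since commit
# pinning applies to repository actions, not to those.

# Print every unpinned "uses:" reference found in the given workflow file,
# one per line. Returns 0 when everything is pinned, 1 otherwise.
find_unpinned() {
    file="$1"
    unpinned=$(grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$file" \
        | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
        | sed "s/[\"']//g" \
        | grep -Ev '^(\./|docker://)' \
        | grep -Ev '@[0-9a-f]{40}$' || true)
    [ -z "$unpinned" ] && return 0
    printf '%s\n' "$unpinned"
    return 1
}

# Constructed sample workflow mixing pinned and unpinned references.
# The first two steps mirror the floating tags used in the PR's hunk.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: Release Charts
on:
  push:
    branches:
      - main
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (floating major tag)
        uses: actions/checkout@v2
      - name: Install Helm (floating major tag)
        uses: azure/setup-helm@v1
        with:
          version: v3.8.1
      - name: Pinned action (placeholder SHA, not a real commit)
        uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - name: Local composite action, exempt from pinning
        uses: ./.github/actions/local-step
EOF
}

# Stand-alone run: write the sample, scan it, report the verdict.
tmp=$(mktemp)
write_sample_workflow "$tmp"
if find_unpinned "$tmp"; then
    echo "all third-party actions are pinned to a commit SHA"
else
    echo "unpinned actions listed above; pin each to a full commit SHA and note the tag in a comment"
fi
rm -f "$tmp"
```

Run against a real workflow with `find_unpinned .github/workflows/helm-charts.yaml`; the trailing `# v1.2.3` style comment is stripped before the SHA check, so keeping the tag in a comment next to the pinned SHA costs nothing and keeps the file readable.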
