kevinjqliu commented on code in PR #15790:
URL: https://github.com/apache/iceberg/pull/15790#discussion_r2999045474


##########
.github/workflows/labeler.yml:
##########
@@ -18,7 +18,7 @@
 #
 
 name: "Pull Request Labeler"
-on: pull_request_target
+on: pull_request_target # zizmor: ignore[dangerous-triggers]
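Review bot: the `# zizmor: ignore[dangerous-triggers]` suppression added to the `on: pull_request_target` line carries no reason, so anyone editing this file later sees only that the finding was waived, not what keeps the trigger safe. Put the justification beside the suppression, for example a comment line above `on:` reading `# pull_request_target is acceptable here only because no step checks out or executes PR code`, so the condition that makes the waiver valid (no `actions/checkout` of the PR head, no execution of fork-controlled files) is recorded in the workflow itself and is the first thing a reviewer of a future checkout step reads.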

Review Comment:
   `pull_request_target` trigger — This is generally a dangerous trigger 
because it runs with write access to the base repo, even for fork PRs. However, 
the key safety factor is that this workflow never checks out PR code. There's 
no `actions/checkout` step, so no untrusted code from a fork can be executed.
   
   If a checkout step is added in the future, both CodeQL and zizmor (will add 
soon) will catch it.
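As an added example, not code from the PR or from the Iceberg project, the following Python script scans workflow text for the pattern the comment above describes: a `pull_request_target` trigger combined with an `actions/checkout` step, and in particular a checkout whose `ref:` points at the fork's commit (`github.event.pull_request.head.*` or `github.head_ref`). It is a line-oriented heuristic, not zizmor's or CodeQL's query, and the three sample workflows are constructed for the demo.

```python
"""Heuristic audit for the pull_request_target + checkout pattern.

Added example, not Iceberg's code and not zizmor's or CodeQL's logic: a
line-oriented scan (no YAML parser, so it only handles the common layouts
shown in the constructed samples below).
"""
import re
from typing import List, Tuple

# Constructed sample workflows for the demo; none is from the Iceberg repo.
SAFE_LABELER = """\
name: "Pull Request Labeler"
on: pull_request_target # zizmor: ignore[dangerous-triggers]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

UNSAFE_BUILD = """\
name: "PR build"
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

WARN_BUILD = """\
on: [push, pull_request_target]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Check out base branch
        uses: actions/checkout@v4
      - run: ./lint.sh
"""

PR_TARGET = re.compile(r"\bpull_request_target\b")
CHECKOUT = re.compile(r"uses:\s*['\"]?actions/checkout")
# Refs that resolve to the fork's commit: github.head_ref or
# github.event.pull_request.head.{sha,ref}.
PR_HEAD_REF = re.compile(r"github\.(event\.pull_request\.head|head_ref)\b")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _children(lines: List[str], start: int, min_col: int) -> List[str]:
    """Lines after index `start` indented to at least `min_col` (blank lines skipped)."""
    body = []
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        if _indent(line) < min_col:
            break
        body.append(line)
    return body


def uses_pull_request_target(text: str) -> bool:
    """True if the top-level `on:` (scalar, list or mapping form) names pull_request_target."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("on:"):
            block = [line] + _children(lines, i, 1)
            # Drop trailing comments so an ignore marker cannot confuse the match.
            return any(PR_TARGET.search(ln.split("#", 1)[0]) for ln in block)
    return False


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, severity, message) findings for checkout steps under pull_request_target.

    A workflow with no checkout step at all (the labeler case) yields no findings.
    """
    if not uses_pull_request_target(text):
        return []
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("#") or not CHECKOUT.search(line):
            continue
        # The step body is everything indented past the `uses:` keyword column.
        step_body = _children(lines, i, line.index("uses:"))
        if any(PR_HEAD_REF.search(b) for b in step_body):
            findings.append((i + 1, "DANGEROUS",
                             "actions/checkout of the PR head under pull_request_target: "
                             "fork-controlled code runs with the base repo's secrets and token"))
        else:
            findings.append((i + 1, "WARNING",
                             "actions/checkout under pull_request_target: confirm the ref is "
                             "the base branch and nothing later fetches or runs the PR head"))
    return findings


if __name__ == "__main__":
    for name, wf in [("labeler", SAFE_LABELER), ("build", UNSAFE_BUILD), ("lint", WARN_BUILD)]:
        print(name, audit_workflow(wf) or "no findings")
```

The labeler-style sample produces no findings, which is the situation the comment describes; the same trigger with a checkout of `github.event.pull_request.head.sha` is reported as dangerous, and a checkout with no explicit ref is reported for manual review.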
   
   



##########
.github/workflows/publish-iceberg-rest-fixture-docker.yml:
##########
@@ -39,13 +39,16 @@ jobs:
   build:
     if: github.repository_owner == 'apache'
     runs-on: ubuntu-latest
+    environment: docker-publish
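Review bot: `environment: docker-publish` on the `build` job is only a gate once the environment exists with protection rules; when a workflow references an environment that has not been created, GitHub creates it on first use with no required reviewers, no branch restriction and no environment-scoped secrets, so this line changes nothing about who can publish until the environment is configured. Create it before merging and move the registry credentials into that environment's secrets, so the job can only obtain them after passing its rules; the `if: github.repository_owner == 'apache'` guard above limits which repository runs the job, not who can trigger a publish from it.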

Review Comment:
   Need to create this.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

