[ https://issues.apache.org/jira/browse/IGNITE-20466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17868015#comment-17868015 ]

Sergey Korotkov commented on IGNITE-20466:
------------------------------------------

Implemented according to the GitHub's security recommendations at 
[https://securitylab.github.com/research/github-actions-preventing-pwn-requests/]

In other words Sonar analysis is done via 2 separate GitHub Actions workflows.

The first one is triggered on `pull_request`, has read-only access to apache 
repository and has *no* access to secrets. It just builds the PR and stores 
compiled classes and PR metadata as artifacts.

The second one is triggered on `workflow_run` upon completion of the first one, 
has write access to repo and has access to secrets. It downloads the prepared 
artifacts and does the real Sonar scan.

Note that the second workflow is invoked *only if it is already stored in 
the default branch (in master)*. So, no untrusted code from the external fork 
PR is executed.

> Investigate running sonar checks from fork repositories
> -------------------------------------------------------
>
>                 Key: IGNITE-20466
>                 URL: https://issues.apache.org/jira/browse/IGNITE-20466
>             Project: Ignite
>          Issue Type: Task
>            Reporter: Maxim Muzafarov
>            Assignee: Sergey Korotkov
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Investigate running sonar checks from fork repositories.
> See the discussion here:
> https://github.com/actions/checkout/issues/518
> Additionally, we can run checks after a pull-request has been approved by a 
> maintainer:
> https://github.com/orgs/community/discussions/25372
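The two-workflow split that the comment above describes, as an added illustration that is not the Ignite project's actual workflow files; the Maven commands, artifact layout and Sonar property names are assumptions, and the action inputs shown are those of `actions/upload-artifact@v4` and `actions/download-artifact@v4`:

```yaml
# --- .github/workflows/pr-build.yml: untrusted side, runs the fork's code ---
name: PR build
on: pull_request
permissions:
  contents: read          # read-only token; no secret is referenced anywhere
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4           # PR merge commit from the fork
      - run: ./mvnw -B -DskipTests compile  # hypothetical build command
      - run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-build
          path: |
            target/classes
            pr-number.txt

# --- .github/workflows/sonar.yml: trusted side, only the copy on master runs ---
name: Sonar scan
on:
  workflow_run:
    workflows: ["PR build"]
    types: [completed]
permissions:
  contents: read
  pull-requests: write    # lets the scan result be posted on the PR
jobs:
  scan:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/checkout@v4           # default branch, never the fork's code
      - uses: actions/download-artifact@v4
        with:
          name: pr-build
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          path: pr-build                    # keep it out of the checkout
      # The artifact is untrusted input: read it, never run it, validate before use.
      - id: pr
        run: |
          n=$(tr -d '[:space:]' < pr-build/pr-number.txt)
          echo "$n" | grep -Eq '^[0-9]{1,9}$' || { echo "bad PR number"; exit 1; }
          echo "number=$n" >> "$GITHUB_OUTPUT"
      - run: ./mvnw -B sonar:sonar -Dsonar.pullrequest.key="$PR_NUMBER" -Dsonar.java.binaries=pr-build/target/classes  # hypothetical
        env:
          PR_NUMBER: ${{ steps.pr.outputs.number }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

Passing the validated number through `env` rather than interpolating `${{ }}` into the script keeps the artifact's contents from ever being parsed as shell.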



--
This message was sent by Atlassian Jira
(v8.20.10#820010)