Arnout Engelen created IGNITE-23820:
---------------------------------------
Summary: run privileged workflow against approved commit
Key: IGNITE-23820
URL: https://issues.apache.org/jira/browse/IGNITE-23820
Project: Ignite
Issue Type: Improvement
Components: build
Reporter: Arnout Engelen
`sonar-pr-from-fork-build.yml` and `sonar-pr-from-fork-scan.yml` analyze PRs.
`sonar-pr-from-fork-scan.yml` needs privileges to access the `SONARCLOUD_TOKEN`
and to update the status of the PR check.
To prevent a malicious PR from accessing those privileges, Ignite requires
approval for GitHub Actions, and reviews the PR to catch any malicious code
before approving the workflow.
Some changes to the workflow are needed to make sure the privileged workflow is
run against the commit that was approved, and does not pull in any changes that
may have been added to the PR after approval.
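As an added illustration, not taken from the Ignite repository or from the reporter, here is a minimal privileged `workflow_run` job showing the weak pattern next to the pinned one: resolving the PR branch at scan time picks up commits pushed after approval, whereas pinning checkout, verification and the status update to `head_sha` keeps everything on the commit the reviewer saw. The event field names are those of GitHub's `workflow_run` payload; the workflow name `build`, the `scan.sh` step and the status context are placeholders.

```yaml
# Added example, not Ignite's own workflow. A privileged workflow_run job
# that operates only on the commit recorded when the approved build ran.
name: scan-approved-commit
on:
  workflow_run:
    workflows: ["build"]   # assumed name of the unprivileged PR build workflow
    types: [completed]

jobs:
  scan:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    env:
      # The SHA the reviewer approved; fixed for the lifetime of this run.
      APPROVED_SHA: ${{ github.event.workflow_run.head_sha }}
    steps:
      # WEAK: resolves the fork's branch name at scan time, so commits pushed
      # to the PR after approval are silently checked out and scanned.
      # - uses: actions/checkout@v4
      #   with:
      #     repository: ${{ github.event.workflow_run.head_repository.full_name }}
      #     ref: ${{ github.event.workflow_run.head_branch }}

      # FIXED: check out the exact approved commit, not a moving branch tip.
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.workflow_run.head_repository.full_name }}
          ref: ${{ github.event.workflow_run.head_sha }}
          persist-credentials: false

      # Defensive check: fail fast if HEAD is not the approved commit.
      - name: Verify checked-out commit
        run: test "$(git rev-parse HEAD)" = "$APPROVED_SHA"

      - name: Run scan
        run: ./scan.sh   # placeholder for the real SonarCloud step
        env:
          SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}

      # Report the result against the same pinned SHA, never the branch tip.
      - name: Publish status
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.repos.createCommitStatus({
              owner: context.repo.owner,
              repo: context.repo.repo,
              sha: context.payload.workflow_run.head_sha,
              state: 'success',
              context: 'sonar-scan',   // placeholder status context
            });
```

Any build artifacts the scan consumes should likewise be downloaded by the triggering `workflow_run.id`, so they too come from the approved run rather than a later one.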
--
This message was sent by Atlassian Jira
(v8.20.10#820010)