[ https://issues.apache.org/jira/browse/IGNITE-23820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904124#comment-17904124 ]

Sergey Korotkov commented on IGNITE-23820:
------------------------------------------

Hi,

[~ptupitsyn]
[~engelen]

Looks like this has broken the PR sonar scans totally. See for example
[https://github.com/apache/ignite/actions/runs/12231658380/job/34115332441?pr=11695]


Why do you believe these changes are needed?

The `sonar-pr-from-fork-scan.yml` (which does need privileges) is triggered by
the *workflow_run* event, which is triggered if and only if the workflow file
is already on master (in other words, already approved and merged by a committer
some time before). So a malicious PR cannot modify this workflow file and
therefore cannot steal the secrets. And this workflow also doesn't invoke the
build, which is done by the *not privileged* `sonar-pr-from-fork-build.yml`
workflow instead.

See
[https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_run]

!image-2024-12-09-18-53-12-359.png|width=400!

> run privileged workflow against approved commit
> -----------------------------------------------
>
>                 Key: IGNITE-23820
>                 URL: https://issues.apache.org/jira/browse/IGNITE-23820
>             Project: Ignite
>          Issue Type: Improvement
>          Components: build
>            Reporter: Arnout Engelen
>            Assignee: Pavel Tupitsyn
>            Priority: Minor
>             Fix For: 2.17
>
>         Attachments: image-2024-12-09-18-53-12-359.png
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> `sonar-pr-from-fork-build.yml` and `sonar-pr-from-fork-scan.yml` analyze PRs. 
> `sonar-pr-from-fork-scan.yml` needs privileges to access the 
> `SONARCLOUD_TOKEN` and to update the status of the PR check.
> To prevent a malicious PR from accessing those privileges, Ignite requires
> approval for GitHub Actions, and reviews the PR to catch any malicious code
> before approving the workflow.
> Some changes to the workflow are needed to make sure the privileged workflow
> is run against the commit that was approved, and does not pull in any changes
> that may have been added to the PR after approval.
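The split that both the comment and the issue description talk about, an unprivileged build triggered by `pull_request` and a privileged scan triggered by `workflow_run`, is sketched below as an added illustration. It is not Ignite's `sonar-pr-from-fork-build.yml` or `sonar-pr-from-fork-scan.yml`; the workflow names, the `./build.sh` and `scan-tool` commands, and the artifact name are assumptions for the example. Only `SONARCLOUD_TOKEN` is taken from the issue text.

```yaml
# --- unprivileged build (file name assumed: pr-build.yml) -------------------
# Runs with the fork's code but without repository secrets: the checked-out
# tree is untrusted, so nothing privileged may happen in this workflow.
name: pr-build
on:
  pull_request:
    branches: [ master ]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # untrusted PR code
      - run: ./build.sh                     # assumption: project build script
      # Results leave this workflow only as an artifact, i.e. as data.
      - uses: actions/upload-artifact@v4
        with:
          name: pr-build-output             # assumed artifact name
          path: build/
---
# --- privileged scan (file name assumed: pr-scan.yml) -----------------------
# workflow_run executes the definition that is on the default branch, so a PR
# cannot edit this file and have the edited version run with the secrets.
name: pr-scan
on:
  workflow_run:
    workflows: [ pr-build ]
    types: [ completed ]
permissions:
  checks: write
  pull-requests: write
jobs:
  scan:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # Pin to the commit the triggering run actually built. This is the
      # commit that was approved; the PR head may have moved since then.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - uses: actions/download-artifact@v4
        with:
          name: pr-build-output
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # No script from the checked-out tree or from the artifact is executed
      # here: the artifact was produced by untrusted code and is treated as
      # input only. The scanner is invoked with the secret and the pinned sha.
      - run: scan-tool --sha "${{ github.event.workflow_run.head_sha }}"   # assumed tool
        env:
          SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
```

Two points are what to check when reviewing such a pair: the privileged workflow takes the commit from `github.event.workflow_run.head_sha` rather than from anything the build wrote into the artifact, and it never runs code from the checked-out tree, only reads it. `workflow_run` itself gives the guarantee the comment describes (the file on master is the one that runs); the `head_sha` pin is what the issue asks for (the approved commit is the one scanned).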



--
This message was sent by Atlassian Jira
(v8.20.10#820010)