[
https://issues.apache.org/jira/browse/IGNITE-23820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904342#comment-17904342
]
Sergey Korotkov edited comment on IGNITE-23820 at 12/10/24 4:24 AM:
--------------------------------------------------------------------
Maybe we just need to hardcode the main repo URL instead of using the
`github.event.repository.clone_url`, to protect ourselves from, I don't know,
some sort of forks chain.
was (Author: JIRAUSER279895):
Maybe we just need to hardcode the main repo URL instead of using the
`github.event.repository.clone_url`, to protect yourself from, I don't know,
some sort of forks chain.
> run privileged workflow against approved commit
> -----------------------------------------------
>
> Key: IGNITE-23820
> URL: https://issues.apache.org/jira/browse/IGNITE-23820
> Project: Ignite
> Issue Type: Improvement
> Components: build
> Reporter: Arnout Engelen
> Assignee: Pavel Tupitsyn
> Priority: Minor
> Fix For: 2.17
>
> Attachments: image-2024-12-09-18-53-12-359.png
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> `sonar-pr-from-fork-build.yml` and `sonar-pr-from-fork-scan.yml` analyze PRs.
> `sonar-pr-from-fork-scan.yml` needs privileges to access the
> `SONARCLOUD_TOKEN` and to update the status of the PR check.
> To avoid a malicious PR from accessing those privileges, Ignite requires
> approval for GitHub Actions, and reviews the PR to catch any malicious code
> before approving the workflow.
> Some changes to the workflow are needed to make sure the privileged workflow
> is run against the commit that was approved, and does not pull in any changes
> that may have been added to the PR after approval.
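An added example (not code from the Ignite project or its workflows) of the check the issue asks for: the privileged step fetches exactly the approved commit SHA from a hardcoded trusted remote, refuses anything that is not a full SHA (a branch or PR ref resolves to whatever was pushed last), and verifies HEAD afterwards. The trusted remote here is a constructed local repository standing in for the main GitHub repo; `checkout_approved_commit` and `make_demo_repo` are hypothetical names.

```shell
#!/bin/sh
# checkout_approved_commit WORKDIR TRUSTED_REPO_URL APPROVED_SHA
# TRUSTED_REPO_URL is meant to be a constant in the workflow, not a value
# taken from the event payload such as github.event.repository.clone_url.
checkout_approved_commit() {
  workdir=$1; trusted_url=$2; approved_sha=$3
  # Only a full 40-char hex SHA identifies the approved commit; refs move.
  case "$approved_sha" in
    ""|*[!0-9a-f]*) echo "refusing: not a commit SHA: $approved_sha" >&2; return 1 ;;
  esac
  [ "${#approved_sha}" -eq 40 ] || { echo "refusing: need a full SHA" >&2; return 1; }
  git init -q "$workdir" &&
  git -C "$workdir" fetch -q "$trusted_url" "$approved_sha" &&
  git -C "$workdir" checkout -q --detach FETCH_HEAD || return 1
  # Verify what we actually have before any privileged step runs.
  actual=$(git -C "$workdir" rev-parse HEAD)
  if [ "$actual" != "$approved_sha" ]; then
    echo "refusing: HEAD $actual is not the approved $approved_sha" >&2; return 1
  fi
  echo "checked out approved commit $approved_sha"
}

# make_demo_repo DIR: constructed stand-in for the main repo. Creates the
# commit a reviewer approved, then a second commit simulating a push to the
# same PR branch after approval. Prints the approved SHA.
make_demo_repo() {
  repo=$1
  git init -q "$repo"
  git -C "$repo" config user.email ci@example.invalid
  git -C "$repo" config user.name ci
  # GitHub already serves fetch-by-SHA; a plain local repo needs this enabled.
  git -C "$repo" config uploadpack.allowAnySHA1InWant true
  echo "reviewed code" > "$repo/file.txt"
  git -C "$repo" add file.txt && git -C "$repo" commit -q -m "approved change"
  approved=$(git -C "$repo" rev-parse HEAD)
  echo "change pushed after approval" >> "$repo/file.txt"
  git -C "$repo" commit -q -am "post-approval push"
  echo "$approved"
}
```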
--
This message was sent by Atlassian Jira
(v8.20.10#820010)