[
https://issues.apache.org/jira/browse/IGNITE-23820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904341#comment-17904341
]
Sergey Korotkov edited comment on IGNITE-23820 at 12/10/24 4:28 AM:
--------------------------------------------------------------------
Hi Arnout Engelen,
Thanks much for the build workflow fix! Now it does the build. I added one
comment on the PR and copy it here just for the record.
***
I think we still need to return back the fetch of the PR's base branch in
the scan workflow. It would be the master branch from the upstream (main ignite)
repo in fact. Otherwise Sonar would fail to detect the "new lines of code"
if the fork's master is not synchronized with the main repo and would produce a wrong report.
See more details at the comment
https://community.sonarsource.com/t/how-to-use-sonarcloud-with-a-forked-repository-on-github/7363/32
Do you see any security risks in fetching the master branch from the main
ignite repo?
***
I mean to return back the following section in the sonar-pr-from-fork-scan.yml:
{code:yaml}
- name: Checkout PR base branch
  run: |
    git remote add upstream ${{ github.event.repository.clone_url }}
    git fetch upstream
    git checkout -B $pr_base_ref upstream/$pr_base_ref
    git checkout ${{ github.event.workflow_run.head_branch }}
    git clean -ffdx && git reset --hard HEAD
{code}
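The issue asks for the privileged scan to run against the approved commit, while the step above checks out `workflow_run.head_branch` by name. As an added example (not from the PR or the Ignite workflows), here is the same step written to fetch the base branch from upstream, as the comment proposes, and to pin the PR head to `github.event.workflow_run.head_sha`, verifying HEAD before anything is scanned; the environment variable names and the assumption that `origin` can serve the commit by id are mine.

```shell
#!/usr/bin/env sh
# Added example (not from the Ignite workflows): checkout step for the
# privileged scan job of a workflow_run pipeline. The approved commit from
# the unprivileged build workflow arrives as github.event.workflow_run.head_sha.
# Assumed environment variables, set by the workflow step:
#   UPSTREAM_URL  clone URL of the main repository (the base-branch source)
#   PR_BASE_REF   base branch of the PR, e.g. master
#   APPROVED_SHA  github.event.workflow_run.head_sha

# Only a full 40-char lowercase hex commit id is accepted; branch names and
# abbreviated ids are refused because they can move after approval.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Returns 0 only when the commit actually checked out is the approved one.
verify_head() {
  expected=$1
  actual=$2
  is_full_sha "$expected" && is_full_sha "$actual" && [ "$expected" = "$actual" ]
}

checkout_approved() {
  is_full_sha "$APPROVED_SHA" || {
    echo "APPROVED_SHA must be a full commit id, got: $APPROVED_SHA" >&2
    return 1
  }
  # Base branch from upstream, so Sonar's "new code" baseline is the main
  # repository's branch rather than the fork's possibly stale copy.
  git remote add upstream "$UPSTREAM_URL"
  git fetch --no-tags upstream "$PR_BASE_REF"
  git checkout -B "$PR_BASE_REF" "upstream/$PR_BASE_REF"
  # PR head: fetch and check out the approved commit itself, not the head
  # branch, so commits pushed after approval are never scanned. Assumes
  # origin serves the commit by id (GitHub does for PR head commits).
  git fetch --no-tags origin "$APPROVED_SHA"
  git checkout --detach "$APPROVED_SHA"
  git clean -ffdx && git reset --hard HEAD
  verify_head "$APPROVED_SHA" "$(git rev-parse HEAD)" || {
    echo "checked-out HEAD differs from approved commit" >&2
    return 1
  }
}
```

In the workflow the step would source this file and call `checkout_approved`; a non-zero exit fails the job before the Sonar scanner runs.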
> run privileged workflow against approved commit
> -----------------------------------------------
>
> Key: IGNITE-23820
> URL: https://issues.apache.org/jira/browse/IGNITE-23820
> Project: Ignite
> Issue Type: Improvement
> Components: build
> Reporter: Arnout Engelen
> Assignee: Pavel Tupitsyn
> Priority: Minor
> Fix For: 2.17
>
> Attachments: image-2024-12-09-18-53-12-359.png
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> `sonar-pr-from-fork-build.yml` and `sonar-pr-from-fork-scan.yml` analyze PRs.
> `sonar-pr-from-fork-scan.yml` needs privileges to access the
> `SONARCLOUD_TOKEN` and to update the status of the PR check.
> To avoid a malicious PR from accessing those privileges, Ignite requires
> approval for GitHub Actions, and reviews the PR to catch any malicious code
> before approving the workflow.
> Some changes to the workflow are needed to make sure the privileged workflow
> is run against the commit that was approved, and does not pull in any changes
> that may have been added to the PR after approval.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)