[ 
https://issues.apache.org/jira/browse/IGNITE-28827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anton Vinogradov resolved IGNITE-28827.
---------------------------------------
    Resolution: Fixed

[~shishkovilja], thanks for your review!

> Run all PR checks even when the PR conflicts with the base branch
> -----------------------------------------------------------------
>
>                 Key: IGNITE-28827
>                 URL: https://issues.apache.org/jira/browse/IGNITE-28827
>             Project: Ignite
>          Issue Type: Task
>            Reporter: Anton Vinogradov
>            Assignee: Anton Vinogradov
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> h3. Problem
> The GitHub Actions checks in .github/workflows/commit-check.yml (Code Style, 
> Abandoned Tests,
> Javadocs, .NET, ducktape) are not dispatched for a pull request that 
> conflicts with the base
> branch. The status checks never appear, so a contributor whose PR is 
> temporarily in conflict
> gets no CI feedback until the conflict is resolved.
> h3. Root cause
> These checks are triggered by the \{{pull_request}} event, which GitHub 
> dispatches against the
> *test-merge commit* (PR head merged into base). When the PR conflicts 
> (mergeable state DIRTY),
> GitHub cannot compute that merge commit, so no run is created. This is 
> independent of what the
> jobs check out — they already check out \{{pull_request.head.sha}}.
> For comparison, the "Rolling Upgrade / Protected Classes" check runs fine on 
> conflicting PRs
> because it is triggered by \{{pull_request_target}}, which runs in the 
> base-branch context and
> does not depend on the test-merge commit.
> h3. Proposed change
> Switch commit-check.yml from \{{pull_request}} to \{{pull_request_target}}. 
> That event is the only
> PR-triggered event not gated on the merge commit, so it is the only way to 
> dispatch these checks
> on a conflicting PR. All jobs already check out \{{pull_request.head.sha}}.
> h3. Security trade-off
> These jobs build and *run* untrusted PR code (mvnw test, dotnet build, tox). 
> Running untrusted
> code under pull_request_target is sensitive, so the workflow is hardened to 
> grant no more
> privilege than the \{{pull_request}} event already did:
> * the token is downscoped to \{{permissions: contents: read}} (no write);
> * no \{{secrets.*}} are referenced;
> * the workflow definition is taken from the base branch, so a PR cannot 
> modify it.
> A code comment documents this invariant so that secrets / write permissions 
> are not added later
> without revisiting the trade-off.
> h3. Notes / follow-ups
> * pull_request_target that builds and runs fork code goes against GitHub's 
> default guidance for
>   untrusted code; needs confirmation that ASF Infra policy permits it.
> * Required checks / branch protection are unchanged (job names stay the same).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to