georgereuben commented on PR #14927:
URL: https://github.com/apache/lucene/pull/14927#issuecomment-3052357824

> This looks very interesting... and way beyond my knowledge of gh actions. What are the security implications for having these permissions in the workflow? Can somebody craft a PR that would somehow alter Lucene's main repo?
   
There is a check before the workflow runs so that only users with admin or write repository permissions can trigger the bot. I have tested it in the test PR and verified that the workflow rejects the trigger command from an external actor.
   
<img width="1512" alt="Screenshot 2025-07-09 at 5 23 25 PM" src="https://github.com/user-attachments/assets/ace92ed0-192b-4ff4-89ed-8b710f6f8f51" />
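An added example (not the PR's workflow) of the kind of gate described in the reply: a comment-triggered job asks the GitHub API for the commenter's repository permission and fails unless it is `admin` or `write`, so the downstream bot job never runs for an outside contributor and the comment body never reaches a shell unescaped. Workflow name, trigger phrase and job names are assumptions.

```yaml
# Added example, not the PR's own workflow. Gate a comment-triggered bot on the
# commenter's repository permission before any privileged job runs.
name: bot-permission-gate
on:
  issue_comment:
    types: [created]

# Grant only what the bot itself needs; nothing here can push to the repo.
permissions:
  contents: read
  pull-requests: write

jobs:
  authorize:
    # Only consider comments on pull requests that start with the trigger phrase.
    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/bot ')
    runs-on: ubuntu-latest
    steps:
      - name: Require admin or write permission for the commenter
        env:
          GH_TOKEN: ${{ github.token }}
          ACTOR: ${{ github.event.comment.user.login }}   # passed via env, not inlined into the script
        run: |
          # GET /repos/{owner}/{repo}/collaborators/{username}/permission
          # returns "admin", "write", "read" or "none" for the commenter.
          level=$(gh api "repos/${GITHUB_REPOSITORY}/collaborators/${ACTOR}/permission" --jq .permission)
          echo "commenter=${ACTOR} permission=${level}"
          case "$level" in
            admin|write) ;;   # allowed to drive the bot
            *) echo "::error::${ACTOR} lacks write/admin permission; refusing to run"; exit 1 ;;
          esac

  run-bot:
    needs: authorize   # skipped entirely when the check above fails
    runs-on: ubuntu-latest
    steps:
      - name: Bot work goes here
        env:
          ACTOR: ${{ github.event.comment.user.login }}
        run: echo "authorized trigger by ${ACTOR}"
```

Because `issue_comment` workflows run with the base repository's token, the permission check must come first; the `needs:` edge is what keeps an unauthorized comment from reaching the privileged job.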
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

