ppkarwasz commented on PR #3990:
URL: https://github.com/apache/logging-log4j2/pull/3990#issuecomment-3646233680
> Can you put that in a Groovy script that gets executed in a dedicated
> `logging-parent` profile, that is, `./mvnw -P generate-dependabot-changelog
> apache/logging-log4j2 12345`?

I’m concerned that, for security reasons, we cannot rely on a Groovy script
to generate the changelog entries.

Regardless of whether we split the workflow into two steps (which would
indeed make it easier to review), changelog generation effectively consists of
two distinct phases:

1. **Reading Dependabot changes (unprivileged)**

   This step can safely use a Groovy script, relying on `mvnw`, Maven and
   the Maven Groovy Plugin, provided it runs as `pull_request`.

2. **Writing changelog entries to the repository (privileged)**

   Once the PR commit is checked out, we must be careful **not** to execute
   any script or dependency defined in the repository itself. Concretely:

   * We should not run `./mvnw` to determine the major version; that value
     can and should be passed explicitly as an argument.
   * More importantly, we must not run `./mvnw` to execute a Groovy script
     whose dependencies or versions could have been modified in the PR.

For this reason, using a Groovy script in the privileged part of the
workflow is not something I would be comfortable with.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
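The two-phase split described in the comment above, as an added illustration rather than the project's own workflow: an unprivileged `pull_request` job is allowed to run the checkout's `./mvnw` because it holds only a read token, while the privileged `workflow_run` job checks out the PR commit but runs nothing from it, treats the artifact as data, and receives the major version as an explicit input. The profile name, artifact name, output path and `src/changelog/<major>.x.x/` destination are assumptions for the example.

```yaml
# File 1 (assumed name): .github/workflows/dependabot-changelog-read.yml
# Unprivileged phase: triggered by pull_request, so the token is read-only and
# repository secrets are unavailable to forks. Running the PR's own ./mvnw here
# cannot leak anything it could not already read.
name: dependabot-changelog-read
on:
  pull_request:
permissions:
  contents: read
jobs:
  read-changes:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # The Groovy script, the Maven Groovy Plugin and their versions all come
      # from the PR; that is acceptable only because this job is unprivileged.
      - run: ./mvnw -P generate-dependabot-changelog   # profile name assumed
      - uses: actions/upload-artifact@v4
        with:
          name: changelog-entry
          path: target/changelog-entry.xml              # output path assumed
---
# File 2 (assumed name): .github/workflows/dependabot-changelog-write.yml
# Privileged phase: workflow_run executes the workflow definition from the
# default branch, so these steps are trusted even though the PR commit is
# checked out below.
name: dependabot-changelog-write
on:
  workflow_run:
    workflows: [dependabot-changelog-read]
    types: [completed]
permissions:
  contents: write
jobs:
  write-entry:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    env:
      # Passed explicitly; never derived by running ./mvnw on the checkout.
      MAJOR_VERSION: "2"
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}   # the PR commit
      - uses: actions/download-artifact@v4
        with:
          name: changelog-entry
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      # Only this inline shell (from the default branch) runs. No ./mvnw, no
      # Groovy, no script file from the checkout. The artifact was produced by
      # untrusted code, so it is validated as data and copied, never executed.
      - run: |
          set -eu
          case "$MAJOR_VERSION" in *[!0-9]*|"") echo "bad MAJOR_VERSION" >&2; exit 1;; esac
          xmllint --noout changelog-entry.xml
          dest="src/changelog/${MAJOR_VERSION}.x.x"
          mkdir -p "$dest"
          cp changelog-entry.xml "$dest/"
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add "$dest"
          git commit -m "Add Dependabot changelog entry"
          git push origin "HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}"
```

The property worth checking in review is that every command in the privileged job is either a pinned action or shell text that lives in the default-branch workflow file; if a later change adds `./mvnw`, a `run:` that sources a script from the checkout, or a version lookup executed from the PR, the split no longer provides any protection.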