https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
might be interesting. It describes a setup where untrusted code is processed
by an `on: pull_request` step (which has access to the pull request). In this
step we could run danger, similar to what chef/chef is doing as mentioned
above. The results of this analysis run can then be checked in as an artifact, and
another trusted CI step can then be used to download the artifact and update
the pull request labels. This second step is leveraging `on: pull_request_target:`.
I think the overall approach might in fact work. At least the first step to run
danger with `on: pull_request` should be able to successfully analyse the
untrusted code in the pull request.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/5267#issuecomment-2429030319
_______________________________________________
rails-dev mailing list
rails-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/rails-dev
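One concrete shape of the two-workflow split described in the message above, added here as an example and not code from the thread or from the openstreetmap-website repository. It follows the linked Security Lab article in triggering the trusted half with `workflow_run` (which fires after the untrusted run has completed and can read its artifact) rather than `pull_request_target`; the `./script/analyze-pr` script and the label allowlist are assumed placeholders, and everything read back from the artifact is treated as untrusted input.

```yaml
# .github/workflows/analyze-pr.yml  (runs the PR's code; no write privileges)
name: Analyze PR (untrusted)
on: pull_request
permissions: { contents: read }
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run the analysis and record its verdict as files
        run: |
          mkdir -p results
          echo "${{ github.event.pull_request.number }}" > results/pr_number
          ./script/analyze-pr > results/labels   # hypothetical script, one label per line
      - uses: actions/upload-artifact@v4
        with:
          name: pr-analysis
          path: results/
---
# .github/workflows/label-pr.yml  (trusted; only ever sees the artifact, never the PR code)
name: Label PR (trusted)
on:
  workflow_run:
    workflows: ["Analyze PR (untrusted)"]
    types: [completed]
permissions: { actions: read, pull-requests: write }
jobs:
  label:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-analysis
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            // The artifact was written by the untrusted job: validate everything in it.
            const fs = require('fs');
            const allowed = new Set(['needs-review', 'tests-failing', 'docs-only']); // assumed allowlist
            const number = fs.readFileSync('pr_number', 'utf8').trim();
            if (!/^\d+$/.test(number)) throw new Error('bad pr_number in artifact');
            const { data: pr } = await github.rest.pulls.get({ ...context.repo, pull_number: Number(number) });
            // Refuse to label any PR other than the one whose commit the untrusted run analysed.
            if (pr.head.sha !== context.payload.workflow_run.head_sha) throw new Error('pr_number does not match analysed commit');
            const labels = fs.readFileSync('labels', 'utf8').split('\n').filter(l => allowed.has(l));
            if (labels.length) await github.rest.issues.addLabels({ ...context.repo, issue_number: pr.number, labels });
```

The head-SHA comparison and the label allowlist are what keep a malicious PR from using the artifact to relabel an arbitrary PR or to attach labels the maintainers never intended.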